Five Tips for Not Becoming an Insider Threat

By Andrew Wild, Chief Information Security Officer, Lancope

PrintMost employees are honest, trustworthy people that would not steal from their employer or intentionally take sensitive, private information from their job and sell it. But many well-meaning employees are taken advantage of by attackers to steal data, and it can cost their employer (and customers) millions.

Unintentional insider threats can cost a U.S. company as much as $1.5 million, according to a report from the Ponemon Institute. The Verizon 2015 Data Breach Investigations Report noted that most of the thousands of data breaches and security incidents studied involved stolen user credentials.

This predicament is understandable – most employees don’t fully understand the importance of the role they play in ensuring the security of their organization – but there are simple measures everyone can take to ensure they don’t become the open door into the network. Here are five tips on how not to become an insider threat:

Be mindful of devices with company data on them
It’s a new world out there, and most of us have some sort of company data on portable devices. Whether you get work-related emails on your smartphone, use company laptops out of the office, access cloud-based IT solutions or just log into company systems remotely, be careful not to let this information fall into the wrong hands.

Try not to store unnecessary sensitive data on your mobile devices, and be wary of what external networks you connect to. Malware can be used to steal login credentials or compromise the corporate network if you return to the office with the infected device.

Lastly, don’t forget devices can be stolen or lost. Keep track of your devices, promptly report any device containing company data to your IT group, use a password and secure them, which leads to the next tip.

Encrypt data at rest
Most people only think about encryption when they are transferring data to a third party, but data that is sitting unused in storage is also at risk. From the perspective of an employee, this most often takes place when sensitive items are stored on mobile devices, personal computers or data storage devices such as external hard drives and thumb drives.

Encryption ensures that even if data falls into someone else’s hands, they won’t be able to access it. Most phones and mobile devices have the ability to encrypt data stored on them. Here is some information on encrypting iOS and Android devices.

Encrypting external hard drives and thumb drives is a little more difficult. Though there are several third-party applications to encrypt storage drives, if you are running Windows Vista or later, Microsoft BitLocker is a good solution. For more information on BitLocker and installation instructions, click here.

Of course, the effectiveness of encryption is highly dependent upon the strength of the key and the key management processes…

Use good password practices
You wouldn’t put your valuables in a safe but leave the door open, would you? Likewise, you wouldn’t use the same key for your car, safe, safety deposit box, etc. Your sensitive data is only as safe as the password you use to protect it.

You should use passwords that are at least 10 characters long, though the longer the better, with complexity: it should contain a mixture of uppercase, lowercase and special characters as well as numerals. Change your password often, and use a unique password for every site, system and application. If you use only one password for everything and a website you use suffers a data breach that includes user passwords, all of your accounts are as good as compromised.

Of course, it is difficult to memorize and manage so many unique passwords, but there is a solution. You can use secure password managers to generate unique passwords and keep track of them, requiring you to only remember the one password used to secure the manager. You can also employ two-factor authentication for your most sensitive accounts (your password vault, for example), which will require you to input a unique ID that is sent to your phone every time you log in, drastically reducing the likelihood of compromise.

For more information on using secure password managers and two-factor authentication, click here.

Beware of social engineering
“Social engineering” is just a fancy way of saying an attacker utilizes tactics from traditional scams in conjunction with a cyber-attack, and it is a common practice. Social Engineering attacks the human component of the security system. The most common example of this today is phishing, in which an attacker crafts an email that appears legitimate but aims to trick the recipient into divulging sensitive details such as passwords or installing malware on their machine. A more targeted approach is called “spear phishing” wherein the attacker creates an email targeting a specific person, perhaps even you.

Very few of us are truly “off the grid”; we all have information available about us online. In a matter of minutes, an attacker can find out what you do and discover your workplace responsibilities. They can then use that information against you. For instance, an attacker may identify a company’s CEO or other C-level executive and then send a fraudulent email that appears to be from that CEO to you, a company finance manager. The attacker claims they need an urgent wire transfer to close a deal or secure a service. The wire information will likely contain a legitimate vendor but a fake SWIFT code that routes the money to the criminal. Most people don’t question emails that appear to come from a company executive, or another associate, but that mistake could cost your company thousands or even millions.

Social engineering doesn’t have to be digital. Some of the largest breaches over the past few years involved an attacker using the telephone to speak with a company employee posing as a member of IT or other organization insider and convincing them to divulge passwords and other access information. Legitimate IT support staff will never ask you to divulge your passwords! Be wary of strange phone calls. If someone seems suspicious, clear it with a company security professional before you give them any information or ask the caller to hang up so you can call them on an official company phone number.

Ensure you don’t have unnecessary access privileges
This may sound like a strange tip, but most employees don’t need access to every resource on their company’s network, and limiting access to sensitive systems to only those who need it can drastically reduce the reach of a potential data breach. This is called the “principle of least privilege.

Though access privileges are typically managed by IT Security, they do not always know everything different employees need access to, and maintaining proper access control can be difficult. If you discover you have access to data or systems that you don’t require as part of your job, you should notify your organization’s security team. This is especially true if the data or systems contain sensitive information such as customer payment information or personally identifiable information (PII).

While there is no cyber security “silver bullet” to prevent breaches, remaining aware of common security practices can help prevent attackers from using you as a way into your employer’s network. Just like you brush your teeth every morning, these practices are essential to maintaining your “cyber security hygiene.”

This post is part of a series for National Cyber Security Awareness Month, which aims to educate Internet users on how to stay safe online.

The Blind Spot of Insider Threat

By Paul Calatayud, Guest Blogger, Code42

Code42_Insider_ThreatSecurity threats from inside the organization are increasing, but too many organizations hesitate to address the issue. They’re afraid that monitoring employee behavior implies they don’t trust employees. Today, the reality is that employees are often unintentional actors. They’re increasingly being used as vectors and vessels by sophisticated cyber organizations, which want employee credentials to access valuable data.

We’re seeing an increase in employee-targeted phishing attacks and credential theft, because the credentials allow hackers to bypass a huge amount of security investment—the firewall, the perimeter, the encryption—essentially 90% of your security strategy.

As CISOs, we need to get past the insider blind spot to adequately protect our organizations. The first step is to define insider threat more accurately and more tactfully—as either a known actor with motive and opportunity or an actor who unknowingly becomes a conduit, who is essentially a victim.

I try to take an approach that defends against both scenarios, an approach that says: “I’m not sure if your credentials were handed to the bad guy or harvested through malware. Regardless of how it happened, if there’s a deviation or situation where a credential is suspect, then we will detect and respond.”

The bigger challenge is how to detect the deviations. And that requires understanding what the normal state looks like. If you were to look at Edward Snowden and say you wanted to protect against that type of data breach, then you have to be able to understand at what point his access and his abuse occurred. At what point did he go from his normal three years as a contractor to someone behaving maliciously.

Or in the case of Anthem, in which a database administrator’s credentials were stolen, when did that administrator’s normal network behavior change. If the admin logged in every day from 9 to 5 p.m. and then all of a sudden was logging in at 3 a.m., that would tell you something.

To understand what normal looks like at Surescripts, we’ve invested in advanced analytics and other technologies that allow us to profile good behavior. So if we had an Edward Snowden, I would have been able to see and potentially detect the moment he started to abuse his privilege, because I’d have a historical view of his digital behavior over the past three years.

The key for any CISO to gain support for this type of internal profiling strategy is not to focus on distrust. Rather, focus on the need to find the anomalies that lead to internal data breaches—by both intentional and unwitting internal actors.

Paul Calatayud is the Chief Information Security Officer for Surescripts.

Spread the Message Beyond the Experts

By Andrew Wild, Chief Information Security Officer, Lancope

PrintOctober is National Cyber Security Awareness Month. But if you’re reading this blog, chances are good that you are an experienced information security professional and that you’re focused on awareness every month! So, how do you explain security awareness to others, especially co-workers, family members and friends that are not information technology experts? In this article, I will share some of the tips that I pass along to my family and friends.

A funny but accurate analogy I’ve read on the Internet that seems to work with non-IT folks is:  Passwords are like underwear…

  • Change them often.
  • Don’t share them with anyone.
  • The longer the better.
  • Don’t leave them on your desk.

All kidding aside, the three most important points to share about password security are:

  1. Ensure you create a strong password. There is a lot of information on the Internet that defines a strong password.
  2. Don’t reuse passwords. Many people still use the same password on multiple accounts.  Stress the importance of not reusing password across accounts.
  3. Don’t share your password with anyone. Surprisingly to IT security professionals, there are many people that don’t know that support staff from an organization will never ask you to give them your password.

Most people hate passwords though, and telling them they have to use a different password for every site and that the passwords have to be strong isn’t likely to be advice that will be followed.  Whenever I talk about password security, I always follow up by recommending the use of a password vault. There are many password vault solutions available at low or no cost that can help people manage their passwords. Most of the vault solutions also provide a mechanism to generate secure passwords too.

And finally, encourage people to take advantage of stronger authentication options that are now available. Many banks, email service providers and file sharing services now support some kind of stronger authentication for password security. The use of multifactor authentication significantly reduces the likelihood of your account being compromised.

We’ve been telling people for years not to open email attachments, and most people do understand the risks of opening unsolicited attachments, but now it’s not only about attachments, it’s also about not clicking on URLs contained inside email messages. We can tell people to be careful about clicking on links, but the reality is that it is often difficult to tell if a link is good or bad. A resource that I have found to help people understand the thought process for evaluating a link is the nice flowchart from Intel Security. They also have an online test that is a useful way to check your understanding.

Cyber Monitoring
Inside our Enterprise environments, we’ve implemented extensive cyber monitoring capabilities to quickly and proactively detect anomalous behavior within our networks (check out Lancope’s StealthWatch® System). Many online IT solutions have capabilities for detecting unusual activity and notification. Banks and credit card companies can send notification by SMS (text messaging) or email for a variety of events including financial transactions over a user-defined threshold. Many online service providers allow users to configure multiple email addresses for an account and can send an alert by SMS or email when a password is changed. Monthly online account activity information is also available for many services, showing geo locations from which the service was accessed (obtained by examining the source IP information). Encourage friends and family to enable and use these cyber monitoring capabilities to proactively look for anomalous activity on their accounts.

Patch Patch Patch
Encourage the frequent updating of operating systems, applications and plugins for computers and mobile devices. Updating web browser software and their plugins has become very important given the extensive use of web applications. A tool that I find very useful to help friends and family check the health of their web browsers and plugins is the Qualys Browser Check. This easy-to-use tool can identify vulnerabilities in browser software and the plugins used by browsers.

These are some of the ways that I help my friends and family secure their online assets. I hope these are helpful, and remember that the Stop Think Connect message is not just for National Cyber Security Awareness Month, it is a year-round approach that everyone should adopt.


Consumer IoT Security Impacts

By Brian Russell, Co-Chair, CSA IoT Working Group

Within the CSA Internet of Things (IoT) Working Group, we are researching various topics related to securing IoT implementations within an enterprise. One of the more interesting aspects to consider on this subject is the role that consumer IoT devices play in regards to enterprise security.

News of exploits against consumer IoT devices is common, and research into vulnerabilities related to poor development and configuration choices continues. Rapid7 recently published a significant research report on baby monitor exposure and vulnerabilities, which showed that many leading brands are still highly vulnerable. Download their report.

Another interesting aspect of consumer IoT security is the apparent inability to rely upon the consumer to safeguard the underlying network that IoT devices use to communicate. Consumers are often proponents of usability over security, and in the past some consumer IoT device makers have purposefully chosen to value usability over security. This is somewhat understandable, as most people would prefer not to have to configure unique security credentials for each IoT device that operates within their home. Of concern though is that adding new (non-secure) points of connection into the home provides an ability for malicious parties to gain access to other computing resources in the home – potentially leaving sensitive data such as passwords exposed. This is concerning for an enterprise security practitioner because many people choose to use the same passwords to protect both corporate and personal information and application access.

What’s interesting also is that consumer IoT devices do not always stay within the home. A report this year by OpenDNS provided a great deal of data that showed that IoT devices, or the associated applications installed on staff computers, were often found to be communicating with services over the internet from the Corporate network. In some cases, Smart TVs were brought into the enterprise, and these devices were pre-configured to talk with service addresses/ports on the internet. In other cases, fitness trackers were associated with applications that were loaded onto laptops or mobile phones, and then those applications began communication with the manufacturer through the corporate network. Read the OpenDNS report.

At this point, education is likely the best defense against the exposures that consumer IoT devices introduce to the enterprise. Security staff should be educated to identify when inappropriate devices and software is being used on the network, and all staff should be educated on the need to secure their connected home systems as part of a larger effort to keep data secure.

Join the CSA IoT Working Group.

Brian Russell is the Chief Engineer/CyberSecurity for Leidos. 

The Definition of Cloud Computing

By Ross Spelman, Group Technical Services Manager, Espion

Ross_Spellman_HWhat is the cloud and why should I go there?
The transition to cloud services offers major opportunities for your organisation. Significant scalability, flexibility and cost-efficiency can all be achieved through the adoption of cloud-based solutions. Migrating to the cloud can be a scary prospect for many organizations. In fact, the question is often asked: What actually is cloud computing, and why do I need to go there? Drawing on our consultants’ wealth of knowledge, we have put together a comprehensive definition of cloud computing, outlining how to get the best out of this new technology.

Cloud Computing Defined
Cloud Self ServicesOn Demand Self Service
At the touch of a button your cloud environment should be there for you. For example, if your IT team were to come under pressure to add or change software, platforms or infrastructure and make them available to your users, they should be able to make these additions instantly. It’s an instant access environment provision.

Ubiquitous Network Access
Internet cloud, conceptThis is the beauty of cloud – you can access it from anywhere via the Internet. You don’t need any specialized ingress point into your environment; it’s readily accessible for anyone with Internet access. You can access it anytime, from anywhere. This benefit is crucial to all aspects of your organization. All your team needs is an Internet connection and they can log in and use all their enterprise applications and systems, including all their data and resources from any location. This can be vital for remote workers, such as salespeople on the road who are trying to close that quarter-defining sale.

There are risks with this of course; companies need to keep control of who has access to the cloud and what data they are able to access. The benefits that come from having ease of access also create risks. Our experts regularly work with organizations to define the criticality of their data and then categorize it, based on their requirements. It’s important to apply controls to your environment to ensure the right people are accessing the right data.

Location Transparent Resource Pooling
Location transparent resource PoolingThe cloud allows you to pool your resources, so an organization can exploit its assets 24 hours a day. By pooling your resources in a cloud you can utilize your software, platforms and infrastructure through shared services, allowing your users to get the most out of your assets. Pooling strategies include the likes of data storage services, processing services and bandwidth provision services. This provides huge economies of scale for organisations and provides the means to really embrace the global office. As your workforce shuts down for the day on one side of the world, your team on the other side can get up and continue working from the same platforms, applications and infrastructure. The cloud allows you to sweat your assets from anywhere.

Rapid Elasticity
The beauty of being in the cloud is the ability to scale up and scale down your infrastructure at a moment’s notice. The ability to auto-scale in the cloud eliminates much of the risk associated with scoping requirements for technology projects. With traditional environments on premise, if you under-scope the design for an environment and the demands on it prove higher than expected, you lose revenue. Conversely, if you over-scope and sales are lower than expected, you increase costs unnecessarily. The ability to scale your infrastructure at will allows you to design environments with a degree of confidence not available with traditional models.

Once again, this benefit comes with its own risks. It’s imperative that this is monitored on a regular basis. The ease of scaling up and down environments brings financial rewards but also heightens the risk. If an environment is scaled up to meet peak demand and left as such when it’s not needed, this can have negative implications.

Proper, consistent management of this service is the key to success.

Measured Pay Per Use
When in the cloud, you only pay for what you use. This means you can offset your operational savings against your capital expenditure and truly reap the financial benefits. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. In addition, this allows for a much more predictable and closely-controlled method of financial accounting, moving from Cap-Ex to Op-Ex budgeting.

Three Ways to Improve Your Personal Cyber Safety

By Gavin Reid, Vice President/Threat Intelligence, Lancope

For National Cyber Security Awareness month there a couple of relatively easy-to-do things that I highly recommend if you want to improve your personal cyber safety. These important protections are easily available but not well documented.

One of the biggest cyber security problems impacting users today is the reuse of easy to guess passwords across multiple sites. All it takes is for one site to be compromised and the hackers can then use your password to log into others. This process is often automated and run against all sites. To help combat that ensure that you have a *unique*! password for each site. No one can remember multiple unique complex passwords so invest in using a tool like roboform or 1password to manage these passwords and keep them safe. Once you have installed a good password manager go back to each site you use and replace your common password of “petname123″ and let the password manager create a long and complex password for you like “yott2&uv0ugs7.” Save that password and go on to change the next one. Set a complex password that you DO remember for your password manager. It’s only one and it can be recalled from memory.

Don’t be afraid of the cloud! Losing all of your newly-created complex passwords to a hard drive crash would be a terrible loss. Make sure you sync your password file in the cloud to be able to access them across multiple devices (phones, tablets, laptops) and always have a backup. Roboform has its own cloud storage built in and 1password uses Dropbox or iCloud. Your passwords are encrypted with AES encryption so even if someone somehow broke into the cloud provider and stole your password list, they cannot decrypt your passwords without the one complex password you committed to memory.

The next step to ensure you won’t be an easy victim is to set up two-factor authentication for some sites that are more important to your personal cyber security like Gmail, eBay and PayPal.

You may not have thought about it, but your personal Gmail account ties many things together. For example if you use Gmail as your email address for your Amazon account, if someone hacks your Gmail they can force a password change to access your Amazon account. Similarly, your bank and many other systems may use your email as a way to allow for password resets.

Criminals can also use your Gmail account to send out legitimate looking email requests for emergency help to all the people in your address book like the email below:


How you doing? I made a trip to London (United Kingdom) unannounced some days back, Unfortunately i got mugged at gun point last night! All cash, Credit card and phone were stolen, i got messed up in another country, stranded in London, fortunately passport was back in our hotel room. It was a bitter experience and i was hurt on my right hand, but would be fine. I am sending you this message cos i don’t want anyone to panic, i want you to keep it that way for now!

My return flight leaves in a few hours but Im having troubles sorting out the hotel bills, wondering if you could loan me some money to sort out the hotel bills and also take a cab to the airport about ($1,550). I have been to the police and embassy here, but they aren’t helping issues, I have limited means of getting out of here, i have canceled my credit cards already and made a police report, I wont get a new credit card number till I get back home! So I could really use your help.

You can contact the hotel management through this telephone number (+449444045232), you could wire whatever you can spare to my name and hotel address via Western union:

Name: John Hastings
Location: 201 Bunaby Street, Chelsea,
Greater London
SW10 0PL.
United Kingdom

Your Gmail account plays an important part in your overall internet safety. It is very important you set a strong password and enable two-factor authentication. Here is how to do it:

  • Login to your Gmail account then go-to the following URL
  • Click on “Get Started” then “Start Setup.” Enter the number for your phone and verify the number by entering the numeric code that Google sends to the phone by either text message or voice call.


  • You can also choose to use the smart phone app Google Authenticator, which you would register through the same wizard shown above. To install Google Authenticator click here for iOS or here for Android. Either way works and will stop people from easily taking over your personal email (and of course your online identity!).

PayPal and eBay
If you use either of these services, they are high-value target accounts for crime. PayPal is especially problematic as it links directly (in most cases) to your bank account. EBay accounts, on the other hand, are often hijacked then used fraudulently to sell nonexistent items, leaving the account owner to work out the mess. I highly recommend you protect yourself by setting up two-factor authentication for both accounts.

Setup instructions for PayPal:

Go to


This will give you the option to set up a secondary authentication method. You have three choices, pay a small amount and they will ship you a small fob that will provide one-time passwords to use as a secondary authentication for your account (i.e. a hacker can’t get into your account by just guessing your password or resetting it). The second choice is a more convenient one if you have a smartphone. You can download the Symantec VIP Access program for smartphones. Or you can just have PayPal send messages to your mobile like we did with Gmail.

When you get the token software installed on your smartphone, authenticate it to your PayPal account and register its unique ID. Now when anyone wants to use your PayPal account, they will have to have both your username and password and the one-time token password your phone or fob would generate. Note: you can also tie this token to your eBay account.

There was a lot of work to do to get to this stage. It is unfortunate that this process is obscure and not built-in or easier to enable. I am sorry to say that there is one more step if you use Gmail with any applications that auto-check email. I have several, such as the Microsoft Outlook client for Mac. These applications do the authentication automatically. For convenience with only a small security risk I can use Gmail to set up application- or device-specific passwords. These fixed passwords can ONLY be used by the same app on the same device. You can do this by editing the “authorizing applications & sites” button in the Gmail account settings.

When you click edit, it will force another authentication then allow you to set up, manage and track application-specific passwords.

So that’s it. I wish it was easier, but these are a couple of steps that can make your internet identity much harder to abuse.

California Leads the Way with Data Privacy Ruling

By Rachel Holdgrafer, Business Content Editor, Code42

Code42_CA_Digital_Privacy_Rights (1)Should electronic communications and metadata be afforded the same legal protections as printed correspondence? The State of California thinks so.

Introduced in February 2015 and signed into law on October 8, 2015, the California Electronic Communications Privacy Act prevents law enforcement agencies from requiring a company to turn over metadata or digital communications without a warrant. Home to a large majority of technology-based companies including Apple, Google, Facebook, Dropbox, LinkedIn and Twitter, the State of California recognized the need for updated state privacy laws. In the wake of the NSA scandal and the resulting decline in consumer trust that vendors would (and could) protect individual’s digital privacy, California took action to avoid further negative impact on its technology businesses.

The California Electronic Communications Privacy Act is a move toward instating meaningful digital privacy rights. It is also the clarion call for lawmakers to take up the mantle of privacy protection by proactively changing existing privacy laws to include digital communications. The legislation echoes recent decisions by the Supreme Court in which Fourth Amendment privacy rights preventing unreasonable search and seizure were upheld and expanded to include GPS trackers and cellular phones.

Requests for access to electronic communications are growing at exponential rates. Google reported a 250% jump in government demands for access to digital data in the past five years. AT&T reported a 70% increase in demands for location information in the past year and Verizon reported that only 1/3 of the 15,000 requests it received in 2014 included a warrant. Twitter experienced a 52% increase in access demands in 2015 as well.

The California Electronic Communications Privacy Act takes a ground-breaking stance on digital privacy that the American Civil Liberties Union (ACLU) hopes will spread to other states in coming months. The ACLU urges individual states to take action rather than wait for sweeping federal legislation due to glacial progress in Washington, D.C. Despite having 300 supporters in the House, the Email Privacy Act has failed to receive a floor vote. Clearly, technology companies cannot wait for federal legislators to tackle this issue.

Data privacy is at the heart of every cloud-based or security-based business. Without updates to current legislation—at the federal or state level—technology companies and their customers are left in a precarious position. Other states would do well to follow California’s lead and implement data privacy legislation that accounts for how people communicate in the 21st century while we wait for Washington, D.C. to get moving.

EU-US Safe Harbor: Model Clauses – Not All They’re Cracked Up to Be…

By Willy Leichter, Global Director, Cloud Security, CipherCloud

eggIn a recent blog post, we referred to the now defunct EU-US Safe Harbor framework as a house of straw, while comparing the European Commission (EC) Model Clauses (the theoretical replacement) to a house of sticks – better, perhaps, but still vulnerable to wolf-force winds.

It turns out we are not the only ones falling back on children’s story analogies. In a webinar last week, a prominent privacy lawyer from DLA Piper stated that “it will take a while to put Humpty Dumpty back together again” implying that Model Clauses were not going to instantly fix a fractured EU data privacy system.

While cloud vendors including Google, Salesforce and Microsoft have rushed to offer customers amended contracts with Model Clauses, there is increasing evidence that this approach will not be acceptable to many of the EU data protection authorities (DPAs) as a simple replacement for Safe Harbor. Initial statements from a number of DPAs highlight how fragmented and subjective European data protection has become:

  • The Austrian DPA initially stated that it would accept EC Model Clauses as basis for transfers of personal data to the US. Subsequently it clarified that the DPA would still have to approve specific transfers based on Model Clauses.
  • Authorities in Spain have opposed the idea that EU Model Clauses could be used as the sole basis for exporting data to the US.
  • One of seventeen German regional DPAs (in Schleswig-Holstein) announced its view that because of the European Court of Justice (ECJ) decision, data transfers based on the EU Model Clauses are not permitted anymore.
  • The UK ICO issued a statement that businesses will need to review how data is transferred to the US but “we recognise that it will take them some time for them to do this.”
  • DPAs in Ireland, France, Italy, Netherlands, Belgium, and Portugal have issued statements that they are studying the issue and hope for a “shared position” from authorities across Europe.

The core debate is that the ECJ decision striking down Safe Harbor was based largely on the Snowden revelations regarding NSA programs. While the EC Model Clauses provide clearer jurisdiction for EU DPAs, they still make exceptions for “legally binding law enforcement requests” which could still include compelled disclosure to government agencies.

So what should multi-national businesses do with all this uncertainty?

  • You could stop using the cloud or transferring data across the Atlantic. That might make the DPAs happy, but it’s unlikely to be practical, sustainable, or make business sense.
  • You can ignore the issue, wait for the dust to settle, and hope a new blanket Safe Harbor replacement is agreed upon. That may take a while, and privacy advocates like Max Schrem now have the green light to challenge other data transfers.
  • You can take proactive steps to reduce you exposure by anonymizing sensitive personal data before it leaves a country. Many of our customers have taken this approach using a Cloud Access Security Broker (CASB) to encrypt or tokenize sensitive data and are confident they can avoid this legal quagmire.

CASBs: A Better Approach to Cloud Encryption

By Anurag Kahol, Founder and CTO, Bitglass

Widespread enterprise adoption of public cloud applications like Office 365 has not come without security and compliance concerns. Most cloud apps function like a black box, providing little visibility or control over the handling of sensitive data. When cloud applications leave security gaps that the enterprise simply can’t live with, thoughts often turn to cloud encryption options.

This data may exist as structured data in an app like Salesforce, or as unstructured data in file sharing apps like Box or OneDrive. In either case, a cloud access security broker (CASB) provides a way to encrypt the data using keys that you control. A CASB also provides a central point for monitoring and managing access to those resources.

Encrypting cloud data at rest with CASBs
CASBs provide a central point of visibility and control across any cloud app used in an enterprise. Control comes in various forms, including contextual access control, data leakage prevention, and of course encryption for data at rest. A CASB works by mediating connections between cloud apps and the outside world, typically via a combination of proxies and API connectors to applications.

A CASB, or cloud access security broker, mediates the connections between end users and cloud applications,
providing a central point of visibility, access control, and data security.

CASBs have become the de facto answer to encryption for cloud data at rest. Unfortunately, in order to make data searchable when encrypted and stored in the cloud, early CASBs cut down on the number of initialization vectors used in their products which limits the number of possible encrypted versions of a given string. This same approach makes the encrypted data subject to attacks, such as a chosen plaintext attack. Why bother encrypting if you use weak schemes that can easily be cracked?

Full-strength cloud encryption with Bitglass
Bitglass takes a patented “split index” approach to searching cloud-based content that allows you to have your cake and eat it too — that is, full-strength crypto and search. In a nutshell, Bitglass brings the trusted security of a private cloud to powerful and flexible public cloud applications, allowing you to safely take advantage of apps like Office 365, Salesforce, Box, and ServiceNow.

Unless a user accesses the cloud application through the Bitglass service,
he or she will see nothing but meaningless ciphertext.

With a few clicks, CASBs like Bitglass can replace sensitive data inside of the application with copies encrypted using keys that you control using the encryption algorithms of your choosing — which means your existing key management system works out of the box. The encrypted data can be stored in the cloud app or on-premise; in the latter case, the only thing stored in the cloud application is an encrypted pointer to where the data lies in the local data store.

When a user searches for data, the search query is executed against a local search index, returning all of the associated pointers to Bitglass. Bitglass then searches the application for those pointers and retrieves the encrypted files or records, decrypting data for the user on the fly.

Because data is encrypted in the app, it’s not readable by prying eyes. Even within your organization, access is provided by policy. In fact, unless the user is accessing the application securely through Bitglass, they will see nothing but meaningless encrypted pointers.

Many enterprises forgo the power and flexibility of public cloud applications for the sake of data security and compliance. With a split-index approach to cloud encryption, these businesses can have both without undermining the strength of the encryption or sacrificing the functionality of the applications. It’s an approach to cloud encryption that should make a cloud-first strategy more attainable for the most security-conscious of organizations.

Want to learn more? Watch our Glass Class on Cloud Encryption.

Managing Shadow IT

By Rachel Holdgrafer, Business Content Editor, Code42

Code42_Shadow_IT“Shadow IT,” or solutions not specified or deployed by the IT department, now account for 35 percent of enterprise applications. Research shows an increase in IT shadow spend with numbers projected to grow another 20 percent by the end of 2015.

Experts agree that shadow IT is here to stay, particularly the growing tendency to use cloud services for collaboration, storage and customer relationship management.

Enterprise organizations can’t afford to bypass the productivity and profitability that comes with a happy and enabled mobile workforce. However, the utilization of SaaS that IT has not vetted and approved may expose regulated or protected personal data, which a business is responsible for remediating.

California leads the way in the privacy arena with the Security Breach Notification Law and Online Privacy Protection Act. The Federal Trade Commission is the primary U.S. enforcer of national privacy laws, with other national and state agencies authorized to enforce additional privacy laws in vertical industries such as banking and health care.

Sanctions and remedies for non-compliance with FTC data protection laws include penalties of up to US $16,000 for each offense. The FTC can also obtain an injunction, restitution to consumers, and repayment of investigation and prosecution costs. Criminal penalties include imprisonment for up to ten years. In 2006, a data broker agreed to pay US $15 million to settle charges filed by the FTC for failing to adequately protect the data of millions of consumers. Settlements with government agencies can also include onerous reporting requirements, audits and monitoring by third-parties. A major retailer that settled charges of failing to adequately protect customer’s credit card numbers agreed to allow comprehensive audits of its data security system for 20 years.

So, what is the answer? How do you start to get a handle on shadow IT?

Ask employees which cloud services they are using. You might also need to utilize a combination of automated and manual discovery tools to get a complete picture of what programs employees are using and what data is hosted and shared in provider clouds. These “cloud consumption” dashboards can monitor and assess cloud usage and detect encryption tools at each host.

Protect your data.
Implement automatic backup of all endpoint data in the enterprise to capture a real-time view of where employee data lives, when and where it moves and who has touched it—even as it moves to and from non-approved clouds.

Act fast when the inevitable happens.
The reality is a breach may be inevitable, but you can recover. With continuous and automatic endpoint backup, IT can quickly evaluate the content of files believed to have been breached and act in good faith to lessen the impact. Additionally, understanding what was stolen allows a company to make an accurate disclosure and manage consumer confidence issues.

For CIOs and IT staff accustomed to maintaining complete control over their digital ecosystems, relinquishing even a bit of this control can be terrifying—even in the name of productivity. And yet, with a security strategy that focuses on complete data visibility, they can empower mobile workers while minimizing the risks associated with the dark side of shadow IT.

CSA Release Cloud Forensics Capability Maturity Model Report

cloud forensics capability maturity model report coverCSA’s Incident Management and Forensics Working Group today released its “Cloud Forensics Capability Maturity Model”, a new research report that describes a Capability Maturity Model (CMM) that can be used by both cloud consumers and Cloud Service Providers (CSPs) in assessing their process maturity for conducting digital forensic investigations in the cloud environment.

Even the most capable enterprise cannot avoid data breaches entirely. As such, there is a rising need for enterprises to adopt mature forensic security processes. This need will rise at least at the speed at which adversaries improve their attack strategies and techniques. This situation is even more complex in the world of cloud computing. Only with close cooperation between the cloud consumer (who has given up some control) and the CSP (who has inherited it) can adequate, timely and accurate forensic analysis occur.

The target audience for this paper is enterprise users that deal with all aspects (technical and organizational) of their forensic processes, and that plan to or have already integrated cloud IaaS services into their IT infrastructure. The starting point for the model was the Carnegie Mellon University Software Engineering Institute’s (SEI) “Software Process Maturity Framework” which identifies five progressive levels of process maturity:

LEVEL SEI Capability Forensics Question
1 Initial How are we ever going to do this?
2 Repeatable Have we done this before?
3 Defined What is our process for doing this?
4 Managed What resources did this require?
5 Optimizing How can we do this better?

The report provides detailed guidance for each question via scenario planning and recommended process mapping.

Download a free copy of the report.


Conversation with an HP Instructor: “Cyber Security is part of the job for business people today”

By Kelly P. Baig, Education Services Instructor, HP

hplogofacebook2012_400x400Are you aware of the latest trends in cyber-security attacks and the tactics used by bad actors to exploit your security weak points? More importantly, have you put in place appropriate protection against these threats? One starting point as cited by one of our Education Services instructors, Lauri Harris, is the HP 2015 Cyber Risk Report.

If you are wondering how to be sure you are controlling your risks, you are not alone. In my conversation with Lauri Harris, I found her advice and insights to be invaluable to understanding the scope of the threat environment – as well as some practical starting points for closing the threat exposures. If you are interested in hearing from Lauri directly yourself, you may find it useful to attend one of her HP security courses.

For more information on the upcoming CSA Summits – and to register to attend Lauri’s course – see these registration pages:

Conversation with Lauri Harris

Kelly: Lauri, thanks for taking some time from your busy training schedule to speak with me! I’m interested to hear your opinions of the latest threats and trends. But let’s start with you; what is your background and how long have you been with HP?

Lauri: I started originally with HP in 1998. Then I took a leave of absence to serve active duty with the USAF following 9/11. I also had a short service with the US Patent & Trademark Office as a Patent Examiner. But, I couldn’t stay away from HP. I’ve been back as an HP Education Consultant since 2010. I am an instructor for all ITIL and security courses, as well as the Cloud Security courses.

Kelly: What did you work on originally for HP?

Lauri: I was always an instructor; I taught HP-UX in the beginning – all the UNIX System and Network Administration courses. I also had technologies like MC Service Guard for high availability, Data Protector for enterprise backup solutions, Network Node Manager and Operations for network discovery and remote node management on both Windows and UNIX. I taught everything from POSIX shell scripting to Service Manager; I tried to teach just about everything that I could get my hands on.

Kelly: Do you find that your varied technology background – and your real-world service – helps with your security training?

Lauri: Yes, I think that a varied background really helps a lot. I find that a holistic approach to the practice of security is what is needed. Security cuts across technologies – across hardware, software, and networking. The advantage of my varied background is that I can talk to the whole picture of what you might run into from a security perspective.

Kelly: Who do you find attends your security courses? What types of students to you get?

Lauri: I get people from all different types of backgrounds, some are very technical and some are non-technical leaders; it runs the gamut. For me as an instructor – and I hope for the students in the courses – teaching security is very interesting because of the varied questions that I get. It is an opportunity to sketch out the flow of data and determine the appropriate controls depending on the data type, laws governing the data, and the necessary processing and required hardware and software to process the data.

For example, I taught a Cloud Security course in April at the RSA event. Keep in mind that at these conferences, like the upcoming CSA Summits, these are real courses that I’m teaching. I’m not just doing a summary overview or talk. So, I had a student in that April course that asked me about a particular aspect of how audits fit into cyber security – and we did a deep dive on that based on the interest in the room. We keep the courses small enough to make sure that we have that type of conversation –deep dives– as we go through. I’ve found at the conferences that it’s a lot of fun, because we tend to get the security specialists so we do really deep dives on the technology and processes.

Kelly: You mentioned that having business people in these courses is a more recent trend?

Lauri: Yes, it’s really just more recently that I’m seeing the managers coming in to take security courses. I think this is reflective of a paradigm shift that is happening across the board in business: technology is now embedded as a part of everything we do, from service delivery to customers, to the Internet of Things (IoT). This makes it extremely important for all people to be technology savvy, and especially security savvy.

So what I’m seeing, is that more managers are attending our security courses and cloud security, in particular. They want to gain some understanding of the courses that we offer to determine which team members should attend which courses and to improve their own knowledge of cyber security for making better business decisions.

In short, security is part of the job for business people these days. Digital skills development is also part of the requirement for any professional.

Kelly: On security, what has your students most concerned? What questions do you get asked the most?

Lauri: The topic that comes up the most is cloud: Almost everyone coming to any of our security courses, is asking about cloud. Data in the cloud is the biggest concern. And, they have questions about their continued responsibility of ensuring that the data is safe and protected. They have questions about how much control over data protection they have between purchasing infrastructure as a service (IaaS), platform as a service (PaaS), versus software as a service (SaaS). These are questions we address in class.

Also, the physical location of data in the cloud is a big concern, and we wind up talking about this a lot in our courses. The fact is that all governments can subpoena data that is being collected or stored within their jurisdiction, if they think they have a need for it, not just the US government. But in reality, the vast majority of data collection is being done by private companies, not government agencies. And the data collected is governed by the organization’s security policy along with the local and federal laws.

Kelly: What are the topics that you cover in the HP CCSK Foundation Cloud Security course?

Laurie: We come in and we talk about the basic terms of cloud, security vectors, where the accountability lies in moving data to the cloud. We also talk about where the real risks are in putting applications and data in the cloud – and how to manage them. We help make sure that the students know how to get the right kinds of cloud contracts in place, with the right levels of service and the right types of terms to meet their business needs.

Kelly: Are the perceived risks of putting data in the cloud over-stated?

Lauri: Well, it depends. I like to use this analogy: imagine that you have a $30K diamond ring and you’re going to wear it to a gala event. So, where would you prefer to store it when you are not using it? Would you feel comfortable putting it into a jewelry box on a shelf in your home? Do you have a vault in your floor? Or, would you be better protected using a safety deposit box at the bank – and then have to go to the bank to get that ring when you want to wear it?

If you are a billionaire, then maybe you have great home security. But, if you’re like most people, then the bank is probably better protection for your ring.

Kelly: Are people understanding security better now?

Lauri: I think we are going in the right direction, but it was startling for me to read in our HP 2015 Cyber Threat report that the top two themes noted are: “well-known attacks commonplace” and “misconfigurations are still a problem”.

Kelly: Any closing remarks?

Lauri: As an instructor, I love my job. The thing that I like best is that I’m constantly challenged by new configurations and new questions. It pushes me to keep current with what’s the latest technology or what’s the latest trend. I read constantly, to stay current, because someone is going to come to class and ask about the latest trend or software or gadget. It’s really an on-going relationship and feedback loop between myself, my students, and what is happening with security in the industry.

Want your own opportunity to speak with Lauri and learn from her insights?
You can take the HP CSSK Cloud Security Foundation course to learn directly from Lauri Harris. A great opportunity for this, is at the upcoming CSA Summits in October and December 2015. CSA is partnering with HP to offer the CSSK Cloud Security Foundation course at its lowest possible cost. Lauri will be at the Summits in-person to lead those courses.

Three Killer Use Cases for Skyhigh’s New Patented Pervasive Cloud Control

By Kamal Shah, SVP, Products and Marketing, Skyhigh Networks

pervasice-cloud-control-blog-headerIf cloud services were used only by employees who worked from the office, on company-issued devices, enforcing cloud policies would be straight-forward. IT Security would simply direct all traffic, for all employees, across all cloud services through a Cloud Access Security Broker (CASB), which would provide the required visibility, threat protection, compliance, and data security for all users.

3 megatrends that make Cloud Security a bit more challenging
Three IT megatrends render this type of simplicity impossible:

  1. BYOD: According to a CompTIA survey, 47 percent of companies have a Bring Your Own Device (BYOD) policy in place, allowing employees to access corporate data from their own devices. With the BYOD, employees access corporate data in cloud services from a variety of devices, most of which are unmanaged.
  2. Telecommuting: According to statistics from the American Community Survey, telecommuting has risen 79 percent between 2005 and 2012. With many employees logging hours from home and on the road, it can be difficult to get in the path without forcing users to adopt the dreaded VPN.
  3. 3rd Party Collaboration: According to Skyhigh’s recent Cloud Adoption and Risk report, the average enterprise collaborates with 1,555 partners via cloud services. Agents and VPN are not options for 3rd parties (many would suggest they aren’t an option for employees on BYOD either), making it impossible to get in path for policy enforcement.

API access offers a frictionless path to visibility, but for companies with policy enforcement requirements, such as real-time DLP with closed-loop remediation, contextual access and collaboration control, and structured and unstructured encryption, a new technique is required in order to get in path and enforce security, compliance, and governance policies.

Skyhigh solves policy enforcement challenges with new, patented technology
Today, Skyhigh announces that the United States Patent and Trademark Office has issued US Patent 9,137,131 for Pervasive Cloud Control. The patent covers SAML-based Identity Provider (IdP) redirection, which enables customers to enforce their cloud security, compliance and governance policies across all devices – managed or unmanaged – and across all user – on-premises, remote, or third party.

Best of all, the solution meets two universal requirements for cloud security and enablement – pervasiveness and zero-friction.

Pervasiveness: It is impossible to circumvent the CASB control point, regardless of the device or user.

Zero-friction: The solution requires no device agents and has no impact to the user experience or the cloud service providers.

Skyhigh Pervasive Cloud Control extends Skyhigh’s leadership in the Cloud Access Security Broker space and enables policy enforcement while supporting BYOD access to cloud services, off-network access to cloud services, and collaboration between employees, customers, and partners.

Three killer use cases for Skyhigh’s Pervasive Cloud Control
BYOD Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can support BYOD policies while enforcing corporate security, compliance, and governance policies. As an example, a sales person may be authorized to access a Customer Relationship Management service, such as Salesforce, from their personal iPhone to view or update their sales forecast. However, when the salesperson tries to download their monthly forecast to their iPhone, Skyhigh’s Pervasive Cloud Control automatically prevents the download because it violates the company’s security policies.

Off-Network Access to Cloud Services: With Skyhigh Pervasive Cloud Control, IT and Security teams can secure off-network access to cloud services, and best of all they can do so without an agent on the device or VPN access to the corporate network. As a example, an executive needs to download an encrypted file stored on a file sharing and collaboration cloud service, such as Box, while logged in from the airport. Skyhigh’s Pervasive Cloud Control seamlessly decrypts the encrypted file and the executive can access the encrypted file in a readable format

Collaboration Between Employees, Customers and Partners: With Skyhigh Pervasive Cloud Control companies can satisfy security, compliance and governance requirements while collaborating seamlessly with third parties such as vendors, customers, and partners and without breaking business workflows. As an example, while collaborating with a customer’s HR department, a third party HR vendor uploads a document containing PII to the customer’s Office 365 SharePoint site. Skyhigh’s Pervasive Cloud Control flags the file containing PII for policy violation, puts the file in quarantine as the PII is identified, and replaces the file with a tombstone file.

How Pervasive Cloud Control works (according to Gartner)
“Reverse Proxy Mode – This mode involves traffic redirection by making configuration changes to how traffic arrives from clients to the SaaS application. One way this can occur is by configuration applied to the SaaS application so that, during the SaaS authentication workflow, each individual app in question is directed to use the CASB provider as the authentication source. The CASB then forwards the authentication request to the IAM solution, and directs future traffic through it as well. This SAML redirection method is a popular way to force end-user traffic through the CASB so that it can perform inspection, even from unmanaged devices.” — Gartner, Select the Right CASB Deployment for Your SaaS Security Strategy, Craig Lawson, Neil MacDonald, Sid Deshpande, March 2015.

CSA Congress at PSR 2015 Recap Roundup

By Frank Guanco, Research Project Manager, CSA Global

Last week, the CSA Congress and IAPP Privacy Academy teamed up in Las Vegas, Nevada for the Privacy.Security.Risk. (PSR) conference. This was the second privacy and security conference that the Cloud Security Alliance (CSA) and the International Association of Privacy Professionals (IAPP) co-hosted and the conference was a successful event with cloud security and privacy professionals learning about best practices, the current state of affairs in their respective fields, and cross-training and learning new disciplines. During CSA Congress at PSR, there were a number of releases, events, awards, speakers, and sessions that ran the gamut of the CSA’s Research Portfolio. Below are links that recap some of the activity during CSA Congress 2015 at PSR.

Ron Knode Award Winners 2015
Each year at Congress, the CSA recognizes a few of our members around the globe for their excellence in volunteerism and leadership. Named in honor of Ron Knode, a member of the CSA family who passed away in 2012, these awards are a means toward recognizing members whose contributions have been invaluable. Learn more about the winners of the 2015 Ron Knode Service Awards.

Cloud Security Alliance Releases New Guidance for Identity and Access Management for the Internet of Things
The CSA’s Internet of Things (IoT) Working Group released a new summary guidance report titled Identity and Access Management for the Internet of Things. The Internet of Things (IoT) has been experiencing massive growth in both consumer and business environments. In response to this emerging market and the particular security requirements of these connected devices, the CSA established the IoT Working Group to focus on providing relevant guidance to its stakeholders who are implementing IoT solutions. Get more information on the report.

Cloud Security Alliance Releases New Document on Post-Quantum Cryptography
The CSA’s Quantum-Safe Security working group released their latest document, “What is Post-Quantum Cryptography,” a report that takes a closer look at post-quantum cryptography and what institutions need to know and need to do in order to protect themselves against quantum computers. Read more on the report.

Cloud Security Alliance Research Working Group Sessions
When CSA’s big events happen in North America, like CSA Summit at RSA and CSA Congress at PSR, the CSA’s Research team hosts working group sessions for the various projects, groups, and initiatives that comprise the research portfolio. This year, the following working groups and initiatives gave their updates: Virtualization, Service Level Agreement, International Standards Council, Top Threats, Cloud Controls Matrix, Cloud Cyber Incident Sharing Center, Internet of Things, and the Open Certification Framework. See presentations from CSA Congress at PSR 2015.

Thanks to all that attended CSA Congress at PSR in Las Vegas. It was a successful event and we look forward to seeing everyone at Privacy.Security.Risk 2016 as it returns to San Jose, California from 9/15-16, 2016. Save the date!

The Web’s Greediest Villain: Ransomware

By Aimee Simpson,  Integrated Marketing Manager, Code42

CODE42 Cyber Security Awareness MonthPresident Obama designated October as National Cyber Security Awareness Month (NCSAM). This U.S. observance is meant to engage, educate and raise awareness of the importance of cybersecurity to our nation. This month, Code42 is celebrating with a series of blog posts, giveaways and juicy content all about protecting your users and network from the growing threats that haunt our digital lives. This post covers one of the darkest, greediest threats out there: ransomware.

Over the last few decades, hundreds of thousands of computer users have had the great misfortune of having messages like these pop up on their screens (see Example A).

Becoming infected with a ransomware program—be it CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker, or one of their many variants—can feel like the digital equivalent of getting mugged. The software encrypts targeted files on the infected computer and holds them hostage until a payment is made when a decryption key is delivered. Demands for payment range from $100-$500, depending on the victim. This past year, several U.S. city police departments admitted to paying ransoms around $500 each for retrieving files that were stolen from them.


(Example A. Screengrab:

With criminal groups all over the world reaping exponential rewards, ransomware is now big business. By tracking bitcoin transactions, a computer science grad student reported that on January 15, 2013, a single address associated with ransomware received over $1 million in bitcoin.  For criminals in the ransomware game, the average ROI is 1,425%.

With returns like that, it is no wonder that ransomware has grown into an enormous, notorious global extortion machine. It’s one of the web’s most costly nemeses—a true super villain—with an equally evil origin story.

An Evil Villain with an Evil Origin
Ransomware, first known as cryptoviral extortion, was born in 1989. The malware was quaintly distributed on 20,000 floppy disks by post. Instead of an adult website advertisement or an email attachment promising 70 percent off select items at J.Crew—two of the many ways malware distributes and disguises itself today—this first incarnation’s disguise was something much crueler.

The floppy disks, distributed to scientific research institutions throughout 90 countries, were masquerading as AIDS education software. The program became known as the “AIDS Trojan.” When you first inserted the disk, you were taken through a questionnaire that calculated your risk of contracting AIDS. The file encryption was programmed to begin after the computer was rebooted a certain number of times. When their ransom notes arrived—also by post—the victims were instructed to turn on their printers, which spat out the demand for a payment of $189. They had no clue that the seemingly innocent AIDS app was to blame. Payments were made to a P.O. box in Panama. Only then did the victims receive the decryption key—also on a floppy disk in the mail.

After analysis, the code used in this first iteration of ransomware was found to be weak and easily reversible. The story was well covered by British media where the first attacks were reported. The mastermind, Dr. Joseph L. Popp, was a Harvard-educated biologist loosely associated with the victims through the World Health Organization, where he had recently been denied a job. In the end, Popp pled insanity and was set free. (Read the whole story here.)

More important than Popp’s fate, the World Health Organization scandal or the product of the software itself was the concept. In 1989, an idea was born. You could steal someone’s files without physically stealing them. You could blackmail the owner. You could perform cyber extortion.

This legacy left a massively destructive blueprint for a generation of criminals to come. Today’s cybercriminals are smarter, stealthier and have the benefits of ubiquitous Internet connectivity, unbeatable open-source cryptography resources and nearly anonymous online bitcoin depositories. Today, ransomware follows the same pattern as Popps’ AIDS Trojan, only everything is bigger: larger criminal organizations, higher ransom payments and malware with greater reach.

Earlier this year a strain called VirRansom was released. Experts have already dubbed it, “the AIDS of ransomware.” How evil! How…fitting.

Fall 2015 Netskope Cloud Report: Healthcare and Life Sciences Have the Most Violations

By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope

NS-Cloud-Report-Oct15-WW-IG-00 (1) copyToday we released our Cloud Report for Fall 2015 – global as well as and Europe, Middle East and Africa versions. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, and top policy violations from across our customers using the Netskope Active Platform.

This season we focus primarily on app usage and data policy violations by industry grouping as well as activities in cloud apps. Plus, we distill that information down into a few “quick wins” for IT. Here’s an overview:

Industry App Usage
For the first time, this report breaks down trends by industry group, focusing on five key groupings with similar usage characteristics. They are:

  • Healthcare and life sciences;
  • Financial services, banking, and insurance;
  • Retail, restaurants, and hospitality;
  • Manufacturing; and
  • Technology and IT services

The average number of cloud apps per enterprise climbed from 715 in our last report to 755, with 91.2 lacking in the areas of security, audit and certification, service-level agreement, and other key attributes that we adapted from the Cloud Security Alliance’s Cloud Controls Matrix. Technology and IT services saw the highest number of cloud apps, with an average of 1,157 apps per enterprise, with healthcare and life sciences a close second, with 1,017.

Industry Data Policy Violations
A key area of focus for us this season is Data Loss Prevention (DLP) in the cloud. Healthcare and life sciences enterprises had the highest number of DLP policy violations in content at rest in sanctioned apps, with 21.1 percent of files scanned matching at least one DLP profile, such as personally-identifiable information (PII), payment card industry information (PCI), protected health information (PHI), source code, profanity, and “confidential” or “top secret” information. The second highest was Technology and IT services, with 14.2 percent. Overall, healthcare and life sciences enterprises accounted for the vast majority of total DLP policy violations (for both content at rest and en route to and from cloud apps), at 76.2 percent of the total. Not surprisingly, when we drill deeper into violation type, PHI makes up the bulk of such violations in cloud apps, at 68.5 percent. A full run-down on data violations by industry is in the report.

Activities In The Cloud
The top five cloud app activities in this season’s report include “send,” “post,” “login,” “download,” and “view.” Activities associated with data leakage or exposure, such as “share” and “download,” are alive and well in key app categories such as Cloud Storage, HR, and Business Intelligence. In Cloud Storage, for every “login,” there are four “shares.” Within HR, “download” is the fourth most common activity. And within Business Intelligence, “share” – an activity many don’t expect even to be available in this category – is the top activity.

Three Quick Wins For Enterprise It
Based on this report’s findings, here are some quick wins for enterprise IT to enable cloud apps while minimizing risk:

  1. Discover and secure sensitive content both at rest in and en route to your cloud apps. Focus on most common DLP violations that carry penalties and can result in negative press, including PHI, PII, and PCI.
  2. In defining cloud app policies, consider not just popular Cloud Storage, Social, and Webmail apps, but also focus on business-critical apps like HR, Finance/Accounting, and Business Intelligence.
  3. Go beyond coarse-grained “allow” or “block” decisions on cloud apps, and enforce contextual policies on risky activities such as “download” (e.g., to mobile), “share” (e.g., outside of the company), or “delete” (e.g., if you’re not in the enterprise directory group “HR Directors”).

What are your quick wins for dealing with cloud app risk? We want to hear them!

What Is Post-Quantum Cryptography?

By Frank Guanco, Research Project Manager, CSA Global

You are sitting at your computer about to login to your bank account to complete a transaction.  Did you notice the lock icon on the browser address bar? If you didn’t, you’re not alone.  Most people pay little attention to the lock icon on their browser address bar that signifies a secure HTTPS connection. They don’t realize that there is an exchange of keys to assure that the communications are secure and a signature with the data to assure its integrity. But what if that connection is not secure and cannot be trusted?  Now think about the situation on a global scale. Such unsecured communications could be devastating, potentially making eCommerce, Cloud applications and storage, Online Stock Trading, and anything that relies on HTTPS, useless.

While it may seem like doomsday, this scenario is possible in the not-too-distant future. The US National Security Agency (NSA) and the Chinese government, as well as researchers and engineers at universities and corporations, are all working to create a quantum computer with enough computing power to break the secure HTTPS connection. Thankfully, solutions exist today that can resist quantum computing attacks and avoid this economic Armageddon. Post-quantum cryptography refers to the different classes of new cryptographic algorithms that are currently believed to resist quantum computer attacks.  The most pressing issue today is these cryptographic algorithms need to be proactively in place several years before quantum computers are available.  That’s why it is necessary to start integrating post-quantum algorithms in cryptographic protocols today.

Today, the Cloud Security Alliance’s (CSA) Quantum-Safe Security Working Group released “What is Post-Quantum Cryptography,” a report that takes a closer look at post-quantum cryptography and what institutions need to know and need to do in order to protect themselves against quantum computers.

Current secure HTTPS communications rely on an exchange of keys generated by asymmetric cryptography to ensure that the parties are who they say they are. Once these keys are exchanged, the data is then encrypted with symmetric cryptography and signed with asymmetric cryptography. A quantum computer could potentially run on an algorithm that could be used to break asymmetric public-key cryptography schemes. Protection, however, is not far off.  Post-quantum symmetric cryptography does not need to be changed significantly from current symmetric cryptography, other than by increasing current security levels.  With a few security tweaks and some careful planning, organizations can start preparing now for the post-quantum computer world

To learn more about post-quantum cryptography and to read the entire report, please visit here. For more details about CSA and its Quantum-Safe Security working group, please visit the Cloud Security Alliance.

Cloud Security Alliance CEO’s Top Cloud Security Priorities

By Jim Reavis, CEO, Cloud Security Alliance.

code42 cloud security csaI would like to thank my friends at Code42 for again giving me a platform to talk about the cloud security issues on my mind. In this blog post, I wanted to discuss some of the changes I am seeing in how security professionals are rethinking best practices as a result of being exposed to cloud computing and what some of the security priorities are as organizations begin to depend upon a critical mass of cloud services.

From comfortable stasis…
Traditional IT systems have been characterized as being static in nature. Indeed, I spent the first 20 years of my career focused on architecture, implementation and security of traditional computer networks. File servers, routers, firewalls and hosts would be carefully sized, designed and put into production, with the hope that they could go years without a single reboot. We valued stability perhaps most of all, and would even develop odd, fond relationships with servers—treating them a bit like favorite pets. Systems would be patched and upgraded of course, but only when deemed absolutely necessary, and only after significant research and regression testing of the updates.

The information security solutions that grew up around this environment recognized the relative permanence of these systems and developed their security strategies accordingly. Detection and prevention of viruses, performing forensics on breaches and several other tasks are carefully integrated with systems, lest we disturb these permanent servers. Sometimes we couldn’t even eradicate malware, as the cure (a reboot with downtime) was worse than the disease. These static systems are actually very fragile.

To ephemeral clouds
By contrast, cloud computing is highly dynamic. We turn services on or off at will. Virtual machines are very transient, not eligible for pet names, unless as part of a cloud orchestration tool we are instantiating Rover001..RoverNNN. This ephemeral cloud is causing security professionals to tackle problems differently. Instead of a painstaking malware mitigation program, why not just turn the virtual machine off, start a new VM and point it at your data sets? Maybe we don’t care about all of the malware details from an operational perspective when we can just make it go away and start over.

This is just one example. The reality is, I don’t think we as a security community have yet grasped all of the implications of cloud computing’s essential characteristics, and have not employed enough imagination yet to replace our security strategies with brand new approaches; but clearly the wheels are turning. It is exciting to see the experts start with a blank slate, rather than duplicating a questionable security tool in cloud.

New approaches to old (and new) security problems
As we are in this phase of transitioning to cloud, security professionals are seeking their ground zero for sound security strategies. Many organizations are starting with their data and working outward from there. A lot goes into protecting data, so I’ll just mention a few priorities. Strong authentication is becoming so common, that it makes an old security professional positively giddy. When you think about some of the early so-called cloud breaches, they were actually not direct attacks on cloud providers, but account takeovers caused by attacks upon a user’s ID and password. We have a lot more to implement here, but it is going in the right direction. Closely related is identity federation. We simply cannot afford to have an employee’s login credentials stored at hundreds of provider locations and must federate our directories rather than duplicating them.

Encryption has proven to be a remarkably resilient security control. When you have the option, take it. CSAexpounds upon the importance of customer control of keys to create an appropriate separation of duties. The challenge for encryption going forward is to make it applicable in as many cloud use cases as possible. Notably, providing encryption for Software-as-a-Service (SaaS) is an important area CSA is focused on, with our new OpenAPI working group seeking to provide an approach that creates seamless encryption that works across any cloud provider.

Taking new approaches to old security problems is a great thing to see. Of course cloud will bring some interesting new security problems, but we’ll leave that for another blog post.

(This post first appeared on Code42’s blog Data on the Edge)