SecaaS Working Group Releases Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring

By John Yeoh, Senior Research Analyst, Global, Cloud Security Alliance

Numerous security vendors are now leveraging cloud-based Security as a Service (SecaaS) models to deliver security solutions. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. However, these SecaaS offerings can take many forms causing market confusion and complicating the selection process. Customers are increasingly faced with evaluating security solutions, which do not run on premises, and need a better understanding of these offerings to evaluate the security risks and the shared responsibility over the security of systems for which they are accountable.

In order to improve the perception and reputation of these services, Security as a Service requires a clear definition and direction to ensure it is understood and to improve the adoption across industry sectors. This will lead to greater awareness, understanding and knowledge of SecaaS and its functions.

The CSA SecaaS Working Group is working to address these challenges by working with experienced knowledge leaders and intelligent market research in the industry to align with cloud governance best practices, document use cases, identify standards requirements, and create other innovative research artifacts.  The group’s research will allow the intended users to create guidelines for implementing SecaaS offerings, support those looking to purchase SecaaS solutions, and aid those tasked with implementing or auditing them.

Today, at the RSA Conference, the SecaaS Working Group is releasing Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring.”

Continuous Monitoring has been recognized as a new category that the working group has addressed. This overview document is the first in a series of business, technical, and implementation guidance documents for the following security service categories:

  • Business Continuity and Disaster Recovery
  • Continuous Monitoring
  • Data Loss Prevention
  • Email Security
  • Encryption
  • Identity and Access Management (IAM)
  • Intrusion Management
  • Network Security
  • Security Assessments
  • Security Information and Event Management
  • Vulnerability Scanning
  • Web Security

For more information, visit CSA Security as a Service.

CSA’S Virtualization Working Group Publishes New Position Paper on Network Function Virtualization

With the broad adoption of virtualized infrastructure, many security teams are now struggling with how to best secure these vital assets from targeted attacks. And because almost anyone can now easily virtualize resources such as compute, storage, networking and applications, the velocity and impact of security threats have increased significantly.

In response to these trends, the CSA’s Virtualization Working Group has convened a forum of experts to help network and data center practitioners adopt new best practices for securing their virtual infrastructure. The result is a new position paper on Network Function Virtualization, which discusses some of the potential security issues and concerns, and offers guidance for securing a Network Virtual Function (NFV) based architecture, whereby security services are provisioned in the form of Virtual Network Functions (VNFs). We refer to such an NFV-based architecture as the NFV Security Framework. This paper also references Software-Defined Networking (SDN) concepts, since SDN is a critical virtualization-enabling technology. The paper is the first step in developing practical guidance on how to secure NFV and SDN environments.

This white paper consists of five core sections:
Section 1: Provides a basic overview.
Section 2: Introduces NFV concepts, and briefly discusses SDN.
Section 3: Expounds on some of the security issues and concerns when introducing NFV into a cloud environment.
Section 4: Explains the benefits and opportunities of an NFV Security Framework.
Section 5: Expounds on the challenges and important elements of the NFV Security Framework.

“NFV and SDN have introduced significant new threat vectors into cloud providers and enterprise environments.  The CSA Virtualization Working Group looks forward to collaborating with the industry to determine how best to mitigate these threats.  We have created an initial step in that direction and hope to accelerate our ability to guide security experts with practical guidance in the near future”, said Kapil Raina, Co-Chair of the Virtualization Working Group

The Virtualization Working Group is sponsored by Trend Micro. Download a free copy of the paper.

You can catch the co-chairs and members of the working group during RSA 2016 at the CSA Research Working Group meetings. Visit CSA Research Working Group more information about the meetings.

CSA’s Consensus Assessments Initiative Releases Minor Update to Version 3.0.1

CSA’s Consensus Assessments Initiative Working Group has released an update to version 3.0.1 of the Consensus Assessments Initiative Questionnaire (CAIQ) that included minor updates and corrections.

A tab was created in the spreadsheet titled “CAIQ Change Log” to capture the details of each update. This will be the location where all updates/corrections are logged until the next major version release. Updates included spelling and consistency in the document.

Consensus Assessments Initiative Questionnaire v3.0.1 (9-1-17 Update)

Cloud Data Security Services Just Got Easier to Build and Assess

By Alan Eng, Senior Manager/Product Marketing, Vormetric

vormetricIt is well documented that security is the leading concern hindering cloud adoption. However, it is not so clear cut how to build secure cloud services, or how to assess whether cloud services adhere to relevant security requirements. The Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) framework was specifically designed to offer insights on these topics. The CCM framework provides fundamental security principles to guide cloud service providers (CSPs) and to assist prospective cloud customers in assessing the overall security risk of a cloud offering.

Using the latest CCM framework, version 3.0.1, Vormetric has created two white papers that shed further light on these critical topics. One paper helps cloud providers understand how to meet industry security guidelines with Vormetric data security solutions. The second paper explains how customers looking to adopt cloud services can assess whether their cloud vendors adhere to cloud security best practices. This paper also describes which Vormetric solutions to look for in complying with these standards.

The CCM is aligned with many industry standards and control frameworks, including International Organization for Standardization (ISO) 27001 and 27002, ISACA COBIT, National Institute of Standards and Technology (NIST), Jericho Forum, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), the Payment Card Industry Data Security Standard, version 3, and several others. As a result, CSPs can meet a number of industry security guidelines simply by adopting CCM requirements. In addition, the CCM framework features the Consensus Assessments Initiative Questionnaire (CAIQ), a detailed questionnaire that customers can use to assess the security capabilities of CSPs.

To develop our white papers, Vormetric staff worked with CSA CCM experts to identify which requirements pertained to data security. These white papers explain how the Vormetric Data Security Platform meets critical data security requirements.

By leveraging these white papers, security teams at CSPs can establish a clear path forward for securing data in their cloud environments. Further, executives at enterprises can use a concrete list of questions to assess and qualify prospective CSP offerings and ensure their data security needs are met. Below is a brief description of each white paper and the link to download the paper directly.

Industry Guidelines for Building Secure Cloud Services: This white paper explains how CSPs can use the Vormetric Data Security Platform to address CCM requirements for data segregation, persistent protection of customer data, data access monitoring and auditability, availability, and data destruction.

Best Practices for Assessing Your Cloud Data Security Services: This white paper offers a detailed look at how Vormetric solutions address the requirements specified in the CAIQ. In addition, the paper details what enterprise decision makers should look for in their cloud data security services.

Both white papers are also available on the Vormetric resources page.

Quantum Technologies and Real World Information Security Challenges

By Bruno Huttner, Quantum Safe Product Manager, ID Quantique

Most cyber security applications rely on a few cryptographic primitives, for both encryption and signature. These primitives are now known to be breakable by a Quantum Computer (QC), that is a computer operating according to the rules of quantum mechanics. The design and manufacture of such a computer is still a formidable tasks, which is expected to last for many years. However, a post by the NSA in 2015, which was very recently followed by a NIST report have brought a new sense of urgency to the matter.

Indeed, in view of the devastating effect the QC would have on our cryptographic systems, it is necessary to start thinking now about new ways to protect and authenticate data. Existing tapping techniques, in conjunction with almost unlimited storage abilities, allow malicious entities to gather and store incredible amounts of data. These encrypted data can be kept this way until the  quantum computer is ready,  and then subsequently decrypted. Therefore, data, which has to be kept secret for a long time, say tens of years, should already be encrypted in a quantum-safe manner. We need to prepare for the post-quantum era now.

There are two possible roads towards this goal. The first one is to keep algorithmic-based cryptography, but use different algorithms, known as Post–Quantum Algorithms (PQAs) or Quantum Resistant Algorithms (QRAs), which, we hope, will remain quantum-safe. The second one is to adopt an entirely different principle, and base some of our cryptographic primitives on physical methods. In this case, security does not depend on mathematical analysis, but on the laws of quantum mechanics. This is what is achieved by Quantum Key Distribution (QKD).

These two approaches are by no means exclusive. Each have different domains of application, and will most probably complement one another. Since QKD requires a physical infrastructure, it will be restricted to  large communication hubs, for example links between large data centres, such as the ones used for cloud infrastructure. In addition, as it is provably secure, QKD shall be used for high value data, which has to remain secret for a long period. However, QKD only deals with key distribution which is only one part of a quantum-resistant cryptosystem. QRAs, necessary for authentication, will also be used in links between end-users and communication infrastructure, for example mobile applications to antennas or telecom hubs. It could also be used for data with high privacy content, but shorter validity period.

Quantum Safe Security @ RSA 2016
Quantum technologies represent both a threat to current cyber security methods, and an asset to guarantee long-term cyber security in the post-quantum era. The “Quantum technologies and real world information security challenges” panel is the first of its kind, which will be presented at RSA Conference this year. The panellists have been chosen among real information security professionals from a variety of fields. The specific topics they will cover include:

  • The threat of the quantum computer against current cryptographic techniques.
  • The immediate and medium-term challenges faced by each industry that could be mitigated by quantum security approaches.
  • Different quantum solutions, the problems they can help address, and how they compare to the current approaches in use.
  • What are the perceived risks and weaknesses of Quantum Key Distribution solutions?
  • Discussions on any work / partnerships they have done in this area.

If you ever wondered whether you should start thinking about these issues, their stories are your own stories. This session will provide you with a clearer picture and possible action points for the future.

Session Details
Date: Friday,  March 4, 2016
Time: 10:10 AM
Venue: Moscone West, Room 2005

For more information about the session, click here.

Apple vs. FBI: The “Bad” Guys Always Get the “Good” Weapons

By Susan Richardson, Manager/Content Strategy, Code42

02_19_16_apple_fbi_social_blogIt’s a powerful tool, created for good—until it falls into the wrong hands. Sounds like a classic James Bond plot, right? That’s how we see the battle surrounding government-mandated “backdoors” playing out—and why we side with Apple (and most of the tech world) in supporting the individual’s right to privacy. Because unfortunately, 007 doesn’t stand a chance against today’s cyber criminals.

Backdoors: the classic “good” tool that falls into “bad” hands
The FBI’s court order to Apple—and Apple’s official and very public response—is just the latest in an ongoing debate and struggle to find the balance between the need for security and the right to privacy. The pro-backdoor camp believes these tools are essential for investigating criminals, terrorists and other nefarious actors, preventing them from “going dark” behind the wall of encryption. This all seems reasonable in the short term. Their cause is just. It’s a means to an end we all want—safety and security. It’s a one-time thing, right?

Wrong. Once the technology exists, there’s no going back—and there’s no sure way to completely control how it’s used or how it evolves. So, what happens when these backdoor keys fall into the wrong hands? It’s the classic plot of the James Bond series and other spy thrillers. But this time, it won’t be a single villain; it will be the entire shadowy world of cyber criminals, wreaking havoc with the newly created (and hacked) “keys to the kingdom.”

“But the government will protect the keys!”
Think the bad guys won’t get the backdoor keys? Think again. The U.S. government is already being hacked with alarming frequency and ease. Just last week, President Obama acknowledged that government IT infrastructure is woefully outdated and easily outgunned by agile cybercriminals. Even if the government moves to shore up these vulnerabilities, the mere existence of backdoor keys will be blood in the water for hungry cybercriminals, giving even greater incentive to target government IT infrastructure.

Code42 supports the individual right to privacy
At Code42, we recognize the need to balance security with privacy, but we ultimately believe in the individual’s right to privacy. We’ve talked about the problems with backdoors before—and industry experts agree that the risks outweigh the benefits. Our consumer tools, including Code42 CrashPlan, help our customers protect this right. In the enterprise world, we designed Code42 CrashPlan to empower the enterprise to define their security policies, providing employees with a respectful sense of privacy.

Forcing tech companies to sabotage their own products and hack their own customers will have a disastrous impact on the tech economy. But expecting a technology to only be used for good is a shortsighted move with the potential for far greater harm than good. And like we said, James Bond won’t be saving the day on this one.

The Netskope Cloud Report: The Cloud Malware Fan-out

By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope

NS-Cloud-Report-Feb16-WW-IG-00 (1)Today we released our Cloud Report in which we highlight cloud security findings from October through December of 2015.

This quarter we focus on an important finding from our research team. In scanning many hundreds of our customers’ tenants, we found that 4.1 percent of those enterprises’ sanctioned apps are laced with malware such as trojans, viruses, and spyware. The volume of malware in those apps ranged from a handful of files to many dozens in a customer tenant.

We analyzed the infections and found a “fan-out” pattern in the spread of the malware (or in some cases, the effect of the malware). This is due, ironically, to two critically useful capabilities that the cloud is known for – sync and share.

I’ll show an example of this in full forensic detail during my keynote at next week’s CSA Summit, but let me describe what we saw happen in a number of enterprises that got hit with ransomware recently:
– A user becomes infected with ransomware
– Upon detonation, the ransomware encrypts the files on the user’s hard drive
– Some of the files on the user’s hard drive are in sync folders of a cloud app
– The encrypted versions of the files sync with the cloud app, replacing the cloud versions with the encrypted ones
– Then additional users, with whom the original user had shared the sync folder, sync their desktop client folders with the cloud, and those desktop files become encrypted

We have observed the fan-out effect both for the spread of malware itself and for the spread of the effect of malware, such as encryption in the above example.

Note that our initial research was only on enterprises’ sanctioned apps, which represent less than five percent of total cloud usage. Given this, we believe that both malware, and this fan-out effect, are far more widespread than the 4.1 percent we observed. As we begin applying this research to unsanctioned apps in our cloud access security broker, we’ll report on what we find in future reports.

What do we recommend to combat this? Five things:
1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more
2. Scan for and remediate malware at rest in your sanctioned apps
3. Detect malware incoming via sanctioned and unsanctioned apps
4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors
5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server

Top Ten Reasons You Need to Attend the CSA Summit @ RSA February 29th

Cloud Security Alliance’s 7th annual CSA Summit @ RSA will be our biggest yet, with educational sessions covering cloud security from every angle. This Monday event is free for any type of RSA Conference pass holder, so make your plans to attend. If you need any more enticement, below are the Top Ten reasons you need to be there:

  1. Leading edge discussions of containerization, new cloud attack vectors, Cloud Access Security Brokers (CASBs ), identity, Internet of Things (IoT) and much more!
  2. It is held on Leap Day, so if you are operating on an old calendar you probably didn’t have anything scheduled for February 29 anyway.
  3. Former SEC Commissioner Luis A. Aguilar provides his vision of how Boards of Directors must address emerging cybersecurity issues, how private and public companies must cope with rapid technological innovation and the role of the U.S. Securities and Exchange Commission must play now and in the future.
  4. Free lunch.
  5. Enterprise experts abound to share experiences. Learn how cloud is causing GE to completely rethink their network architecture and security controls. Hear Cisco CISO John Stewart discuss managing cloud security at scale in a decentralized world. Don’t miss Vinay Patel from Citi launch the CSA Global Enterprise Advisory Board.
  6. See a noted security celebrity get the annual CSA Leadership Award (hint: it won’t be Leonardo DiCaprio)
  7. Security experts provide guidance to overcome the CSA’s Top Threats to Cloud Computing, with the new report to be released at the Summit.
  8. Guaranteed no ransomware-infected USB drives in attendee bags.
  9. Herjavec Group CEO and top “Shark” Robert Herjavec discusses information security innovation and puts the industry’s top cloud providers on the hot seat

And the number one reason you need to attend the CSA Summit @ RSA February 29th:

  1. No 2016 Presidential Candidates Allowed in the Room.

Come to the Summit to Learn, Engage and Start your RSA week off right: https://csacongress.org/event/summit-rsa-2016/

Something’s Gotta Give, And It’s You

By David Payne, VP Systems Engineering, Code42

02_10_16_it_employee_partnering_blogIT has lost the ability to unilaterally command which software employees access and what devices they carry. Anybody with a credit card can get the tools he or she needs to work fast and unencumbered. This freedom has significant impact on data security. But there’s no going back to a time when employees acquiesce just because IT says no.

The adversarial relationship that has festered between IT and “end users” prevents learning and increases vulnerability.

For example: Is it the user’s fault when a window pops up on his screen suggesting he update his Flash player and the false link unleashes a virus into the network?

Or what about this one: Despite the policy (written for the company road warriors) about always using the VPN and never storing sensitive data on laptops, who’s to blame when the device is breached, with hundreds of customer documents and details, during a week-long international sales trip?

In a lot of scenarios, the right technology and small shifts in behavior can change (and mend) the relationship between employees and IT and InfoSec—and in so doing improve data security.

German philosopher, critic and poet Friedrich Nietzsche summarized the way people live and think in the phrase, “He who has a why to live for, can bear almost any how.” I use this aphorism to describe the new relationship IT must forge with workers. Instead of policing end users and erecting barriers to protect them from themselves, IT needs to innovate around the people it supports. That means seeing them as people striving to meet their business goals, not end users who must be admonished for their own good.

Does that mean IT has lost the war? Not at all. When IT supports the work of employees—without sacrificing data security and integrity—they must deeply understand the way and the why employees do what they do. The question becomes not, “Why don’t employees save files on the file server like I told them to?” but, “What technology will make file backup automatic and inconspicuous so employees don’t have to worry about it?”

In reverse, this shift will help employees better understand the “why” of IT and InfoSec and encourage employees to examine how their behavior affects the security posture of the organization.

“I understand some of these restrictions are here to protect all of us, not to prevent me from getting my work done.”

When IT sees people (rather than end users) trying to get important jobs done with the least resistance, and employees see IT and InfoSec as protecting the business, data security feels and looks more like a team sport than a boxing match.

Tentative Safe Harbour Agreement Reached—For Now

By Rachel Holdgrafer, Business Content Strategist, Code42

02_03_16_safeharbour_blogThe European Union and the United States have reached a preliminary agreement that would allow companies doing business on both sides of the Atlantic to resume transmitting individuals’ digital data.

Struck down in October 2015 for failing to sufficiently protect European citizens’ data, transatlantic data transfer governed by the Safe Harbour Agreement is the life blood of thousands of companies including Google, Amazon and Pfizer. European privacy groups demanded that an agreement be reached by January 31 and while negotiators missed the deadline, they reached agreement on February 2.

The new legislation guarantees that U.S. intelligence agencies would not have:

indiscriminate access to Europeans’ digital data when it is sent across the Atlantic in the course of business.

It also puts more responsibility on U.S. companies to protect the data of European citizens. Additionally, the European Commission reports that European citizens who believe that their data has been misused will have several possibilities for redress.

Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

But companies doing business in both Europe and the United States are not in the clear yet. The New York Times reports:

Many obstacles still await the deal, which must be officially approved by the union’s 28 member states. National data protection regulators have yet to give their support to the pact, and European privacy-rights advocates are preparing to file legal challenges seeking to overturn it.

European privacy groups are skeptical that the U.S. will uphold the data protection rights that European citizens demand and “support further restrictions on how companies can move the data if they suspect it may still be misused.”

Can Wanted Cybercriminals Be Stopped?

By Leo Taddeo,  ‎Chief Security Officer, Cryptzone

Part 2 of a 2-part series

Can-Wanted-Cybercriminals-Be-Stopped-iStock-arfo-250x167I recently wrote about the challenges around cybercrime reporting in the US. Organizations often fail to notify law enforcement after discovering a network intrusion – partly because of a reluctance on their part to admit having been a victim, but also because they may not be aware which agency has jurisdiction over their case.

The outcome of this is that a lot of cybercrime is never investigated by the authorities, and a lot of hackers – some of them extremely prolific – are never brought to justice. This makes it difficult for law enforcement to create a meaningful deterrent. The financial rewards of cybercrime are often very high; the risk of getting punished is very low.

However, it’s not just a lack of cybercrime reporting that feeds into this difficulty. There’s also the fact that while the US has had a lot of success in apprehending certain high-profile hackers, other wanted cybercriminals – individuals of similar, if not greater, stature – remain at large with little chance of arrest.

Some of these people are on the FBI’s most-wanted list. Bringing them to justice would act as a significant deterrent for other would-be hackers, and therefore do much to protect the networks of organizations in the US and elsewhere. But can they be stopped?

Apprehending Foreign Cybercriminals is Difficult
One of the key reasons the US has difficulty in stopping wanted cybercriminals is that many of them are located in China and Russia, which significantly hinders our ability to bring them to justice.

I’ve written before about the hacking threat from China and the 2014 indictment of five Chinese military officers for stealing intellectual property from American companies; naturally, those officers have never been extradited. And while President Xi and President Obama have since agreed not to “knowingly support” cybercrime, I would argue that this agreement is unenforceable. In all likelihood, China will continue to use hacking as a tool to further its global power.

Still, at least we’ve opened a discussion. No such dialogue has been sought with Russia, which means US authorities can’t rely on the cooperation of their Russian counterparts when it comes to cracking down on cybercriminal activity originating in that country.

Russian hackers have a long history of targeting financial institutions in the US, and – by all accounts – remain free to do so with relative impunity. Evgeniy Bogachev, one of the most prolific cybercriminals in the world, is a key example; despite having a bigger FBI bounty on his head – $3 million – than any other hacker, he’s reportedly treated as nothing less than a hero in Russia. One policeman in his hometown of Anapa told the British press in 2014: “I’d pin a medal on the guy.”

This is a man whose cybercriminal enterprise is believed to have stolen over $100 million from foreign banks. It’s hard to say for sure if being on the FBI’s most-wanted list has made him any less prolific, but is there any reason for him to stop what he’s doing?

US Organizations Must Act Now to Improve Security
As I said in my last blog post, law enforcement has a hugely important role to play in the fight against cybercrime. By gathering and sharing up-to-date threat intelligence, investigating network intrusions, and ultimately arresting and prosecuting hackers, agencies like the FBI make America a safer place to do business.

At the same time, issues like our inability to extradite wanted cybercriminals from Russia and China, as well as the fact so many cyber attacks go unreported, means no organization can rely on the government to protect it from this growing threat. Only by implementing the best possible controls – securing their networks, applications and data – can American companies truly defend themselves.

Don’t wait for the bad guys to be arrested; strengthen your defenses to stop the bad guys from getting in.

Learn more about Cryptzone’s secure access and data security solutions.

Five Surprising Truths from the Cloud Security Alliance’s Latest Survey

Survey of 200 it leaders finds that cloud perceptions, it security reporting structures, and cloud security approaches are changing

By Cameron Coles, Senior Product Marketing Manager, Skyhigh Networks

Screen Shot 2016-02-03 at 3.08.24 PMAfter years of IT leaders loudly voicing their concerns about the security of the cloud, trust in cloud services is now virtually on par with on-premises applications. That’s according to a survey conducted by the Cloud Security Alliance released this week (download a free copy here). It’s just one finding in the 26-page report drawn from a survey of over 200 IT executives about the state of cloud adoption, the evolving role of IT, and how enterprises approach cloud security. While trust in the cloud may be on the rise, that doesn’t mean companies aren’t looking to implement many of the same security controls they did for their on-premises systems.

“As data leaves the company data center for the cloud, IT is caught between delivering technologies to support innovation and growth in the business and securing sensitive data against proliferating threats.”
– Cloud Security Alliance “The Cloud Balancing Act for IT: Between Promise and Peril

64.9% of IT trusts the cloud as much or more than on-premises software
It’s a well-established conceit, heard whenever IT executives are discussing the merits of cloud projects, that “the cloud is not secure” but that’s changing. Despite concerns about the security of corporate data moving to the cloud, just 35.0% of IT leaders believe that, as a general rule, cloud-based systems of record are less secure than their on-premises counterparts. A majority, 64.9%, say that the cloud is either more secure than on-premises software or equally secure. One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending beyond even what some of their customers do to secure their on-premises applications.

64.9

While IT leaders are more confident in the platform security of cloud applications, there’s still a lot that can go wrong. Careless or malicious insiders, compromised accounts, and misconfigured security settings can all lead to data loss, even within enterprise-ready cloud services whose platforms are arguably more secure than what most companies run in their own data centers. Perhaps that’s why the ability to enforce corporate security policies is the number one barrier to moving applications to the cloud, indicated by 67.8% of IT leaders. That’s followed by the need to comply with regulatory requirements (61.2%) and lack of budget to replace legacy systems (31.6%).

64.9% of IT leaders say the cloud is as secure or more secure than
on-premises software

The top barrier to securing data is a lack of skilled security professionals
Surprisingly, the biggest barrier to stopping incidents that result in data loss is not a limitation with security technology or budgeting; it’s a human resource limitation. Companies are struggling to find and hire skilled employees to take advantage of their security technology. That’s because businesses are hiring IT security professionals faster than the market can educate, train, and develop experienced security professionals. In August, it was reported that JP Morgan expected to spend $500 million on cyber security in 2015, double its 2014 budget of $250 million. Rapid hiring is leading to a shortage of people to fill open positions.

CSA-Report-2015-barriers-to-detecting-data-loss-961-dark

A 2015 report from labor analytics firm Burning Glass shows that cyber security job postings grew 91% from 2010 to 2014, more than three times the rate of growth in all IT jobs. More than a third (35%) of cyber security jobs require industry certifications such as CISSP, 84% of postings require at least a bachelor’s degree, and 83% require at least three years of experience. However, education, certifications, and experience pay off for security professionals. The same report revealed that cyber security jobs have a 9% salary premium over other IT jobs. That’s why some say it’s the hottest job of 2016 and one with job security.

screenshot

24.6% of companies would pay a ransom to prevent a cyber attack
In the now infamous Sony cyber attack, hackers contacted the company and demanded a ransom before making over 100 terabytes of sensitive company data public and crippling its IT infrastructure. In the CSA survey, the greatest concern reported by IT leaders about the impact of a cyber attack is the loss of reputation and trust, followed by financial loss. In the Sony attack, external analysts estimate it cost the company $35 million to deal with the immediate aftermath of the data breach and another $83 million to completely rebuild its damaged IT infrastructure.

CSA-Report-2015-ransom-961

It’s not clear whether Sony could have stopped the release of company data if it had responded to hacker demands in the days leading up to data dump (or if, indeed, the company attempted to answer the demands of the attackers). Nevertheless, if faced with a situation in which hackers have stolen information in a major breach and plan to make the information public, 24.6% of companies would be willing to pay a ransom to prevent the release of sensitive information. Across all companies, 14.0% would be willing to pay a ransom in excess of $1 million to prevent the release of such information. Not surprisingly, companies with cyber insurance were more likely to be willing to pay a ransom to stop a breach (28.6% vs 22.6%).

14% of companies would pay a ransom of $1+ million to prevent the release of data stolen by hackers

Systems of record are the next wave of cloud adoption
In 2011, Geoffrey Moore introduced the concept of systems of engagement and predicted they would be the next wave in enterprise IT. Systems of record, which capture every dimension of data relevant to a company and process that data, were the focus of information technology initiatives last century. The new focus, he said, was on systems of engagement that enabled greater collaboration and communication. These new tools allow users to share files and information and communicate in real time via video and chat, and they were built from the ground up to run in the cloud.

Fast-forward a couple years and Moore’s prediction appears prescient. Companies have invested in a new generation of communication and collaboration tools that are cloud-native. However, as more companies experience the benefits of cloud computing, they are beginning to look toward extending these benefits to their systems of record. Systems of record, far from being left behind in legacy on-premises data centers, are starting to move to the cloud. The most common system of record to be deployed in the cloud today is customer relationship management (CRM) solutions but nearly one third of companies plan to migrate their accounting/finance, HRM, and IT service management systems to the cloud.

CSA-Report-2015-system-of-records-550

Companies with a CISO are more prepared for a cyber attack
Companies with an executive in charge of information security, known as the chief information security officer (CISO), are more confident about their internal strategy to operationalize threat data. One of the reasons that companies with a CISO may be more confident is that they are more likely to have an incident response plan. Across all companies, 82.2% have some form of an incident response plan that details how the company would respond to a serious breach, including security remediation, legal, public relations, and customer support. However, fewer than half of these companies have a complete plan that covers all of these areas.

CSA-Report-2015-incidence-response-plan-961

Just 19.0% of companies without a CISO have a complete incident response plan. However, 53.8% of companies with a CISO have a complete incident response plan. Companies with a CISO are also more likely to have cyber insurance to protect against the cost of a data breach. Across all companies, 24.6% have cyber insurance. However, just 17.2% of companies without a CISO have insurance compared with 29.2% of companies with a CISO. This insurance can help pay for the cost of a major cyber attack. Following the Target credit card breach in 2013, the company’s insurance covered $90 million of the $264 million cost related to the attack.

53.8% of companies with a CISO have a complete incident response plan
vs 19.0% of companies without a CISO

Improving Data Privacy One Employee at a Time

By Rick Orloff, ‎Vice President and Chief Security Officer, Code 42

dpm_li crop (1)It’s no Hallmark holiday, but here at Code42, Data Privacy Day is kind of a big deal. We think it should be a big deal for your organization, too. It’s a great chance to focus on the biggest security threat in your organization: your end users and their devices.

As IT and InfoSec professionals, we spend a lot of time on complex strategies that protect us from the most sophisticated cyber threats. And then we spend more time cleaning up the messes that employees get us into just by clicking corrupt links. These unintentional “user mistakes” are the biggest insider threat today, causing around 25 percent of data loss.

Your end users don’t care about data security procedures
Why are end users so mistake-prone? Because, frankly, most don’t care. They think data security is IT’s problem—that if IT does its “job” and filters out the threats, they have nothing to worry about. Moreover, when they do something stupid, they think it’s IT’s job to come to the rescue. They don’t understand the risks they create for the company or the fact that once rung they can’t unring the bell. So, they go on ignoring security policies and finding creative workarounds for security measures that inconvenience them—such as utilizing “shadow IT.”

This is changing, and we’d like to help.

Code42 + National Cyber Security Alliance = Data Privacy Month 2016
Code42 is partnering with the National Cyber Security Alliance to champion Data Privacy Day and the entire Data Privacy Month of February. We’re helping enterprise security professionals address the problem of end-user education and motivation.

Making data security an end-user responsibility
Ready to celebrate this joyous holiday? Then it’s time to “talk turkey” with your end users. Here are some key considerations and topics to get you started:

1. Security education should be an in-your-face affair
Talk to employees, face-to-face. They ignore your emails and videos.

Your employee education has to a) deliver a crisp, meaningful message; b) demonstrate that security is a core responsibility bestowed by executives; c) close the loop between what you say and what employees understand; and d) hold employees accountable. Part of holding employees accountable is providing the easy-to-use tools and capabilities employees need to work.

2. Focus on keeping a clean machine
You might not be able to win the fight against “shadow IT,” but make sure your employees understand exactly how an unknown or unapproved app can quickly lead to a massive data breach that extends far beyond their device. It’s also important that they see how apps for personal use (social media, gaming, etc.) are not designed to offer the same level of data security as enterprise-grade productivity apps—and why installing these apps on work devices creates open doors to the entire enterprise ecosystem.

3. No more lazy passwords
This one can be fun. See if you can guess your end users’ passwords. It’s amazing how many people use something like “password” or “123456.” Call them out on using the same password for every login (as 73% of enterprise employees do). Call them out on never changing their passwords (47% of people use passwords that are 5+ years old). Take the group on a cubicle tour and see how many Post-It Note passwords you can find. If you haven’t already, implement technical controls to support your policies.

4. Have doubts? Throw it out
This one’s simple: Don’t be gullible. Don’t be stupid. Remind them not to open emails, click links or open attachments from unknown or suspicious sources. It’s uncanny how many people say, in retrospect, that “something seemed odd” about that email in broken English—but they figured the spam filter didn’t catch it, so they clicked the link. To that end, make sure they understand that spam filters are just the first line of defense—that they’re not perfect. Show them how to use your company’s spam filters: how to make sure filters are on, how to refine the filtering by flagging spam, and how to report a suspicious email, attachment, etc.

5. Endpoint backup is your best friend
Make sure your employees know that endpoint backup is the closest thing to a “Get Out of Jail Free” card in the data security world. The best way to get employees to embrace endpoint backup is to promote its benefits. Demonstrate how the “utility” makes it easy to work anywhere and recover any file in real time with or without the original device. This capability (with no IT intervention) will make IT the hero when employees lose data or suffer a malware attack at a critical moment.

6. Make the call for accountability
Make it clear that data security is everyone’s responsibility and that it’s not a cliché.

End users are actually the ones on the front lines of the battle—IT and InfoSec teams are more like the generals pushing big-picture strategies. End users are often the primary points of attack and need to embrace the defense strategies provided to them. They need to understand that all the fancy security tools in the world are worthless if they don’t follow the rules. They need to understand the true impact of even a tiny mistake—that IT can’t always “fix” it, and that a small error could easily lead to immense costs, lost productivity, brand damage and more. This can’t be understated. Most importantly, no employee—even trusted administrators and executives—should expect absolution for their ignorant or careless actions. At Code42, several data privacy “no-no’s”—not having full disk encryption on laptops, disabling Code42 CrashPlan for any reason, etc.—are fire-able offenses. Considering the damaging impact of data loss, we don’t think this is harsh—we think it’s critical to creating a culture of accountability.

Be privacy aware. Take the pledge and enter to win an iCloak.

You’ve Been the Victim of a Cybercrime. Who You Gonna Call?

By Leo Taddeo,  ‎Chief Security Officer, Cryptzone

Part 1 of a 2-part series

Youve-Been-the-Victim-of-a-Cybercrime-250x167Right now, one of the greatest challenges in the fight against cybercrime is the difficulty we have in creating a meaningful deterrent for hackers.

Basically, the number of cybercriminals out there is demonstrably very large, and all the available data shows the number grows larger all the time. And yet the number those cybercriminals who are caught and punished is very small, and changes little from year to year. In terms of risk versus reward, it’s a very attractive game for hackers to be in.

In this blog post – the first of two – I’d like to talk about how one of the reasons for this difficulty in creating a deterrent is that US organizations often fail to engage law enforcement when their networks come under attack.

Let’s say you’ve been the victim of a cybercrime. Who you gonna call?

The Trouble with Cybercrime Reporting
The first challenge many US organizations encounter when they attempt to report cybercrime is that there’s no one correct way to do this. Even if you restrict your definition of the term to only cover network intrusions and not other illegal online activity like identity theft, there are still several different places a person can go to alert the authorities to an incident.

According to the official guidance of the Department of Justice, organizations have no fewer than three options when it comes to reporting cybercrime. They can call their local FBI office; they can call the Secret Service; or they can log a complaint with the Internet Crime Complaint Center (IC3).

On top of that, the Department of Homeland Security has its own online portal for reporting cybercrime of any type, including network intrusions. State and local authorities add more options, as some victims resort to calling their local police departments or prosecutors offices.

Then there’s the question of which agency actually has jurisdiction over what. According to Title 18 Section 1030 of the US Criminal Code, both the FBI and Secret Service have the authority to investigate criminally-motivated cyberattacks. Should an incident be a matter of national security, the FBI is designated the lead agency.

In a nutshell, cybercrime reporting can be confusing. This is exacerbated by the fact that it’s rarely possible to know whether a cyberattack is a criminal or national security issue at the outset of an investigation – you might need to study a large amount of forensic information before this becomes apparent. Who wants to deal with this level of confusion right after discovering a data breach?

Why Engage Law Enforcement, Anyway?
Consequently, a lot of cybercrime goes unreported. This is an issue I touched upon in a recent blog about the lack of reliable cybercrime statistics, and it’s troubling for a number of reasons. It means that authorities don’t consistently have access to up-to-date threat intelligence; the victim has no access to the intelligence that law enforcement does have; and, at the end of the day, nobody is arrested and prosecuted.

Obviously, no organization should rely on the government to protect it against network intrusions and any damage that occurs as a result by chasing down and locking up hackers. But if the authorities had a more complete picture of the threat landscape, it’d be an enormous net positive for the security community – we’d be better equipped as a country to fight cybercrime and therefore create the deterrent we so badly need.

My advice? If you’re the victim of a cybercrime, report it to the FBI, which has jurisdiction over both criminal and national security cases.

Really, though, you should be doing everything you possibly can to ensure it never comes to that. Invest now, and strengthen your network defenses, because we’re a long way from having a sufficiently powerful deterrent to prevent the threat from growing day by day.

In part two of this blog, I’ll talk about the difficulty we have in bringing wanted cybercriminals to justice.