Saturday Security Spotlight: Malware, AWS, and US Defense

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—AndroRAT malware spies on Android users
—Smart TVs easily hackable
—BuckHacker tool finds unsecured data in AWS buckets
—Octoly breach exposes social media stars’ personal data
—Russian hackers target US defense contractors

AndroRAT malware spies on Android users
A new type of malware targeting Android devices gives hackers extensive control over users’ phones. The threat allows malicious parties to use devices’ microphones (to record audio), cameras (to take pictures) and files (to steal information). This is obviously a large privacy concern for Android users around the world.

Smart TVs easily hackable
As new types of devices connect to the internet, nefarious individuals have more targets to attack. In particular, Samsung and Roku televisions were recently deemed to have multiple vulnerabilities. Hackers can target certain security gaps to control volume, channel, and more. This raises additional privacy concerns around consumers being monitored within their homes.

BuckHacker tool finds unsecured data in AWS buckets
Whitehat hackers recently created a tool that uncovers publicly available information resting within AWS buckets. While the tool is designed to help organizations uncover their misconfigurations within AWS, it also highlights the growing ease with which malicious hackers can steal unsecured data in the cloud.

Octoly breach exposes social media stars’ personal data
Brand marketing company Octoly was recently the victim of a breach, leaking the personal information of over 12,000 social media celebrities through, once again, an unsecured AWS S3 bucket. Data was exposed in the cloud for about a month before the vulnerability was noticed.
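The BuckHacker item and the Octoly breach above both come down to the same misconfiguration: an S3 bucket whose ACL, bucket policy or Block Public Access settings let anyone read it. The following audit is an added example (not Bitglass's code and not the BuckHacker tool); it runs the three checks over the JSON shapes the S3 API returns for GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, using constructed sample documents in place of a live call.

```python
import json

# ACL grantee groups that mean "everyone" / "any AWS account": a grant to either is public.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs in a GetBucketAcl result granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings

def _principal_is_public(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["arn:...", "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Return Sids of unconditional Allow statements whose principal is a wildcard."""
    if isinstance(policy, str):  # GetBucketPolicy returns the document as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]

def public_access_block_complete(pab):
    """True only when all four S3 Block Public Access settings are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return all(cfg.get(k) is True for k in PAB_KEYS)

def audit_bucket(name, acl, policy, pab):
    """Run the three checks and return human-readable findings (empty list = clean)."""
    findings = []
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in public_policy_statements(policy):
        findings.append(f"{name}: policy statement {sid} allows Principal '*'")
    if not public_access_block_complete(pab):
        findings.append(f"{name}: S3 Block Public Access is not fully enabled")
    return findings

# Constructed sample documents modelling an exposed bucket (not real data).
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print(line)
```

In a real audit the three inputs come from the corresponding boto3 S3 client calls for every bucket in the account; a bucket with all four Block Public Access settings on cannot be exposed by either of the other two paths.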

Russian hackers target US defense contractors
Hackers belonging to the Russian Fancy Bears group have been targeting US defense contractors. In an attempt to steal information about secret military technology and projects, they have been using targeted phishing emails. This can obviously have extensive ramifications for the country’s national security.

In order to address leaks, hacks, and malware, organizations must utilize next-gen security solutions. To learn about cloud access security brokers, download the Definitive Guide to CASBs.

Unmanaged Device Controls, External Sharing, and Other Real CASB Use Cases

By Salim Hafid, Product Marketing Manager, Bitglass

Many in the security industry have heard about CASBs (cloud access security brokers) as the go-to solutions for data and threat protection in the cloud. But where exactly do CASBs slot in? If you already have a NGFW (next-gen firewall) or perhaps a secure-web-gateway-type solution, why invest in deploying a CASB?

Below, we will home in on three of the most common real-world use cases for a cloud access security broker.

External Sharing
Most cloud applications have some form of built-in external sharing control. Perhaps an administrator is able to revoke access to certain documents, set granular permissions across the organization, or block sharing on the whole.

For organizations with multiple cloud apps, setting these controls within each app can be cumbersome. What’s more, not all apps share the same security capabilities. While Office 365 may feature granular sharing controls, an enterprise messaging app like Slack, which also enables external sharing, does not. A lack of feature parity across applications contributes to a core CASB use case – the ability to set external sharing controls for any app. This is done by leveraging APIs provided by each app vendor.

Cloud Malware Protection
Perhaps all managed endpoints in your organization feature some sort of malware scanning – a traditional and reliable approach to blocking known malware once it hits the device. The cloud malware challenge, however, is a whole different ballgame.

Cloud malware comes in many forms and is a major threat because of the rate at which it spreads. Say a spreadsheet with embedded malware is uploaded to a cloud application. That malware is likely to remain at rest in the cloud and can easily be transmitted to a connected cloud application or downloaded to a user’s device. Without cloud malware protection, IT has no way of identifying these threats. Cloud apps, intended for productivity and improved security, instead become a means of malware distribution. Only a CASB, with threat prevention capabilities that stretch across applications, can detect malware in real time as it’s uploaded. By combining a best-in-class AI-based malware engine with multi-protocol proxies, Bitglass helps organizations in every sector limit the risks of cloud malware.

Unmanaged Device Access Control
The most critical of CASB use cases is the ability for an organization to control access from unmanaged devices. Demand for bring your own device (BYOD) programs has reached unprecedented new heights, pushing IT departments to rethink their security stances with respect to unmanaged device access.

Given that employees are likely to work around IT if they are unable to work from their personal devices (particularly in the age of cloud, where off-network access is highly common), steps must be taken to extend secure access to unmanaged endpoints. With a CASB, enterprises can focus on protecting data as opposed to protecting devices or infrastructure. IT-defined policies can prevent downloads of sensitive data and apply protections with built-in data loss prevention (DLP). Identify, remediate, and secure sensitive corporate data in any app, on any device, anywhere.

To learn more, download the Top CASB Use Cases.

A Home for CASB

By Kyle Watson, Partner, Information Security, Cedrus

Over the past 18 months, I’ve been working on CASB in some form or another including:

—Educational architectural and technical videos
—Request for Proposal (RFP) assistance
—Pre-sales presentations and demos
—Proof of Concepts (POCs)
—Operations build-out and transition

I’ve discovered some interesting things working with vendors, clients, and our own security technical staff here at Cedrus. One of them is about the ownership model. There is not a 1:1 map when you compare CASB solution features to the structures of organizations that are deploying them. There seems to be a lack of organizational placement, a permanent home when it comes to CASB. This extends both to technology and business process ownership.

Most CASB solutions are a natural evolution of network-layer technology, and so are many of the key players at CASB vendors. These folks are experts in networks, firewalls, proxies, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM), etc.

However, many of the features being offered by CASB extend into areas that don’t typically overlap with the responsibilities of the teams that run these areas of the Security Operations Center (SOC). These include things like Identity and Access Management (IAM), Data Loss Prevention (DLP), encryption, Application Programming Interface (API) integration, and malware prevention. When working on technical integrations with CASB, there is a need to bridge at least four groups that are often separate in enterprises:

  1. Networks/Firewalls/Proxies
  2. Active Directory Admins
  3. Identity and Access Management (IAM) Team(s)
  4. Information/Data Protection
  5. And Public Key Infrastructure (PKI) / Encryption if they’re separate from one of the other teams

That’s only the technical part. From an operational perspective, most of the work CASBs are doing is directly related to people, applications, and data. For instance:

  • Encrypt Protected Health Information (PHI) when it gets stored in Google
  • Scan all documents in the corporate OneDrive to find and move Personally Identifiable Information (PII)
  • Prevent people from uploading confidential documents as attachments on LinkedIn

This brings up the question: What is the best group for management of CASB?

All of this means that we need people constructing and approving policy who understand what’s important to the business, what regulatory mandates instruct the organization to do, and what distinguishes a “good” cloud app vendor from a “risky” one. A strong grasp of the change control process is required, and the process must be followed. As with SIEM, this team has to tune out false positives within the CASB tool in order to get useful alerting that can drive concrete action. We also need these folks to understand and/or work with IAM federated Single Sign-On (SSO) configurations and redirects, PKI certificates, and DLP policies. Finally, this group has to engage the business constructively, to help it transition from risky to sanctioned apps, and to educate personnel on risky actions.

With CASB being so new, many organizations have only a small portion of the functionality deployed, such as the application discovery features that help resolve ever-expanding Shadow IT. Discovery functionality can easily be managed by an existing team as a secondary responsibility: this person or team produces reports that are reviewed, and action is taken out of band.

A home for CASB
As CASB solutions get integrated with full enterprise security systems and processes this won’t be enough. At minimum, a Center of Excellence (COE) will have to be established for CASB. Long term, I believe a business service is needed to effectively leverage the solution for maximum risk reduction with minimum business disruption. I would love to hear other views on this as well, so please comment and share your insight!

Malware P.I. – Odds Are You’re Infected

By Jacob Serpa, Product Marketing Manager, Bitglass

In Bitglass’ latest report, Malware P.I., the Next-Gen CASB company uncovered startling information about the rate of malware infection amongst organizations. Additionally, experiments with a new piece of zero-day malware yielded shocking results. Here is a glimpse at some of the outcomes.

Nearly half of organizations have malware in one of their cloud apps
While the cloud endows organizations with great flexibility, efficiency, and collaboration, cloud apps and personal devices accessing corporate data can inadvertently house and spread malware. However, this does not mean that operating in the cloud is inherently more dangerous than the traditional way of doing things. In the cloud, threats merely adopt new forms and require novel methods of defense. For organizations that fail to adopt cloud-first security solutions like cloud access security brokers (CASBs) that are complete with advanced threat protection (ATP), the consequences can be severe. A single piece of malware is enough to inflict massive damage on any enterprise.

Zero-day malware “ShurL0ckr” detected by Cylance and not Microsoft or Google
In addition to uncovering the above information, Bitglass’ Threat Research Team also discovered a new variety of ransomware. Dubbed “ShurL0ckr,” the threat encrypts users’ data and demands a ransom in exchange for decryption. Armed with this zero-day malware, tests were performed with a variety of antivirus engines. Cylance, a Bitglass technology partner that uses machine learning to detect unknown threats, was able to detect the ransomware. However, few other engines proved capable of doing so.

Somewhat alarmingly, native ATP tools within Microsoft SharePoint and Google Drive were unable to detect ShurL0ckr. This highlights the growing dangers of relying solely upon cloud applications’ native security features. When adopting cloud apps, it is imperative that organizations also adopt advanced, specialized security solutions. In this way, they can ensure that their data is completely secured.

To learn more about malware’s assault on the enterprise, download Malware P.I.

Agentless Mobile Security: No More Tradeoffs

By Kevin Lee, Systems QA Engineer, Bitglass

Have you ever seen a “Pick two out of three” diagram? They present three concepts and force individuals to select the one that they see as the least important. The tradeoffs between convenience, privacy, and security serve as a perfect example of a “Pick two” situation for many mobile security solutions.

Industries have seen massive growth in the number of personal devices that touch sensitive information, resulting in a need to secure data as it is accessed by these endpoints. Various solutions have been adopted by many companies, but all tend to fall into the classic “Pick two” scenario. When evaluating these inadequate solutions, companies normally select security as one of their two priorities, leaving them to choose from only the two scenarios below.

Security and Convenience
Mobile device management (MDM) is a fairly popular solution for securing data on personal mobile devices. Using MDM is often seen as a good strategy because, in theory, it permits employees to use their personal devices and allows employers to monitor and control data as they see fit. However, the major downside to MDM is the need for agents to be installed on personal devices. These agents give employers visibility into employees’ personal traffic. Obviously, this raises questions about employee privacy.

Security and Personal Privacy
For individuals who wish to keep their personal information private, using one or more work-only devices is an option. Whether these devices are mobile phones with MDM or managed computers on-premises, the strategy allows employers to monitor corporate data without touching employees’ personal data. The large disadvantage with this approach is the lack of convenience for employees. They are required either to carry multiple devices at all times or to access work-related information from a few select locations.

The Solution
As seen above, there always seems to be a tradeoff when choosing a mobile security strategy. However, does it have to be that way? What if there were a security tool that could ensure data security, provide convenience for employees, and respect the right to privacy all at the same time? It only seems far-fetched when one assumes that agents are necessary to secure data.

To learn about cloud access security brokers and agentless mobile security, download the solution brief.

Saturday Security Spotlight: Military, Apps, and Threats

By Jacob Serpa, Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Fitness app exposes military bases
—Soldiers’ names revealed by app
—Google Play filled with fake apps
—Medical devices easily hacked
—The internet of things creates risk for the enterprise

Fitness app exposes military bases
Strava, the creators of a fitness tracking app, released heatmaps of its users’ movements. Unfortunately, this revealed the inner workings of military bases abroad by highlighting the movements of soldiers who use said app within their bases. Naturally, making this information publicly available raises questions of privacy and national security.

Soldiers’ names revealed by app
After learning of the above heatmaps and how they expose military bases and personnel, a Norwegian researcher decided to test other aspects of Strava’s security. In so doing, he succeeded in tricking the app to reveal the names and identities of military personnel who use Strava.

Google Play filled with fake apps
Despite efforts to clean up Google Play, Google’s app marketplace still contains many fake applications. While some are fairly innocuous, others can spread malware or steal information from users’ mobile devices. In light of BYOD (bring your own device), this should be a concern for the enterprise.

Medical devices easily hacked
Researchers in cybersecurity have determined that medical devices like MRI machines face a high risk of cyberattack. As healthcare technology evolves and connects to the internet more and more, the risk will only increase. Researchers warn that these devices must be designed in ways that ensure more security.

The internet of things creates risk for the enterprise
As enterprises adopt IoT devices for the efficiency that they provide, they are also increasing the number of attack surfaces that can be exploited by malicious parties. These devices serve as entry points for malware and can enable access to corporate networks.

The cybersecurity landscape is constantly shifting. Organizations must stay ahead of threats with advanced security solutions. To learn about cloud access security brokers, download the Definitive Guide to CASBs.

Why Next-Gen Firewalls Can’t Replace CASBs

By Joe Green, Vice President, WW Solutions Engineering, Bitglass

A security solution is only as good as the data it protects. Some solutions focus on data protection on the corporate network, others focus entirely on cloud data, and a select few enable security at access from any network.

Next-gen firewalls (NGFWs) are the traditional solution for many organizations looking to secure their corporate networks. They are effective at what they do, securing corporate network traffic by routing everything through on-premises appliances. As corporate data begins moving outside the corporate network, as it does with cloud and mobile, the NGFW can no longer provide protection. Major gaps include access from managed devices that don’t use VPN while outside the corporate network, access from unmanaged devices like employees’ personal mobile devices, and cloud data-at-rest.

Why are cloud and mobile such a big gap? With the flexibility and mobility provided by cloud apps, employees often work outside premises-based security infrastructure. Additionally, unmanaged devices with unmitigated access to corporate apps (whether in the cloud or on premises), can be lost, stolen, or abused by malicious insiders. IT needs to secure data in these situations, yet a perimeter-focused security tool like an NGFW has no way to secure this traffic.

Providing security beyond the firewall typically requires a data-centric approach rather than a control-oriented approach. After all, with cloud and BYOD, the organization neither controls the applications nor the underlying infrastructure on which those applications reside. As a result, organizations must move from network- and application-based allow/block controls to robust, data-centric tools like data loss prevention (DLP) and encryption. Other key requirements of a data-centric approach are remediation (such as DRM, redaction, and more), identity integration and strong authentication, and data-at-rest scanning. All of these capabilities must be delivered via an architecture that can intermediate users’ connections to an app, like Office 365, even when they use a personal device or public network – no small task, and definitely not one an NGFW can handle!

Recognizing these gaps, and the future impact on the firewall market, some NGFW vendors have acquired or built basic API-based cloud access security broker (CASB) offerings. Unfortunately, these offerings don’t provide real-time data & threat protection, and have proven unable to keep up with the rapidly evolving CASB use cases in the enterprise. As a result, the last couple of years have seen CASBs rise from an unknown acronym to the de facto standard for data & threat protection in the cloud and mobile enterprise, complete with their own Magic Quadrant from Gartner.

Apps have evolved and moved to the cloud – shouldn’t you?

Only a CASB built from the ground up to protect data in a cloud- and mobile-first environment can secure cloud apps and BYOD. Instead of opting for a tool that simply augments existing firewall capabilities, adopt a solution that provides visibility and control over all corporate data wherever it goes.

Download the Top CASB Use Cases.

EMV Chip Cards Are Working – That’s Good and Bad

By Rich Campagna, CEO, Bitglass

For many years, credit card companies and retailers ruled the news headlines as victims of breaches. Why? Hackers’ profit motives lead them to credit card numbers as the quickest path to monetization. Appropriate data in hand and a working counterfeit card could be cranked out in seconds and used to purchase a laptop or TV at the local Walmart — easy to fence in the local black market.

Sick of being the target, the payment card industry got smart about fraud detection, created a set of regulatory compliance requirements (PCI-DSS) and perhaps even more importantly, rolled out EMV “chip-and-pin” technologies, which are meant to reduce counterfeit card fraud by presenting a unique cryptographic code for each transaction — much more difficult to duplicate than the static information embedded in the magnetic stripe of older cards. The results have been astounding — according to Visa, “for merchants who have completed the chip upgrade, counterfeit fraud dollars have dropped 66%!” That’s great news, but bad news at the same time.
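To illustrate the claim that a per-transaction cryptographic code is much harder to duplicate than static stripe data, here is an added, deliberately simplified model (not Bitglass's code and not the EMV specification, which derives DES session keys and uses a different MAC construction). The card MACs a transaction counter, the amount and a terminal nonce with a key that never leaves the chip, and the issuer checks freshness before the MAC; the PAN and nonces are constructed.

```python
import hashlib
import hmac
import os

class Card:
    """Chip card model: holds a secret that never leaves the chip, plus a
    monotonic Application Transaction Counter (ATC)."""
    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def static_track_data(self):
        """All that copying stripe-style data yields: no secret, no freshness."""
        return {"pan": self.pan}

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        """Produce a fresh per-transaction code bound to counter, amount and terminal nonce."""
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{unpredictable_number}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "cryptogram": mac}

class Issuer:
    """Issuer host: knows each card's key and the highest ATC accepted per PAN."""
    def __init__(self, keys):
        self._keys = dict(keys)
        self._last_atc = {pan: 0 for pan in keys}

    def authorize(self, req, terminal_un):
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        if req["un"] != terminal_un:
            return "DECLINE: nonce mismatch"    # code was not made for this terminal's challenge
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINE: stale counter"     # replayed, or a copy lagging behind the real card
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|{req['un']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: bad cryptogram"    # copied data without the key cannot forge it
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

def demo():
    """One genuine transaction, then three attempts to reuse its data, all rejected."""
    key = os.urandom(16)
    card = Card("4111111111111111", key)        # well-known test PAN, constructed
    issuer = Issuer({card.pan: key})
    results = []
    un1 = os.urandom(4).hex()                   # terminal's unpredictable number
    req = card.generate_cryptogram(1999, un1)
    results.append(issuer.authorize(req, un1))  # genuine: APPROVE
    results.append(issuer.authorize(req, os.urandom(4).hex()))  # same code at another terminal
    results.append(issuer.authorize(req, un1))  # same challenge again: counter did not advance
    un2 = os.urandom(4).hex()
    fake = dict(card.static_track_data(), atc=req["atc"] + 1, amount=1999, un=un2, cryptogram="0" * 16)
    results.append(issuer.authorize(fake, un2))  # copied static data, no key: bad cryptogram
    return results

if __name__ == "__main__":
    print(demo())
```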

The bad news is that hackers, still driven by the profit motive, will continue to seek out the fastest and most lucrative path to monetization. Since credit card information has essentially become valueless, data that can be used to apply for new cards (or other monetary instruments or services) is now the target. This is why we saw a massive increase in healthcare-related breaches over the past few years. As healthcare gets its act together, hackers will move on to the next most viable target, whatever industry that may be.

Not only does this impact information security professionals in enterprises, but it also impacts consumers in a big way. For consumers, credit cards have always had limited liability, meaning that outside of a few calls to the credit card company, fraudulent card use didn’t make much impact. Unfortunately, you can’t “cancel” your social security number, date of birth, and mother’s maiden name — those are permanent. And once someone gets their hands on that data, they own it permanently as well.

So, kudos to credit card issuers and retailers for making tremendous progress. Hopefully peers in other industries will continue to follow suit.

BTW, it’s entirely likely that your organization’s shift to cloud and mobile includes some of the aforementioned data to be protected. Might be time to check out a cloud access security broker (CASB).