November 23, 2015 | Leave a Comment
By TK Keanini, Chief Technology Officer, Lancope
In last week’s post, I covered the methodologies Mark Watney used to stay alive on the surface of Mars and how those lessons can be adapted for better cyber security back on Earth. As usual, this post will contain spoilers for The Martian, so close it now if you haven’t yet read the book or seen the movie.
This week I’ll discuss the mentalities and interpersonal skills that allowed the Ares 3 crew to successfully rescue Watney after he was stranded for more than a year on a foreign planet. Whether it is the launch of a manned space probe or defending against advanced cyber threats, these lessons can be used to pull the best possible outcome out of impossible odds.
The Power of a Cross-functional Team
In space travel, every supply and gram of weight is invaluable, much like the limited resources available to most security teams. To help cope with these limitations, every member of the Ares 3 crew served multiple functions. Watney, for instance, was both a botanist and mechanical engineer. This knowledge allowed Watney to recognize that food would be his scarcest resource, find the chemical components necessary to create arable land inside his living quarters and modify the various life support systems to make the environment suitable to plant life.
When a cyber-attack hits, you may be the only one available to address it. To be able to adequately assess and respond to the event, you need to have a working knowledge of the various tools and processes at your disposal. In addition, understanding how different systems work and how different user roles interact with the network allows you to see the security weak points and understand how an attacker may operate in your environment.
Always remember to laugh
Tense situations can have a mental toll on responders, and it is important to keep a sound state of mind to make good decisions. Watney was a serial jokester, frequently laughing at the ridiculousness of his own situation and making wisecracks about what his fellow astronauts left behind on Mars. He particularly hated disco.
Though responders are in the middle of extreme circumstances, it is important not to take yourself too seriously. Laughter helps you keep a level head and can help relieve stress, both in you and your coworkers. Then you are in a better position to make sound decisions and not to give up.
Leadership is not an option, it is a necessity
Watney never faulted his fellow astronauts for leaving him on Mars. They thought he was dead, and leaving immediately was imperative to getting the others out alive. More importantly, Commander Lewis is regretful when she finds out Watney was left alive on Mars, but instead of getting too down to do anything, she focuses on what the next course of action is.
Tough situations need leaders who will make hard calls and live with it. CISOs and other security leaders are responsible for choosing which tools to implement and what practices to employ. When a cyber-attack occurs, they need to be ready to use those tools instead of wishing they had something else.
Communication makes your job easier
One of Watney’s largest challenges throughout The Martian is his inability to communicate with mission command or his own crew. Watney goes on a cross-country trip to find the Pathfinder probe just so he can use it to establish communication. It works but only until he accidentally fries the machinery a few pages later. Fortunately, we do not have this problem, but many cyber security professionals still fail to communicate effectively in the event of an attack.
It makes sense. After all, we are usually busy investigating the attack and trying to prevent data loss. But don’t forget that good communication in an attack helps prevent duplication of efforts and generally helps the entire security team respond effectively.
In a more general sense, the security team needs to be visible to the rest of the organization. Keeping all employees abreast of ongoing security issues reminds them to be vigilant against phishing and other forms of social engineering. Remember, they may know their area of the network better than you, and might be able to identify something abnormal there before you do. Of course, there are some exceptions to this mode of communication. For instance, if an insider threat is suspected, it is likely better to keep that information to a small number of individuals until actions are taken, but for the most part, regular communication with the larger organization is a good thing.
Roles are important
While versatility is a modern virtue, it is important to understand what your role is in a given scenario, even if it changes often. The crew members of Ares 3 had specializations that enabled them to perform specific duties, but they were also general enough that they could fulfill whatever role was needed in a time of emergency. While Watney was forced to rely on his own ingenuity to survive on Mars, his rescue was left almost entirely in the hands of his fellow crewmates. Each had to perform a duty in the rescue, and several had to suddenly change that role when the rescue attempt started to go south. The important thing is they were able to shift responsibilities quickly but with a clear understanding of who was best suited to perform each role, and it was all organized with a clear order of command.
In the world of cyber security, where organizations often deploy varied tools for detection, mitigation and policy enforcement, it is essential to utilize people to their greatest strengths. Investigators, operations and management all have a role to play, and while they should be flexible according to needs, they work best with what they know.
Personal connections matter
Massive amount of money, resources, time and energy went into rescuing Watney from Mars. His struggle became a weekly news segment on Earth and no expense was spared to retrieve him alive because people feared for him, hoped for him and wanted to keep him safe. Never forget that there are real victims to data breaches. Customers, clients and employees can be deeply hurt for the simple act of doing business with your organization, so keep that in mind when you are rushing through those last few reports on Friday afternoon.
The bonds between the Ares 3 crew were unshakable, as is expected when six people spend months together traveling across the solar system to a new planet. This type of relationship should be encouraged among security practitioners because it facilitates smoother operations in the event of an emergency and reduces blaming. When a team cares about each other and their mission, attacks can be stopped and catastrophes can be salvaged.
The Martian contains many lessons that can be adapted to cyber security, but in the end it is still a work of fiction. Reality is more complex and difficult to grapple with, but we need these basic driving forces to properly prepare for disaster and to operate well under pressure. Mark Watney may not be our CISO, but we can take what he learned on Mars and use it to beat an advantaged enemy and difficult odds.
November 20, 2015 | Leave a Comment
By Willy Leichter, Global Director of Cloud Security, CipherCloud
Last week’s tragic events in Paris, and fears over similar terrorist attacks around the world, have revived a long-standing debate. Early evidence suggests that the terrorists used a readily available encryption app to hide their plans and thwart detection by law enforcement. This has led to finger-pointing by intelligence officials and politicians demanding that something be done to control this dangerous technology. Keep in mind that the terrorists also used multiple other dangerous technologies including consumer electronics, explosives, lots of guns, cars, trains and probably airplanes – but these are better understood and attract less grandstanding about controlling them.
Setting aside the obvious privacy concerns, the argument for weakening encryption ignores a basic question – can this technology really be controlled? More specifically, those arguing for diluted encryption are demanding “back doors” that would allow easier access by law enforcement. For many reasons, this idea simply won’t work and will have no impact on bad guys. It also could have serious unintended negative consequences. Here are a few reasons why:
- Encryption = Keeping Secrets
Encryption is more of an idea than a technology and trying to ban ideas generally backfires. For thousands of years, good and bad actors have used encryption to protect secrets, while communicating across great distances.
In the wake of traumatic public events, it’s easy to start thinking that only bad guys need to keep secrets, but that’s clearly not true. Governments must keep important secrets. Businesses are legally required to protect secrets (such as their customers’ personal information) and individuals have reasonable expectations (and constitutional guarantees in many countries) that they can keep their personal data private. Encryption, if properly applied can be a highly effective way to protect legitimate and important secrets.
- Who Keeps the Keys to the Back Door?
Allowing government agencies unfettered access to encrypted data is not only Orwellian – it’s also simplistic and unrealistic. Assuming back doors are created, who exactly should have access? Beyond the NSA, FBI, and CIA, should we share access with British Intelligence? How about the French? The Germans? The Israelis? Saudi Arabia? How about the Russians or the Chinese? Maybe Ban Ki-Moon can keep all the keys in his desk drawer at the UN…
As we all know, the Internet doesn’t respect national boundaries and assuming that all countries will cooperate and share equal access to encryption back doors is naïve. But if governments only require companies within their respective jurisdictions to provide back doors, the bad guys will simply use similar, readily available technology from other places.
- Keys to the Back Doors Can Easily Get into the Wrong Hands
If there are back doors to encryption, hackers will almost certainly steal and exploit them. As the Snowden revelations demonstrated, large government bureaucracies are not particularly good at protecting secrets or ensuring that the wrong people don’t get access. The OPM hack, which uncovered millions of government employees’ data (purportedly by Chinese hackers), highlights the risks when large numbers of humans are involved.
In a very real way, the existence of encryption back doors would represent a serious threat to data security across the government, business and private sector.
- To Control Encryption You Need to Control Math
Ironically, while some government agencies seek to crack encryption, other agencies such as NIST are chartered with testing and validating the security efficacy of encryption algorithms and implementations. The FIPS 140-2 validation process is globally recognized and provides assurance that encryption does not have flaws.
Today’s best encryption is based on publicly vetted and widely available algorithms such as AES-256. Most smart, college-level math majors could easily implement effective encryption based on a multitude of publicly available schemes.
So far I haven’t heard policy pundits recommend that potential terrorists be barred from high-level math education. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible.
- The Tools Do Not Cause the Actions
It does appear that the Paris terrorists used commercial encryption to hide some of their communications and it must be acknowledged that this may have hindered law enforcement. They also probably also used off-the-shelf electronics to detonate their explosives, drove modern rental cars to haul people and weapons and perhaps were radicalized in the first place through social media. Today’s technology accelerates everything in ways that are often frightening, but going backwards is never an option. And the tools, no matter how advanced, do not create the murderous intent behind terrorism.
Readily available technology likely made their jobs easier, but in the absence of easy to find encryption tools, the terrorists could have found many other effective ways to hide their plans.
- Neutering Encryption Will Hurt Legitimate Businesses
So let’s imagine that in the heat of terrorist fears, the US, UK and a few other governments demand that companies within their jurisdictions create and turn over encryption back doors. Confidence in security technologies from those countries would plummet, while creative entrepreneurs in many other countries would quickly deliver more effective security products.
The growth of the Internet as a trusted platform for business has been closely tied to encryption. The development of SSL encryption by Netscape in the 90s enabled e-commerce and online banking to flourish. And today, encryption is playing a critical role in creating the trust required for today’s rapid growth of the cloud applications.
There are many recent examples of governments trying to legally close barn doors after the horses have long since disappeared. Ironically, the US government already bars the export of advanced encryption technology to rogue states and terrorist groups including ISIS. Clearly this ban had zero effect on the terrorists’ ability to easily access encryption technology.
We live in scary times and should never underestimate the challenges we all face in deterring terror. But latching onto simplistic solutions that will not work does not make us safer. In fact, if we undermine the effectiveness of our critical security technology and damage an important industry, we will be handing the terrorists a victory.
November 20, 2015 | Leave a Comment
By Rachel Holdgrafer, Content Business Strategist, Code42
CryptoWall has struck again—only this time it’s nastier than before. With a redesigned ransom note and new encryption capabilities, BleepingComputer.com’s description of the “new and improved” CryptoWall 4.0 sounds more like a marketing brochure for a well-loved software product than a ransom demand.
Like the iterations of CryptoWall that came before the 4.0 version, the only way to get your files back is to pay the ransom in exchange for the encryption key or wipe the computer clean and restore the files from an endpoint backup archive. The FBI agrees, stating “If your computer is infected with certain forms of ransomware, and you haven’t backed up that machine, just pay up.”
In addition to encrypting the data on an infected machine and demanding a ransom for the decryption key, CryptoWall 4.0 now encrypts the filenames on an infected machine too, leaving alphanumeric strings where file names once were.
The most significant change in CryptoWall 4.0 is that it now also encrypts the filenames of the encrypted files. Each file will have its name changed to a unique encrypted name like 27p9k967z.x1nep or 9242on6c.6la9. The filenames are probably encrypted to make it more difficult to know what files need to be recovered and to make it more frustrating for the victim.
Not unlike Bill Miner, infamously known as the Gentleman Robber, CryptoWall 4.0 makes a farcical attempt at politeness. CryptoWall 4.0’s ransom note reassures its victims that the infection of their computer is not done to cause harm and even congratulates its victims on becoming part of the CryptoWall community, as if it were some sort of honor.
CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.
Ransomware is a lucrative business. It is estimated that the CryptoWall virus alone cost its victims more than $18 million dollars in losses and ransom fees from April of 2014 to June of 2015. In the spirit that being robbed doesn’t have to be a bad experience, CryptoWall 4.0 makes a bad attempt at customer service, claiming “we are ready to help you always.” Additionally,
CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions. From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.
In closing, the ransom note states,
…that the worst has already happened and now the further life of your files depends directly on your determination and speed of your actions.
Whether hackers use CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker or one of the many variants, the outcome is the same. Users have no choice but to pay the ransom—unless they have endpoint backup in place. Even with the best tech resources, decrypting the algorithm used to lock files without the key would require several lifetimes. Whereas, with automatic, continuous backup, end users will NEVER pay the ransomer because a copy of their data is always preserved.
November 19, 2015 | Leave a Comment
By Sam Bleiberg, Corporate Communications Manager, Skyhigh Networks
In the not-too-distant past, service providers had a tough time convincing enterprise IT departments that cloud platforms were secure enough for corporate data. Fortunately perspectives on cloud have matured, and more and more organizations are migrating their sanctioned file sharing applications to the cloud. Fast forward to 2020, when Gartner predicts 95% of cloud security failures will be the customers’ fault. Skyhigh Network’s latest Cloud Adoption & Risk Report shows the stakes are high for preventing “cloud user error.”
Enterprise-ready services have extensive security capabilities against external attacks, but customers have the ultimate responsibility for ensuring sensitive data is not improperly disclosed. Just as attackers can circumvent perimeter defenses such as powerful firewalls in favor of stolen credentials or alternate vectors of attack, secure cloud services can incent attackers to target the vulnerabilities inherent in day-to-day use of applications. In addition to compromised accounts, in which attackers gain access to a cloud service via stolen user credentials, enterprises need to worry about malicious insiders, compliance violations, and even accidental mismanagement of access controls.
The report, which analyzes actual usage data from over 23 million enterprise employees, uncovered an epidemic of file over-sharing. Whether IT is aware or not, cloud-based file-sharing services serve as repositories of sensitive data for the average organization. According to the report, 15.8 percent of documents in file-sharing services contain sensitive data. The employees responsible for sensitive data are not a small group: 28.1% of all employees have uploaded a file containing sensitive data to the cloud.
Most concerning is the lack of controls on who can access files once uploaded to the cloud. 12.9 percent of files are accessible by any employee within the organization, which poses a significant liability given the size of the organizations analyzed. Employees shared 28.2 percent of files with external business partners. Given the critical role business partners have played in several highly publicized breaches, companies should closely monitor data shared outside the organization, even with trusted partners. Although they make up only 6 percent of collaborations, personal email addresses raise concerns over the recipient’s identity and necessitate granular access policies; companies may not want to grant the ability to download files to personal email domains, for example. Finally, 5.4 percent of files are available to anyone with the sharing link. These documents are just one forwarded email away from ending up in the hands of a competitor or other unwanted recipient.
Breakdown of Sharing Actions
What are the different profiles of sensitive data stored in the cloud? Confidential data, or proprietary information related to a company’s business, is the biggest offender making up 7.6 percent of sensitive data. Personal data is second at 4.3 percent of said files. Third is payment data at 2.3 percent, and last is health data at 1.6 percent. The majority of these files, 58.4 percent, are discovered in Microsoft Office files.
Files Containing Keyword in the File Name
Furthermore, a surprising number of workers violate best practices for securely storing important information in the cloud. Using keywords such as ‘passwords’, ‘budget’, and ‘salary’ when naming files makes it easy for attackers to locate sensitive information, and IT security professionals typically advise against this practice. Convenience all too often trumps security, unfortunately. Past breaches have revealed instances in which credentials for multiple accounts were kept in folders named “Passwords”. The report found that the average company had 21,825 documents stored across file sharing services containing one or more of these red flags in the file name. Out of these files, 7,886 files contained ‘budget’, 6,097 ‘salary’, and 2,217 ‘confidential’.
Lastly, data revealed a few “worst employees of the month. One prolific user was responsible for uploading 284 unencrypted documents containing credit card numbers to a file sharing service. Another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted”. In all seriousness, while it’s easy to point the finger and call these users bad employees, it’s likely they were simply trying to do their jobs using the best tools available to them. The onus lies with IT to make the secure path the easy path.
With more companies migrating sensitive data to the cloud, attackers will increase their efforts to exploit vulnerabilities in enterprise use of cloud services. Tellingly, attacks against cloud services increased 45% over the past year. Locating sensitive data in file-sharing services is step one for companies aimed at preventing the next generation of cloud-based threats.
November 16, 2015 | Leave a Comment
By TK Keanini, Chief Technology Officer, Lancope
First things first, if you have not seen the movie or read the book “The Martian,” stop right now and do not continue because there will be spoilers. You have been warned.
On more than one occasion in my life as a security professional, I have felt like I was stranded on Mars – all alone with only my wits and spirit to survive. As I read The Martian, I kept thinking about what skills and practices would help a security practitioner in their day-to-day life. What would Mark Watney do?
During an ongoing attack, there is no time to deploy new tools and there is no one else who is more familiar with your network environment than you. Instead, you must use the tools and knowledge immediately available to survive, and time is not on your side. Maybe that is why this book resonated so well with me.
This post is the first in a two-part series. Watney’s approaches can be divided between methodologies and psychological skills, both of which are equally important in a stressful situation such as a cyber-attack. In this post, I’ll explore how Watney approached problem-solving and what logic he used to give himself the best chance of survival.
Science is helpful for what can be explained by science
Sciences like physics, chemistry and botany teach us that a small percentage of the future can be predicted if we play within the laws that are deterministic. It is within these formulas that we can predict the future outcome of an action, but what “The Martian” illustrates is even with all that science provides, the majority of the future cannot be determined and we just need to deal with it. Science only explains a very small percentage of what we as humans experience, so if you happen to be on the high horse of science, get off before you fall.
Science only takes you so far; for the rest you are on your own.
Adapt or die
During the entire time on Mars, Watney needed to adapt to an unfriendly and deadly environment. He needed to assume the role of farmer, trucker and construction worker to survive. As a farmer, he used his limited resources to create an environment suitable for growing potatoes to sustain a diet until rescue. As a trucker, he had to get his entire living space mobile for the trek across plans and mountains to a rescue craft. As a construction worker, he needed to modify the craft and reduce weight and other properties so that he could get to orbit with the fuel that was on hand.
All of these roles are crafts, which means they encompass not just processes and skills but resources and tools as well. Watney needed all of it to survive. It is likely that an individual in your organization fulfills multiple roles such as incident responder, business leader, IT operations, etc. as they go about their daily job. Adaptation is a survival skill on any planet.
Utilize lateral thinking
While Watney had advanced machinery and materials designed specifically for Mars, none of it was meant for use beyond 31 days. Watney had to stretch it for a year and a half and use it in ways it wasn’t intended. To do that, he had to get creative. He modified machines, adapted materials and jury-rigged a potato farm in his living quarters.
In cyber-security, organizations cannot afford to buy a new tool for every specific need. In fact, attempting to do so is ineffective and can lower the overall security. Instead, we must adapt our tools. Oftentimes, we can use them for purposes the designer did not envision and make them work with our other tools in creative ways. Again, this is also applicable to processes. What doesn’t work at another organization may work in yours. Maybe your team is versatile and benefits from regular role reassignments. Maybe your tools are also beneficial to network operations, which can help garner more funding for future cooperative investments. Don’t be afraid to try new and crazy things. It just might save you.
Plan for Failure
A plan is good until it makes first contact with the enemy. Unfortunately, systems sometimes fail and processes may prove ineffective. You cannot rely on success. For every plan that Watney thought of, he tested and prepared for failure. Whenever he made modifications to the rover, Watney would drive it around his living area for days to see how it held up to use. When he reestablished communication with Houston using the remains of the Mars Pathfinder probe, he created a plan on how to provide updates via Morse code should communications fail. Of course, Watney couldn’t imagine every failure scenario, but he planned for enough to keep himself alive.
In cyber security, we must plan for failures. Having strong network perimeter defenses are important, but they cannot be relied on as the sole source of security. Monitoring internal network traffic, utilizing proper segmentation and detecting anomalous and malicious behaviors are important measures to ensure attackers can be stopped after other measures fail.
Also, don’t forget to save a nice meal for the day you survive something that should have killed you.
Testing and rehearsals are critical
According to Watney, “in space no one can hear you scream like a little girl.” We can plan for failure, but that doesn’t make it any less terrifying. To avoid that terror Watney tested and tested and rehearsed and tested some more before he did anything. His modified rover had days’ worth of travel time on the odometer before he drove further than walking distance from the Hab. He put his makeshift tent through the ringer, breaking it in the process, before he ever spent a night in it.
Some failures are so complete that there are no possible backup plans, so we must push our tools and responses until they break in order to make them as strong as possible. This is the mentality behind penetration testing. Security teams need to know exactly what to do in the event of an attack. If they don’t know something, the need to be able to find it out – in minutes. Security tools must function properly under pressure, and responses need to be effective.
Start with these questions: Do you have an incident response plan? (You should) Have you tested that plan? (You should) Do you know what to do in the event of an outside attack? What about an inside attack? What are the limits of your tools? Are there any critical blind spots or vulnerabilities in your network? How do you know? Rehearse attack scenarios to find out the answer to these questions. Then rehearse some more, and do it regularly. If you don’t identify your own weaknesses first, someone else will.
Next week, I’ll cover what Watney did to stay sane in the face of isolation and death. I’ll also touch on what interpersonal factors were present in the entire Ares 3 crew, which ultimately allowed them to rescue Watney without losing a single person.
November 12, 2015 | Leave a Comment
By Rachel Holdgrafer, Content Business Strategist, Code42
The Cyber Information Sharing Act (CISA) passed in a 74-21 U.S. Senate vote last week. Critics of CISA say the bill will allow the government to collect sensitive personal data unchecked. Civil liberty, privacy groups, leading technology companies and (via Twitter) Edward Snowden have come out against the bill.
The stated intention of CISA is “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” In short, CISA encourages technology companies to share with the government information about cyber attacks on their networks—as a strategy to fight hacking and cyber crime. Sounds like a noble goal at first blush, but further investigation reveals something decidedly less so.
CISA empowers organizations to monitor and share private citizens’ personal data with government agencies—without the consent of the owner of the data. Given that CISA directly targets technology organizations, the data in question includes that of U.S. citizens.
Your personal data. My personal data. Monitored without a warrant or notification if it is deemed to be a “cyber threat. The challenge is that CISA’s definition of cybersecurity threat is broad; The only noted exclusion is “any action that solely involves a violation of a consumer term of service or licensing agreement.” Even more troubling, CISA incentivizes tech companies to share cyber threat indicators by providing them with legal immunity against antitrust lawsuits.
Legislators supporting CISA have gone on record saying that CISA “is not a surveillance bill” although privacy groups, technology organizations and legislators who oppose the bill disagree.
This is not the first time an information sharing bill has been proposed in an effort to fight cybercrime. CISPA, the Cyber Intelligence Sharing and Protection Act – the precursor to CISA, was passed by the House of Representatives in 2013, but was shelved when President Barack Obama threatened to veto it due to issues with the bill’s privacy protections. President Obama has endorsed CISA and indicates that he will sign the law.
November 6, 2015 | Leave a Comment
By Rachel Holdgrafer, Content Business Strategist, Code42
The results of the 2014 Protiviti IT Security and Privacy Survey reports that:
• 77% of organizations have a password policy or standard.
• 67% of organizations have an information security policy.
• 59% of organizations have a workstation/laptop security policy.
• 59% of organizations have a user (privileged) access policy.
Based on these statistics, the enterprise organization has plenty of IT and information security policies in place, and yet, data breaches are on the rise, doubling from December of 2014 to August of 2015. Given these statistics, it seems unlikely that enterprise security policies are, in fact, keeping enterprise organizations safe.
Human users are touted as the weakest link in an information security system. Historically, IT has taken a top down approach that forced users to work within the confines of a system that didn’t take user productivity into consideration. IT and security professionals focused on creating limits to protect the network from the user, throwing up barriers in the name of network security. This impacted user productivity but was accepted as collateral damage in the fight to keep the enterprise network safe. Users were left to choose between upholding security protocols and personal productivity.
Given the choice between job security and network security, most users will choose productivity and hope for the best when it comes to protecting the network. Christian Anschuetz on the Wall Street Journal blog, CIO Journal, agrees. “Forced to choose between disruptive, apparently irrational, and easily circumvented security directives and getting their job done, employees invariably choose to be productive,” states Anschuetz.
While maintaining enterprise security will always be the number one priority of information security professionals everywhere, the modern information security professional recognizes that times are changing. Network security at the expense of user productivity is counterproductive. When threatened with limitations to productivity, users have proven that they will find ways around IT and information security initiatives through shadow IT.
Progressive, security-focused organizations must consider their users when they create security policies. Backing into security policies and initiatives based on user needs allows enterprise organizations to simultaneously meet security and user-productivity demands. Rather than forcing users to work outside of their usual workflows, modern information security secures the enterprise where and how its users prefer to work, eliminating unsanctioned workarounds and shadow IT solutions. The result is greater enterprise security and happier end users.
November 4, 2015 | Leave a Comment
Our Latest Research Reveals Opportunities and Threats As Business-Critical Data Moves to the Cloud
By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks
Cloud services are now an integral part of corporate life. Companies use, on average, 1,154 cloud services ranging from enterprise-ready services procured by the IT department such as Office 365 to far lesser known and riskier services such as FreakShare. It’s not uncommon for sensitive corporate data to make its way to the cloud, with 15.8% of documents in file sharing services containing some form of sensitive content.
Our latest Cloud Adoption & Risk Report (download a copy here) examines the cloud usage of over 23 million users at companies spanning all major industries worldwide. Across more than 16,000 cloud services, they generate in excess of 2 billion events each day including logins, uploads, edits, shares, deletes, etc. We’ve analyzed this activity and distilled some important facts about how companies are using the cloud today. Here are 11 of the most interesting findings from the report.
15.8% of files in the cloud contain sensitive data
The most common type of sensitive content found in the cloud is confidential data (e.g. financial records, business plans, source code, trading algorithms, etc.) with 7.6% of documents in file sharing services containing this data. Next, 4.3% of documents contain personally identifiable information, 2.3% contain payment data such as credit card numbers, and 1.6% contain protected health information. Sensitive data uploaded to the cloud, in and of itself, is not necessarily a bad thing, but we’ve found that data can be placed at risk if it’s misused internally or shared externally outside of policy.
1,156 files contain the word “password” in the filename
A common theme in recent data breaches is that cyber criminals use compromised passwords to execute attacks. In the Anthem breach, it’s been reported that passwords belonging to five IT employees were used to access sensitive patient data. While it’s recommended users store passwords in a safe place, such as a secure password vault, unencrypted Excel and Word documents uploaded to file sharing services are a poor place to store passwords.
1,753 Excel documents contain the word “salary” in the filename
Recent headline-making data breaches have also involved documents containing employee salaries, Social Security numbers, home addresses, and bank account numbers. Many of these files include the word “salary” or “salaries” in the filename, making it even easier for a cyber criminal to identify them. The average company has 6,097 files containing these keywords in the filename stored in cloud-based file sharing services, and 1,753 are Excel spreadsheets.
File sharing hit an all-time high this quarter
The percentage of files in cloud-based file sharing services that are shared hit an all-time high of 37.2% in Q3. Files can be shared with multiple users inside and outside the company. The most common type of collaboration is with internal users, with 71.6% of shared files shared with individual users within the company. Of shared files, 28.2% are shared with business partners, and 5.4% are visible to anyone with the link. Of the 37.2% of files shared, we’ve broken down who they are shared with here:
9.2% of files shared externally contain sensitive data
Of files in cloud-based file sharing services that are shared externally (with business partners, personal emails, or publicly on the web) 9.2% contain sensitive data, defined as confidential, personal, payment, or health data. While this number is lower than the overall average of all files that contain sensitive data (15.8%), which indicates that users are more selective with what they share externally, these sharing events can expose organizations to risk if data falls into the wrong hands.
File sharing services are a shadow code repo
Data is under siege by internal and external threats
Insider threats, which include both accidental and malicious high-risk user behaviors, occur at least once a month at 89.6% of companies, with the average company experiencing 9.3 incidents per month. On average, companies experience 2.8 privileged user threats per month, which include administrators accessing data they shouldn’t. And, organizations experience 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. A breakdown of companies experiencing at least one insider threat, compromised account, and privileged user threat per month is shown here:
Cloud usage in Q3 grew 38.9% over the same period last year
Cloud usage continues to grow exponentially. The average company in Q3, 2015 used 1,154 cloud services, including 174 distinct collaboration services, 61 file sharing services, 57 development services, and 45 content sharing services. The average user actively uses 30 cloud services. On average, organizations upload 14.7 TB of data to the cloud each month, but only 8.1% of cloud services offer enterprise-ready security controls, which is lower than the 9.5% this time last year.
iOS has more apps in use per device, Android users upload more data
The average iOS device accesses 11.05 cloud services, compared with 9.96 for Android, and 6.82 for Windows Phone. Cloud usage on iOS is soaring, it’s now 88.1% higher than this same period last year. Across mobile platforms, cloud usage grew 62.9% in the last 12 months. However, users of Android devices upload over three times more data compared with the average iOS user.
Cloud usage is surging on Windows and stagnant on the Mac
On average, Windows desktop users use a greater variety of cloud services than users of any other platform. The average Windows device accesses 18.3 cloud services, an increase of 47.6% in the last 12 months. Today, Windows devices on average access 77.7% more cloud services than Mac devices.
Enterprise cloud services account for 72.9% of cloud usage
A common misconception among corporate IT departments is that the bulk of their cloud usage is made up of employees accessing consumer apps. However, we found the opposite is true. On average, 72.9% of the cloud services in use by a company are defined as enterprise cloud services and 71.8% of data uploaded to the cloud went to these services. Not all of these apps are approved, and companies can reduce their risk by migrating to enterprise-ready services. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have robust security controls than the average enterprise cloud service (85% vs 9.9%).
October 30, 2015 | Leave a Comment
By Andrew Wild, Chief Information Security Officer, Lancope
Most employees are honest, trustworthy people that would not steal from their employer or intentionally take sensitive, private information from their job and sell it. But many well-meaning employees are taken advantage of by attackers to steal data, and it can cost their employer (and customers) millions.
Unintentional insider threats can cost a U.S. company as much as $1.5 million, according to a report from the Ponemon Institute. The Verizon 2015 Data Breach Investigations Report noted that most of the thousands of data breaches and security incidents studied involved stolen user credentials.
This predicament is understandable – most employees don’t fully understand the importance of the role they play in ensuring the security of their organization – but there are simple measures everyone can take to ensure they don’t become the open door into the network. Here are five tips on how not to become an insider threat:
Be mindful of devices with company data on them
It’s a new world out there, and most of us have some sort of company data on portable devices. Whether you get work-related emails on your smartphone, use company laptops out of the office, access cloud-based IT solutions or just log into company systems remotely, be careful not to let this information fall into the wrong hands.
Try not to store unnecessary sensitive data on your mobile devices, and be wary of what external networks you connect to. Malware can be used to steal login credentials or compromise the corporate network if you return to the office with the infected device.
Lastly, don’t forget devices can be stolen or lost. Keep track of your devices, promptly report any device containing company data to your IT group, use a password and secure them, which leads to the next tip.
Encrypt data at rest
Most people only think about encryption when they are transferring data to a third party, but data that is sitting unused in storage is also at risk. From the perspective of an employee, this most often takes place when sensitive items are stored on mobile devices, personal computers or data storage devices such as external hard drives and thumb drives.
Encryption ensures that even if data falls into someone else’s hands, they won’t be able to access it. Most phones and mobile devices have the ability to encrypt data stored on them. Here is some information on encrypting iOS and Android devices.
Encrypting external hard drives and thumb drives is a little more difficult. Though there are several third-party applications to encrypt storage drives, if you are running Windows Vista or later, Microsoft BitLocker is a good solution. For more information on BitLocker and installation instructions, click here.
Of course, the effectiveness of encryption is highly dependent upon the strength of the key and the key management processes…
Use good password practices
You wouldn’t put your valuables in a safe but leave the door open, would you? Likewise, you wouldn’t use the same key for your car, safe, safety deposit box, etc. Your sensitive data is only as safe as the password you use to protect it.
You should use passwords that are at least 10 characters long, though the longer the better, with complexity: it should contain a mixture of uppercase, lowercase and special characters as well as numerals. Change your password often, and use a unique password for every site, system and application. If you use only one password for everything and a website you use suffers a data breach that includes user passwords, all of your accounts are as good as compromised.
Of course, it is difficult to memorize and manage so many unique passwords, but there is a solution. You can use secure password managers to generate unique passwords and keep track of them, requiring you to only remember the one password used to secure the manager. You can also employ two-factor authentication for your most sensitive accounts (your password vault, for example), which will require you to input a unique ID that is sent to your phone every time you log in, drastically reducing the likelihood of compromise.
For more information on using secure password managers and two-factor authentication, click here.
Beware of social engineering
“Social engineering” is just a fancy way of saying an attacker utilizes tactics from traditional scams in conjunction with a cyber-attack, and it is a common practice. Social Engineering attacks the human component of the security system. The most common example of this today is phishing, in which an attacker crafts an email that appears legitimate but aims to trick the recipient into divulging sensitive details such as passwords or installing malware on their machine. A more targeted approach is called “spear phishing” wherein the attacker creates an email targeting a specific person, perhaps even you.
Very few of us are truly “off the grid”; we all have information available about us online. In a matter of minutes, an attacker can find out what you do and discover your workplace responsibilities. They can then use that information against you. For instance, an attacker may identify a company’s CEO or other C-level executive and then send a fraudulent email that appears to be from that CEO to you, a company finance manager. The attacker claims they need an urgent wire transfer to close a deal or secure a service. The wire information will likely contain a legitimate vendor but a fake SWIFT code that routes the money to the criminal. Most people don’t question emails that appear to come from a company executive, or another associate, but that mistake could cost your company thousands or even millions.
Social engineering doesn’t have to be digital. Some of the largest breaches over the past few years involved an attacker using the telephone to speak with a company employee posing as a member of IT or other organization insider and convincing them to divulge passwords and other access information. Legitimate IT support staff will never ask you to divulge your passwords! Be wary of strange phone calls. If someone seems suspicious, clear it with a company security professional before you give them any information or ask the caller to hang up so you can call them on an official company phone number.
Ensure you don’t have unnecessary access privileges
This may sound like a strange tip, but most employees don’t need access to every resource on their company’s network, and limiting access to sensitive systems to only those who need it can drastically reduce the reach of a potential data breach. This is called the “principle of least privilege.”
Though access privileges are typically managed by IT Security, they do not always know everything different employees need access to, and maintaining proper access control can be difficult. If you discover you have access to data or systems that you don’t require as part of your job, you should notify your organization’s security team. This is especially true if the data or systems contain sensitive information such as customer payment information or personally identifiable information (PII).
While there is no cyber security “silver bullet” to prevent breaches, remaining aware of common security practices can help prevent attackers from using you as a way into your employer’s network. Just like you brush your teeth every morning, these practices are essential to maintaining your “cyber security hygiene.”
This post is part of a series for National Cyber Security Awareness Month, which aims to educate Internet users on how to stay safe online.
October 29, 2015 | Leave a Comment
By Paul Calatayud, Guest Blogger, Code42
Security threats from inside the organization are increasing, but too many organizations hesitate to address the issue. They’re afraid that monitoring employee behavior implies they don’t trust employees. Today, the reality is that employees are often unintentional actors. They’re increasingly being used as vectors and vessels by sophisticated cyber organizations, which want employee credentials to access valuable data.
We’re seeing an increase in employee-targeted phishing attacks and credential theft, because the credentials allow hackers to bypass a huge amount of security investment—the firewall, the perimeter, the encryption—essentially 90% of your security strategy.
As CISOs, we need to get past the insider blind spot to adequately protect our organizations. The first step is to define insider threat more accurately and more tactfully—as either a known actor with motive and opportunity or an actor who unknowingly becomes a conduit, who is essentially a victim.
I try to take an approach that defends against both scenarios, an approach that says: “I’m not sure if your credentials were handed to the bad guy or harvested through malware. Regardless of how it happened, if there’s a deviation or situation where a credential is suspect, then we will detect and respond.”
The bigger challenge is how to detect the deviations. And that requires understanding what the normal state looks like. If you were to look at Edward Snowden and say you wanted to protect against that type of data breach, then you have to be able to understand at what point his access and his abuse occurred. At what point did he go from his normal three years as a contractor to someone behaving maliciously.
Or in the case of Anthem, in which a database administrator’s credentials were stolen, when did that administrator’s normal network behavior change. If the admin logged in every day from 9 to 5 p.m. and then all of a sudden was logging in at 3 a.m., that would tell you something.
To understand what normal looks like at Surescripts, we’ve invested in advanced analytics and other technologies that allow us to profile good behavior. So if we had an Edward Snowden, I would have been able to see and potentially detect the moment he started to abuse his privilege, because I’d have a historical view of his digital behavior over the past three years.
The key for any CISO to gain support for this type of internal profiling strategy is not to focus on distrust. Rather, focus on the need to find the anomalies that lead to internal data breaches—by both intentional and unwitting internal actors.
Paul Calatayud is the Chief Information Security Officer for Surescripts.