Five Ways Your Employees Sidestep Information Security Policies

December 29, 2015

By Susan Richardson, Manager/Content Strategy, Code42

A good employee finds ways to overcome roadblocks and get the job done. But in the case of enterprise IT security, good employees may be your biggest threat. In fact, a recent Dell survey found that nearly seventy percent of IT professionals believe employee workarounds are the greatest risk to their organizations’ security.

We’ve all been there: juggling numerous log-in credentials, following tedious document transfer policies, struggling with subpar app functionality—all the while knowing there’s a better way. IT security policies have a knack for getting in the way of getting the job done. Dell also found that ninety-one percent of workers feel their work productivity is negatively impacted by IT security measures. So what are some of the most common workarounds used by imaginative, driven but often password-fatigued employees?

Easy-to-remember passwords. The average person today has twenty-five personal and professional digital access points. Changing those twenty-five passwords every ninety days, as recommended, results in creating and recalling 125 passwords each year. It’s no wonder people use easy-to-remember passwords; unfortunately, simple passwords negate much of the security benefit of password-based authentication. One 2015 study found that seventy-three percent of online accounts are guarded by duplicated passwords—that is, the same key unlocks many different doors. Another study found that even those who try to be clever by using unique passwords are unlikely to beat the hackers: 1 in 2 passwords follow one of thirteen predictable (read: hackable) patterns. And finally, to skirt the password-reset problem altogether, some savvy users simply call their help desk and claim to have forgotten their password. The IT-driven reset often bypasses the regular password-reset requirements, meaning employees can continually recycle the same password. Thanks to this workaround, TeleSign found that 1 in 2 people are using passwords that are at least five years old.

Tricking the session time-out. Most systems and applications have automatic session time-out features, based on a defined idle period. But many organizations take this security feature a step further, using proximity detectors that time out a user’s session as soon as they step out of range. However, many users “beat” this security feature by placing a piece of tape on the detector, or by placing a cup over the detector. When they do step away from their desks, their devices remain completely unsecured and vulnerable.

Transferring documents outside the secure network. The mobile workforce demands anytime-anywhere access to their documents and data. Most organizations have strict protocols for accessing data through secure network connections, such as a virtual private network (VPN). But many mobile workers aim to streamline their productivity by circumventing these protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos or screenshots with a smartphone and texting the images.

Intentionally disabling security features. One of the most popular workarounds is also the most straightforward. Where possible, users will simply turn off security features that hinder their productivity. This is especially true for BYOD workplaces, where employees have greater control over the features, functionalities and settings of their endpoint devices.

The Post-It Note Pandemic. The most common workaround is also very simple. A survey by Meldium found that most people record their passwords somewhere—whether in a spreadsheet containing all their log-in credentials, on their smartphones, or on a piece of paper, such as a trusty Post-It Note™—likely affixed to the very device it is intended to secure.

So, what’s an IT administrator to do with all these well-intentioned, hard-working, security risk takers? Most experts agree that communication is key. IT security policies should avoid edicts without explanation, leaving the end user with productivity loss and no apparent upside. Instead, many organizations are implementing more rigorous IT security training for all employees, showing them specifically how security protocols protect against data leakage, data breaches and other threats, highlighting how workarounds put data (and their jobs) at risk, and keeping IT security top-of-mind with regular communications and meetings with staff.

Download the executive brief, Protecting Data in the Age of Employee Churn, to learn more about how endpoint backup can mitigate the risks associated with insider threat.

A Perspective on the Next Big Data Breach

December 23, 2015

By Kevin Beaver, Guest Blogger, Lancope

In looking at the headlines and breach databases, there haven’t been any spectacular, high-visibility incidents in recent weeks. It’s almost as if the criminals are lurking in the weeds, waiting to launch their next attack during the busy, upcoming holiday season. After all, the media tends to sensationalize such breaches given the timing and that’s part of the payoff for those with ill intent. Whether the next big breach will impact consumers, corporate intellectual property or national security, no one really knows. It may be that we witness all of the above before year’s end. One thing’s for sure, the next big data breach will be predictable.

Once the dust settles and the incident response team members, investigators and lawyers have done their work and had their say, I can foresee how it’s all going to go down. It’s not at all unlike what happened a couple of years ago with the crippling snowstorms that we experienced in my hometown of Atlanta:

  • There’s an impending threat that most people are aware of. Some argue that threats are evolving. I’m not convinced that’s true. I think the technologies and techniques the threats use against us are maturing, but the threats themselves – criminal hackers, malicious insiders, unaware users, etc. – have been the same since the beginning.
  • People will get caught “off-guard” and get themselves (and their organizations) into a pickle.
  • The subsequent impact will be a lot worse than expected, or assumed.
  • Key individuals will ponder the situation and try to figure out who’s to blame.
  • Management will vow to never let it happen again, including but not limited to, providing short-term political and budgetary support for much-needed security initiatives.
  • Things will go back to normal – the typical daily routine will set back in and then months, perhaps years, will go by. Either the same people will forget the pain of what transpired or new people will be in charge and then, all of a sudden, out of nowhere – it’ll happen again.

With practically all data breaches, there are no surprises. There’s really nothing new. It’s the same story that’s repeated time and again. Comedian Groucho Marx was quoted as saying “Politics is the art of looking for trouble, finding it everywhere, misdiagnosing it and then misapplying the wrong remedies.” In most cases, the same can be said for information security. There’s a lot of talk. Some tangible action (often wheel spinning and going through the motions). There are even policies and contracts that are signed and audits that come up clean. Yet, history repeats itself.

As businessman Warren Buffett once said, there seems to be some perverse human characteristic that likes to make easy things difficult. I know it’s not truly “easy” to manage an overall information security program. I don’t envy CISOs and others in charge of this business function. However, knowing what we know today, it is easy to not repeat the mistakes of others. It’s also easy to become complacent. That’s where you have to be really careful. Too many people feel like they’ve “made it” – that they’ve got everything in place in order to be successful. Then they end up relaxing too much and letting their guard down. Then they become vulnerable again. It’s a vicious, yet predictable, cycle that leads to breach after breach after breach.

When all is said and done, your primary goal should be to determine what the very worst thing is that could happen on your network and then go about doing whatever it takes to make sure that worst thing doesn’t happen. That’s how you’ll prevent the next data breach from happening to your organization. Let the criminals go pick on someone else.

Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC.

Code42 CSO says, “Beware the data-stealing Grinch”

December 22, 2015

By Rick Orloff, Chief Security Officer, Code42

Historically, corporations viewed security as an overhead expense required to meet regulatory controls and audits. As we head into a new year, we know breaches are inevitable and questions about security and data protection are being asked at a higher level. Boards of directors and C-level executives want situational awareness. They want to know, as much as they can, how effective their security programs are and how they compare to peer group programs.

Companies are learning that their security tech stack should enable business functions, not restrict them. Companies are focusing on securing many different layers of their corporate infrastructure but the real focus is on the data (e.g., customer PII, HIPAA, financial records and intellectual property). In today’s workplace, a company’s most critical data isn’t living on a desktop connected to a server—it’s living on laptops, tablets, third-party applications and mobile devices. Many of those devices spend less than half of their time in the office, and represent the disappearing network edge, which can mean an increased risk of data loss. Now and into 2016, the data living on endpoint devices has become a central pillar of a company’s security strategy.

But data protection isn’t just for companies, especially this time of year. We should all follow these four tips to protect our data and ourselves during the busy holiday shopping season:

TIP 1: Don’t shop online using borrowed or public computers, such as those at a cyber cafe. A borrowed computer may be infected and could be recording all of your information.

TIP 2: Public Wi-Fi spots have significant security risks and should be avoided when possible. You’re much safer using your own Wi-Fi or cellular connection.

TIP 3: Protect your passwords—and your data. Do not reuse passwords for multiple accounts. Your email password is the most important password you have. If a hacker can access your email, he or she can simply go to your bank’s website and request a password reset, and quickly gain access to your personal information and bank account.

TIP 4: Do not use your ATM card for any shopping. If you’re the victim of fraud, you often don’t know until all of the cash has been drained from your account. It’s much better to use a credit card as a security buffer. If there is fraud, they typically reverse charges in minutes but it’s not always the same situation with an ATM card.

How can people check to make sure they are going to a reputable website versus a fake one?
Customers should not provide their personal information to e-commerce sites with which they are not familiar. Secure sites use Secure Sockets Layer (SSL) and depict a “lock image” in or near their website address. As a precaution, it’s also best to always make sure antivirus software is updated.

To learn more about how endpoint backup can help your organization protect its data, download the ebook, Backup & Beyond.

Predicting Cyber Security Trends in 2016

December 21, 2015

By TK Keanini, Chief Technology Officer, Lancope

One of my annual rituals is to take stock of the cyber security industry and determine what trends and challenges we are likely to see in the coming year. In the ever-evolving cyberspace, technology changes on a daily basis, and attackers are always there to take advantage of it.

But before we get into what is coming, I’d like to look back on my predictions for 2015 and see how clear my crystal ball was.

2015: Three out of four

Last year, I predicted four major cyber security trends would rise to prominence – or continue rising – in 2015: Muleware, re-authentication exploitation, ransomware and targeted extortionware.

Three out of the four came true with muleware being the odd one out because it is difficult to track. That said, there were some rumblings of hotel staff physically delivering exploits to laptops left in the rooms of certain persons of interest.

Re-authentication exploitation remains popular as more attackers realize a compromised email account can facilitate the theft of many different kinds of accounts for other websites. Once an attacker controls your email account, he can begin the “forgot password” process of a website and steal the password before you notice. We need to stop looking at password authentication as a single point in time, and instead treat it as an entire lifecycle. You could have the strongest password system in the world, but if the re-authentication process is weak, then the attacker has the upper hand.

Ransomware continues to thrive in the current environment and has expanded from only Windows to Apple, Android and Linux. These attacks are countered with proper backups, which are cheaper and easier than ever, but organizations are still failing to back up their data. This method has proved to be lucrative for attackers, and as long as people are still vulnerable to it, ransomware will become even more popular.

Targeted extortionware seeks to steal sensitive data about a person and threaten to publish the data publicly if the victim doesn’t pay up. Everyone has something they would like to keep secret, and some are undoubtedly willing to pay for it. Events like the breach at adult matchmaking site Ashley Madison led to cases of extortionware, and this trend is likely to continue in 2016.

What to expect in 2016

If 2014 was the “Year of the Data Breach,” then 2015 is on track to match it. We saw insurance companies, dating sites, U.S. federal agencies, surveillance technology companies and more fall victim to attacks this year, and there are no reasons to believe it is going to slow down in 2016.

Cracking as a service
Encryption has always been a moving target. As technology becomes more advanced, encryption has to evolve with it or else it becomes too easy to crack. Certain trends such as Bitcoin mining have already led to large farms of compute clusters that could be set up for cryptanalysis without a lot of effort. Like any other Software as a Service provider, it could be as simple as setting up an account. You could submit a key with some metadata and within a few minutes – maybe even seconds – a clear-text WEP key is delivered. This could include different hashes and ciphertext. Charging per compute cycle would make it an elastic business. A development such as this would require everyone to utilize longer key lengths or risk compromise.

DNA breach
Every year, more and more sensitive data is stored on Internet-connected machines, and health data in particular is on the rise. Millions of people use DNA services that track an individual’s genetic history or search for markers of disease, and it is only a matter of time until a DNA repository is compromised. Unlike a credit card number or an account password, health information cannot be changed, which means once it is compromised, it is compromised forever. This makes it an exceptionally juicy target for attackers. A breach like this could affect millions, and compensation would be impossible.

Attack on the overlay network
As more and more organizations rush to develop and implement software-defined networking (SDN), there is widespread adoption of microservice architectures built on technologies like Docker containers. In the case of Docker, VXLAN tagging facilitates an overlay network that defines the structure of the system of applications. This could have severe security implications if there is no effective entity authenticating and checking the tags. Without adequate authentication, attackers could impersonate or abuse a tag, giving them privileged access to the system and the data stored within.

VXLAN is only one example of overlay technology, and frankly, there has not been enough threat modeling to determine how vulnerable it is to attack. Like all new technologies, if we don’t give enough thought to security during development, attackers will discover the vulnerabilities for us. There will be exploitation of overlay networks in 2016, and then defenders will be forced to implement security in the middle of a vulnerable and hostile environment.
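The point about tags that nobody authenticates can be made concrete by looking at the VXLAN header itself. The following is an added example (not code from the original post or from any product it mentions): it parses the RFC 7348 header, shows that the header carries a flags byte, a 24-bit VNI and reserved bits but no authenticator, and therefore enforces "who may use which tag" out of band, with an assumed per-VTEP allow-list keyed on the outer source IP. The VTEP addresses, VNIs and policy are constructed.

```python
"""Policy check for VXLAN-encapsulated frames (RFC 7348 header layout).

Added example, not from the original post. Assumption: the caller hands
us the outer UDP payload (destination port 4789) together with the outer
source IP of the sending VTEP. The 8-byte VXLAN header is:

    flags (1 byte, only bit 0x08 "I" is defined) | reserved (3 bytes)
    VNI (3 bytes)                                | reserved (1 byte)

There is no integrity or authentication field, so a receiver can only
decide whether a tag is legitimate by consulting its own policy about
the sender, as the allow-list below does.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08  # "VNI present" flag; the only flag bit RFC 7348 defines


@dataclass(frozen=True)
class VxlanHeader:
    flags: int
    vni: int


def parse_vxlan(payload: bytes) -> VxlanHeader:
    """Parse and validate the VXLAN header at the start of a UDP payload."""
    if len(payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, r1, r2, r3, v1, v2, v3, r4 = struct.unpack("!8B", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI field is not valid")
    # RFC 7348 requires reserved bits to be zero on transmit; a receiver
    # that tolerates junk here gives an attacker free bits to play with.
    if flags & ~VXLAN_FLAG_I or r1 or r2 or r3 or r4:
        raise ValueError("reserved bits must be zero")
    vni = (v1 << 16) | (v2 << 8) | v3
    return VxlanHeader(flags=flags, vni=vni)


def encap_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Build a well-formed VXLAN header in front of an inner Ethernet frame.

    Used here only to construct sample packets for the check below.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0,
                    (vni >> 16) & 0xFF, (vni >> 8) & 0xFF, vni & 0xFF, 0])
    return header + inner_frame


# Constructed policy: which VNIs each known VTEP (by outer source IP) may
# send on. Anything not listed is dropped. A real deployment would derive
# this from the SDN controller rather than a literal dict.
POLICY: Dict[str, Set[int]] = {
    "10.0.0.11": {5001, 5002},
    "10.0.0.12": {5002},
}


def check_frame(src_vtep: str, udp_payload: bytes,
                policy: Dict[str, Set[int]] = POLICY) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one encapsulated frame."""
    try:
        hdr = parse_vxlan(udp_payload)
    except ValueError as exc:
        return ("drop", f"malformed header: {exc}")
    allowed = policy.get(src_vtep)
    if allowed is None:
        return ("drop", f"unknown VTEP {src_vtep}")
    if hdr.vni not in allowed:
        # The tag is syntactically fine; only the policy lookup catches it.
        return ("drop", f"VTEP {src_vtep} is not authorised for VNI {hdr.vni}")
    return ("accept", f"VNI {hdr.vni} from {src_vtep}")


if __name__ == "__main__":
    inner = b"\xff" * 14  # placeholder Ethernet header for the sample
    for src, vni in [("10.0.0.11", 5001), ("10.0.0.12", 5001), ("10.0.0.99", 5002)]:
        print(src, vni, check_frame(src, encap_vxlan(vni, inner)))
```

Note that the second and third sample frames are byte-for-byte valid VXLAN; the only reason they are dropped is the sender-to-VNI policy, which is exactly the "effective entity checking the tags" the post says is missing.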

Namespace is the new battleground
Software developers are quickly adopting container technology to ensure performance is consistent across different machines and environments. When hypervisor-based virtualization became common, attackers learned how to compromise the hypervisor to gain control of the operating systems on virtual machines. With container technology like Docker, these attacks take aim at namespaces in userland, including networking, processes and filesystem namespaces. In the coming year, there will be attacks originating from malicious containers trying to share the same namespace as legitimate ones. A compromise like this could give attackers complete control of the container and potentially allow them to erase all evidence of the attack.

There are companies working on cryptographic methods of securing namespaces, but until a major attack on these systems takes place, there won’t be a lot of demand for this as a required feature.

New approaches for new technology
Whenever new technology receives widespread adoption, people often attempt to apply old security principles to them. In some cases that works, but it often creates inefficiencies and vulnerabilities. When virtual machines first became popular, operators would often attempt to patch VMs like they were a physical machine. It didn’t take long for them to realize it was quicker and easier to just kill the VM and start a new one with up-to-date software.

As we run headlong into new technology and continue to connect more and more sensitive information to the Internet, we must consider the security implications before a breach occurs. Every year attackers develop more ways to monetize and facilitate cybercrimes, and if we fail to evolve with them then we are inviting disaster.

Smart City Security

December 17, 2015

By Brian Russell, Co-Chair CSA IoT Working Group

Gartner defines a smart city as an “urbanized area where multiple sectors cooperate to achieve sustainable outcomes through the analysis of contextual, real time information shared among sector-specific information and operational technology systems,” and estimates that 9.7 billion devices will be used within smart cities by the year 2020.

A smart city connects multiple technologies and services together, often in manners that were not previously thought possible. According to Juniper Research, there are five essential components of a smart city: technologies, buildings, utilities, transportation and road infrastructure, and the smart city itself. All of these building blocks are brought together, according to the Intelligent Community Forum (ICF), to “create high quality employment, increase citizen population and become great places to live and work.”

There are myriad use cases for smart cities. City Pulse provides a great starting point for defining some of these. In the near future, citizens will benefit from improved service delivery as cities enable capabilities such as smart waste management, pollution sensors and smart transportation systems. Cities will also be able to stand up improved security and safety capabilities – from managing crisis situations using coordinated aerial and ground robotic tools, to monitoring seniors to identify elevated stress levels (e.g., potential falls or worse) in their home. New services will likely be stood up, both public and private, to leverage these new capabilities.

This smart city ecosystem is dynamic. This is true for the devices that will make up the edges of the smart city, as well as the cloud services that will support data processing, analytics and storage. The data within a smart city is itself dynamic, crossing private and public boundaries, being shared between organizations, being aggregated with other data streams and having metadata attached, throughout its lifetime. This all creates significant data privacy challenges that must be adequately addressed.

These complex smart city implementations also introduce challenges to the task of keeping them secure. As an example, services will likely be implemented that ingest data from personal devices (e.g., connected automobiles, heart-rate monitors, etc.), making it important that only permitted data is collected and that citizens opt in. Interfacing to personally-owned devices also introduces new attack vectors, requiring that solutions for determining and continuously monitoring the security posture of these devices be designed and used.

City infrastructures will also be updated and extended to support new smart capabilities. There are smart city management solutions that tie together inputs from smart devices and sensors and enable automated workflows. These solutions can be hosted in the cloud and can reach out across the cloud through integration with various web services, creating a rich attack surface that must be evaluated on a regular basis as new inputs and outputs are added. This requires the upkeep of a living security architecture and routine threat modeling activities.

Understanding the threats facing smart cities and the vulnerabilities being introduced by new smart city technologies requires a collaborative effort between municipalities, technology providers and security researchers. Technology providers would be well served to review secure development guidance from organizations such as the Open Web Application Security Project (OWASP), and smart device vendors should make use of third-party security evaluations from organizations such as builditsecure.ly. Municipalities should look to secure implementation guidance from organizations such as the Securing Smart Cities initiative, as well as the Cloud Security Alliance (CSA).

The CSA Internet of Things (IoT) Working Group (IoTWG) recently teamed up with Securing Smart Cities to publish a document titled Cyber Security Guidelines for Smart City Technology Adoption. This document is an effort to provide city leaders with the knowledge needed to acquire secure smart city solutions, and includes guidance on technology selection, technology implementation and technology disposal. Download the document.

The CSA IoTWG will continue to support the Securing Smart Cities initiative in their focus on providing security guidance for smart cities, and we will continue our work on providing security guidance for the IoT as a whole, to include recommendations for securing IoT cloud services, research on the uses for blockchain technology to secure the IoT, and guidance on how to design and develop secure IoT components. Keep a look-out for new publications from our WG.

Join the CSA IoTWG.

Brian Russell (twitter: @pbjason9) is Chief Engineer/CyberSecurity for Leidos.

Humans: Still the weakest link in the enterprise information security posture

December 16, 2015

By Rachel Holdgrafer, Content Business Strategist, Code42

When it comes to protecting enterprise data, it’s more about understanding processes, procedures and the humans using the system, and less about defending the physical hardware. Seventy-eight percent of respondents to the Ponemon 2015 State of the Endpoint Report: User-Centric Risk indicate that the biggest threat to endpoint security is negligent or careless employees who don’t follow security policies. The Skyhigh Report finds that 89.6% of organizations experience at least one insider threat each month while the average organization experiences 9.3 insider threats each month. Humans are the weakest link in information security—for a number of reasons.

According to McAfee, internal actors are responsible for 43% of enterprise data loss. In half the cases, data loss is accidental, while the other half is intentional. In 2013 alone, U.S. companies and organizations suffered $40 billion in losses from unauthorized use of computers by employees, including “…approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent.” Whether accidental or deliberate, data loss at the hands of employees is a real and present danger.

Accidental data breach or loss
Well-meaning employees threaten data security every day, often without realizing it. They open suspicious email attachments, fall for social engineering ploys, carelessly manage network passwords or use shadow IT applications that give hackers a way into the network. Regardless of how data loss or breach happens, insider threat poses a significant risk to organizations.

  • Shadow IT applications. In an effort to get their jobs done, employees may install unsanctioned software on their devices, and in doing so, expose their employer to hackers and malware via vulnerabilities in the software.
  • Sync and share technology. Sync and share applications are powerful collaboration tools for increasing employee productivity, especially for distributed and remote teams. Unfortunately, sharing data has a down side; 28% of employees have uploaded a file containing sensitive data to the cloud. A team member might inadvertently delete a shared document or corrupt the only version of a key file, rendering the data useless. Sensitive data, such as social security or customer payment information, could be shared with internal employees or with external users, putting the data at risk and the company out of compliance.
  • Social engineering. From urgent emails that appear to come from C-suite executives requesting large wire transfers to “friendly” phone calls from hackers posing as corporate IT staff, social engineering is on the rise at organizations of all sizes.
  • Poor password security. What appears to be innocuous password sharing can result in significant data loss. Employees good-naturedly share passwords with coworkers or post their network passwords at their workstations, unintentionally allowing others to access the system using their credentials.

Intentional data sabotage
In a perfect world, employees would always work in the best interest of their employers. Unfortunately, this is not always the case. As a result, organizations must monitor individuals on the payroll to spot incidents of intentional data sabotage.

  • Dealing with disgruntled employees. Malicious cyber-sabotage conducted by disgruntled employees is on the rise. Whether passed over for a promotion, terminated for cause or as a part of a reduction in force, unhappy employees pose a risk to data security. Disgruntled employees may delete important files or emails, lock administrators out of admin accounts by changing passwords or take sensitive data with them when they leave. NakedSecurity by Sophos reports that:

The FBI has found that terminated employees installed unauthorized RDP (remote desktop protocol) software before they exited their companies, thereby ensuring that they could retain access to the businesses’ networks to carry out their crimes.

  • Malware introduction and planting logic bombs. Employees on their way out the door may purposely infect the employer’s network with malware or plant logic bombs that “go off” in the future, wiping out data when the employee is long gone.
  • Selling corporate data for fun and profit. It’s troubling, but true; current employees may extract and sell sensitive corporate data to the highest bidder on the black market. They may also sell customer account lists, product plans or other intellectual property to their employer’s competitors for financial gain. Some enjoy the challenge of accessing the data, some need the cash and others, like arsonists, enjoy watching the company burn.

Conclusion
Humans continue to be the weakest link in information security. Whether deliberate or accidental, the actions of employees can quickly destroy a company. Organizations must keep this in mind when creating information security policies and while implementing safeguards.

Learn more about the impacts of insider threat. Download the executive brief, Protecting data in the age of employee churn.

The Twelve Days of Cyber Plunder

December 14, 2015

By Phillip Marshall,  Director of Product Marketing, Cryptzone

As the holiday season approaches, we caution you to take heed of the cyber perils in this familiar holiday tune.
While we had a little fun with the verse, this cautionary tale unfortunately rings true for many.

On the first day of Christmas the Cyber Grinch sent to me, a holiday invitation phishing to see if I would give him info on me.
On the second day of Christmas the Cyber Grinch gave to me, malware on my PC.
On the third day of Christmas the Cyber Grinch took from me, my personal passwords and IDs.
On the fourth day of Christmas the Cyber Grinch stole from me, a credit card and bought a TV.
On the fifth day of Christmas the Cyber Grinch went on a shopping spree, and bought his girlfriend five golden rings – courtesy of me.
On the sixth day of Christmas the Cyber Grinch took from me, my company login and ID.
On the seventh day of Christmas the Cyber Grinch used my credentials to slink about the network and VLANs to boot, seeking something to loot.
On the eighth day of Christmas the Cyber Grinch got even bolder and found a password folder.
On the ninth day of Christmas the Cyber Grinch found, to his glee, some really neat company IP.
On the tenth day of Christmas the Cyber Grinch did the deed, and exfiltrated all our customer data, in his greed.
On the eleventh day of Christmas the Cyber Grinch tripped a false security alert, his detection he managed to avert.
c. Someone bought it on the dark web, the guy is now some hacker celeb.
To protect you and your company from further verses of this song,
Please consider taking us along,
Try our Segment-of-One and you’ll be safe,
Context and content controls in place,
You’ll be the envy of all the companies in your space,
And the likes of the Cyber Grinch lockout,
Let Cryptzone help you out.

Fix Insider Threat with Data Loss Prevention

December 10, 2015

By Rachel Holdgrafer, Content Business Strategist, Code42

What do the Mercedes-Benz C Class, teeth whitening strips, the Apple iPhone and personally identifiable information have in common? Each is the item most commonly stolen from its respective category: luxury cars, personal care items, smartphones and corporate data. In the 2015 study entitled Grand Theft Data – Data exfiltration study: Actors, tactics, and detection, Intel Security reports:

  • Internal actors were responsible for 43% of data loss, half of which is intentional, half accidental.
  • Microsoft Office documents were the most common format of stolen data (25%).
  • Personal information from customers and employees was the number one target (65%).
  • Internal actors were responsible for 40% of the serious data breaches experienced by respondents and external actors for 57% of data breaches.

Whodunnit?
The report describes internal actors as employees, contractors and third-party suppliers, with a 60/40 split between employees and contractors/suppliers. Office documents were the most common format of data stolen by internal actors—probably because these documents are stored on employee devices—which many organizations do not manage.

In a 2013 report by LogRhythm, a cyber threat defense firm, a survey of 2000 employees found that 23 percent admitted to having looked at or taken confidential data from their workplace, with one in ten saying they do it regularly. In the same study, two-thirds of respondents said their employer had no enforceable systems in place to prevent access to data such as colleague salaries and bonus schemes.

Employees who move intellectual property outside the company believe it is acceptable to transfer work documents to personal computers, tablets, smartphones and file sharing applications, and most do not delete the data because they see no harm in keeping it. As reported in the Employee Churn white paper, many employees attribute ownership of IP to the person who created it.

Four quick fixes to curb insider threat
As the rate of insider theft approaches the rate of successful hacks, organizations can start with four common sense principles to shore up security immediately:

  1. Trust but verify: Understand that the risk of data loss from trusted employees and partners is real and present. Watch for data movement anomalies in your endpoint backup data repositories and act upon them.
  2. Log, monitor and audit employee online actions and investigate suspicious insider behaviors.
  3. Disable employee credentials immediately when employees leave, and implement strict password and account management policies. Astonishingly, six in ten firms surveyed do not regularly change passwords to stop ex-employees from gaining access to sites and documents.
  4. Implement secure backup and recovery processes to prepare for the possibility of an attack or disruption and test the processes periodically.
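One way to put fixes 1 to 3 into practice, as an added example that is not Code42's code: a small Python script that runs over constructed endpoint backup audit records, flags a user whose daily count of backed-up Office documents jumps far above that user's own median day, and lists activity from accounts belonging to people on a departed-employee list. The record format, the user names, the thresholds and the departed list are all assumptions made for the example.

```python
import os
from collections import defaultdict
from statistics import median

# Office formats were the most common stolen format in the study above, so only these count.
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

def build_sample_events():
    """Constructed (user, ISO day, file name) backup records: alice backs up 1-2 Office
    files a day then 14 on the last day; bob is steady; carol has left the company."""
    events = []
    for d in range(1, 8):
        day = f"2015-12-{d:02d}"
        events.append(("alice", day, f"report-{d}.docx"))
        if d % 2 == 0:
            events.append(("alice", day, f"budget-{d}.xlsx"))
        events.append(("alice", day, f"photo-{d}.jpg"))  # not an Office file, ignored
        events.append(("bob", day, f"deck-{d}.pptx"))
    for i in range(14):
        events.append(("alice", "2015-12-08", f"customer-export-{i}.xlsx"))
    events.append(("carol", "2015-12-08", "salary-bands.xlsx"))
    return events

def office_docs_per_day(events):
    """Return {user: {day: count of Office documents backed up that day}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, name in events:
        if os.path.splitext(name)[1].lower() in OFFICE_EXT:
            counts[user][day] += 1
    return counts

def find_spikes(events, factor=5, min_files=10):
    """Flag (user, day, count, baseline) when a day's Office-document count is at least
    `factor` times the user's own median day (robust to the spike itself) and `min_files`."""
    flagged = []
    for user, per_day in sorted(office_docs_per_day(events).items()):
        baseline = median(per_day.values())
        threshold = max(min_files, factor * baseline)
        for day, count in sorted(per_day.items()):
            if count >= threshold:
                flagged.append((user, day, count, baseline))
    return flagged

def find_departed_activity(events, departed):
    """Activity from an account on the departed list means it was not disabled (fix 3)."""
    return sorted({(user, day) for user, day, _ in events if user in departed})

if __name__ == "__main__":
    print("spikes:", find_spikes(build_sample_events()))
    print("departed accounts active:", find_departed_activity(build_sample_events(), {"carol"}))
```

A per-user median baseline avoids flagging users whose normal workload is heavy, while `min_files` stops a user with a near-zero baseline from being flagged over a handful of files.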

Download the executive brief, Protecting Data in the Age of Employee Churn, to learn more about how endpoint backup can mitigate the risks associated with insider threat.

An Overview of the Security Space and What’s Needed Today

December 9, 2015 | Leave a Comment

By Kevin Beaver, Guest Blogger, Lancope

Fairly often, I have friends and colleagues outside of IT and security ask me how work is going. They’re curious about the information security industry and ask questions like: How much work are you getting? Why are we seeing so many breaches? Are things going to get better? Given what’s happening in the industry, I’m always quick to respond with some fairly strong opinions. So, where are things now and what’s really needed to resolve our security issues?

First off, based on what I see in my work and what I hear from friends and colleagues in the industry, I’m convinced that what we’re seeing in the data breaches and hearing about in the headlines is merely the tip of the iceberg. I suspect that there are three to four times the number of breaches that go undetected and unreported. I also see many IT and security shops merely going through the motions just trying to keep up. Putting out fires is their daily tactic. Big-picture strategies don’t exist.

In my specific line of work performing security assessments, I see people sweating bullets anticipating the results, unsure of how the outcome is going to reflect on them, their credibility and their jobs. I’m not saying this to speak negatively of the people responsible for information security. I just think it’s a side-effect of how IT and security challenges have evolved in recent years. The rules and oversight are being piled on. Ironically, in an industry that traditionally offers a strong level of job security, it seems that more and more people are concerned about that very thing.

A core element contributing to these challenges – and something that doesn’t get the attention it deserves – is a glaringly obvious lack of support for information security initiatives at the executive and board level. Sure, there are occasional studies that show that security budgets are increasing, however, more often than not I’m seeing and hearing sentiments along the lines of a recent study that showed the majority of C-level executives do not believe CISOs deserve a seat at the leadership table. So, it’s more than just budget. It’s political backing as well. This begs the question: who’s responsible for this lack of respect for the information security function? I believe it’s a chicken and egg debate-type situation involving responsibility and accountability on the part of both IT and security professionals as well as business leaders. I’ll save that for another blog post.

Politics and business culture aside, there are still many situations where all is assumed to be well in security when it is indeed not. The lack of visibility and data analytics is glaringly obvious in many enterprises, including large corporations and federal government agencies that one might assume really have their stuff together and are resilient to attack. In fact, I strongly believe that many – arguably most – security decisions are made based on information that’s questionable at best and this is why we continue to see the level of breaches we’re seeing.

So, where do we go from here? I’m not convinced that we need more policies. Nor am I convinced that we need better technologies. People are continually chasing down this rabbit hole and that rabbit hole in search of the latest magical security solution. Rather than a new direction, what we need is discipline. For decades, we’ve known about the core information security principles that are still lacking today. Unless and until everyone is on board with IT and security initiatives that impact business risk, I think we’re going to continue with the same struggles. I hope I am proven wrong.

Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC.

Gartner’s Latest CASB Report: How to Evaluate Vendors

December 7, 2015 | Leave a Comment

Market Guide Compares CASB Vendors And Provides Evaluation Criteria

By Cameron Coles, Senior Product Marketing Manager, Skyhigh Networks

As sensitive data moves to the cloud, enterprises need new ways to meet their security, compliance, and governance requirements. According to Gartner Research, “through 2020, 95% of cloud security failures will be the customer’s fault,” meaning that enterprises need to look beyond the security capabilities of their core cloud services and focus on implementing controls over how those services are used in order to prevent the vast majority of potential security breaches.

Many companies invested in firewalls, proxies, intrusion prevention systems, data loss prevention solutions, and rights management solutions to protect on-premises applications. The cloud access security broker (CASB) offers similar controls for cloud services. According to a new Gartner report (download a free copy here), a CASB is “required technology” for any enterprise using multiple cloud services. By 2020, Gartner predicts 85% of large enterprises will use a CASB, up from fewer than 5% today.

“By 2020, 85% of large enterprises will use a cloud access security broker product for their cloud services, which is up from fewer than 5% today.”
– Gartner, “Market Guide for Cloud Access Security Brokers”

The need for a solution is clear. Cloud adoption within enterprise is growing exponentially – driven in large part by business units procuring cloud services and individual employees introducing ad hoc services without the involvement of IT. IT Security teams need a central control point for cloud services to understand how their employees use cloud services and enforce corporate policies across data in the cloud, rather than managing each cloud application individually. This functionality is not available in Web application firewalls (WAFs), secure Web gateways (SWGs) and enterprise firewalls, driving the need for a new solution that addresses these challenges.

Why do companies use CASBs?
In the report, Gartner explains there are three market forces driving enterprises to consider using a CASB. First, employees are moving to non-PC form factors. Employees use mobile devices to store corporate data in cloud services, and IT Security teams lack controls for this activity. Second, as corporate IT budgets are redirected toward cloud services, companies are beginning to think strategically about the security stack needed for the cloud. And lastly, as the largest enterprise software companies like Oracle, Microsoft, and IBM invest heavily in migrating their installed base to cloud services, more of these enterprises are looking to secure this data.

“CASB is a required security platform for organizations using cloud services.”
– Gartner, “Market Guide for Cloud Access Security Brokers”

While some cloud providers are beginning to add security and compliance controls to their solutions, companies need a more centralized approach. The average enterprise uses 1,154 cloud services, and managing a different set of policies across each of these services would not be practical for any organization. A CASB offers a central control point for thousands of cloud services for any user on any device – delivering many of the security functions found in on-premises security solutions, including data loss prevention (DLP), encryption, tokenization, rights management, access control, and anomaly detection.

Gartner’s 4 Pillars of CASB Functionality
Gartner uses a four-pillar framework to describe the functions of a CASB. Not all CASB providers cover these four pillars, so customers evaluating solutions should carefully evaluate marketing claims made by vendors and ask for customer references.

  • Visibility – discover shadow IT cloud services and gain visibility into user activity within sanctioned apps
  • Compliance – identify sensitive data in the cloud and enforce DLP policies to meet data residency and compliance requirements
  • Data security – enforce data-centric security such as encryption, tokenization, and information rights management
  • Threat protection – detect and respond to insider threats, privileged user threats, and compromised accounts

Deployment architecture is an important consideration in a CASB project. A CASB can be delivered via SaaS or as an on-premises virtual or physical appliance. According to Gartner, the SaaS form factor is significantly more popular and easier, making it the increasingly preferred option. Another factor to consider is whether to use an inline forward or reverse proxy model, direct API connectivity to each cloud provider, or both. Gartner refers to CASB providers that offer both proxy and API options as “multimode CASBs” and points out that certain functionality such as encryption, real-time DLP, and access control are not possible with API-only providers.

How to choose a CASB
Not all CASB solutions are equal and the features, deployment architectures, and supported cloud applications vary widely from provider to provider. Gartner splits the CASB market into Tier 1 providers that frequently appear on short lists for Gartner clients, and other vendors. Tier 1 providers are distinguished by their product maturity, scalability, partnerships and channel, experience in the market, ability to address common CASB use cases across industries, and market share and visibility among Gartner clients.

In its latest report, Gartner offers numerous recommendations for customers evaluating a CASB, including the following:

  1. Consider the functionality not available with API-only CASBs compared with multimode CASBs before making a decision
  2. Start with shadow IT discovery in order to know what’s in your environment today before moving to policy enforcement
  3. Look for CASBs that support the widest range of cloud applications, including those you plan to use in the next 12-18 months
  4. Look past CASB providers’ “lists of supported applications and services,” because there are often substantial differences in the capabilities supported for each specific application
  5. Confirm that the CASB deployment path will work well with your current network topology
  6. Confirm that the solution integrates with your existing security systems such as IAM, firewalls, proxies, and SIEMs

One way to evaluate claims made by CASB vendors is to speak with several customer references. Another recommended element in the selection process is conducting a proof of concept. Using real data for the proof of concept enables a potential customer to try out the analytics capabilities of a CASB, including the ability to discover all cloud services in use by employees and detect internal and external threats that could result in data loss. When you’re ready to begin looking at solutions, Skyhigh offers a free cloud audit that reveals shadow IT usage and high-risk activity within approved cloud services.