A Few Lessons from Recent Adware Insecurities

March 11, 2015

Recent adware has made significant waves in some information security circles for its security vulnerabilities and for its potential larger impact on one of the essential systems of trust that Internet sites use – the browser [1] [2].


By Jacob Ansari, Manager, Brightline

While users can obtain fixes or removal tools for both Superfish[3] and PrivDog, the issue remains that our browsers can make trust decisions for us that we do not always know about or understand, and to which we may not consent.

This problem isn’t new. Public-key infrastructure (PKI) systems (that is, systems that use digital certificates to verify the authenticity of websites on the Internet) ultimately rely on a series of ostensibly trustworthy entities not abusing that trust. For users, this often means understanding which root certificates their web browsers trust. These root certificates, issued by organizations called certificate authorities (CAs), digitally sign, and thereby vouch for, the certificates that sites on the Internet use to substantiate their identity. Modern browsers ship with several root certificates installed, usually from CAs, although users, or the software they install, can modify this repository.

This was the core problem with Superfish. The utility, installed by default on Lenovo laptops, subverted that trust relationship by installing not just a certificate that the browser trusted, but a root certificate, which would then re-sign other sites’ certificates and allow the holder of that root’s private key to decrypt the web traffic to those sites. The ad company intended this to inject advertisements into browser traffic, even on encrypted sites, but the Superfish phony root certificate would allow an attacker to manipulate any encrypted web traffic and make it appear legitimate. The plot thickened a few days later when researchers and savvy users discovered that an ad blocking and replacement tool called PrivDog[4] did the same thing, although it had the potential to create even more security issues, as it would re-sign any certificate, including otherwise invalid or questionable certificates, without any verification whatsoever. The situation with PrivDog has a particularly troublesome quality to it in that the developer of this software is the founder and CEO of Comodo, one of the largest CAs in the world; however, the versions of PrivDog with this particular problem do not appear to come bundled with the Comodo security software offered to users.
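
As an added example (not from this post), the check a defender would run after the Superfish episode: enumerate the self-signed roots the local trust store holds and flag any that are not on a known baseline. It uses only Python’s standard-library ssl module; the sample certificate dicts and the baseline name are constructed for illustration.

```python
import ssl

# Sample entries in the shape ssl.SSLContext.get_ca_certs() returns (constructed, not real certs).
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root CA"),)),
     "issuer":  ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("organizationName", "Adware Vendor Inc"),),
                 (("commonName", "Adware Interception Root"),)),
     "issuer":  ((("organizationName", "Adware Vendor Inc"),),
                 (("commonName", "Adware Interception Root"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    # An intermediate (issuer != subject) is not a trust anchor and is ignored by the audit.
    {"subject": ((("commonName", "Example Issuing CA 1"),),),
     "issuer":  ((("commonName", "Example Global Root CA"),),),
     "notAfter": "Jan  1 00:00:00 2025 GMT"},
]

# The roots you expect to find: in practice, the CN list of your browser or OS bundle.
BASELINE_ROOT_CNS = {"Example Global Root CA"}


def rdn_value(name, attr):
    """Extract one attribute (e.g. 'commonName') from ssl's tuple-of-tuples name form."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def unexpected_roots(certs, baseline_cns):
    """Return the CNs of self-signed roots in `certs` that are not in `baseline_cns`.

    Self-signed (subject == issuer) is what makes an entry a trust anchor: a root like
    Superfish's can vouch for a certificate for any site, so every anchor outside the
    baseline deserves a look.
    """
    flagged = []
    for cert in certs:
        if cert.get("subject") != cert.get("issuer"):
            continue
        cn = rdn_value(cert["subject"], "commonName")
        if cn not in baseline_cns:
            flagged.append(cn)
    return flagged


def audit_local_store(baseline_cns):
    """Run the same check against the roots Python's default context trusts on this host.

    On Windows this covers the ROOT and CA system stores; on capath-style Linux installs
    OpenSSL loads certificates lazily, so the returned list may be incomplete.
    """
    ctx = ssl.create_default_context()
    return unexpected_roots(ctx.get_ca_certs(), baseline_cns)


if __name__ == "__main__":
    print(unexpected_roots(SAMPLE_STORE, BASELINE_ROOT_CNS))   # ['Adware Interception Root']
```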

Attacks that target this system of trust have happened before. In 2011, an attack took place against DigiNotar[5], a Dutch CA. The attacker or attackers (thought to be agents of the Iranian government trying to spy on dissidents) issued numerous certificates that appeared legitimate. However, they held the corresponding private keys, and thus had the ability to decrypt any intercepted encrypted traffic authenticated by these fraudulent certificates or any certificates derived from them. In 2012, another CA issued a subordinate root certificate, encased in a specialized hardware device called a hardware security module (HSM), to a third party as a product for monitoring traffic from an organization, ostensibly to prevent company confidential information from leaving[6]. In doing so, however, it yielded the same sort of result, as it allowed the device holding the subordinate root to impersonate any other encrypted site on the Internet in a fashion that most users would not detect.

These developments create significant dangers for safe Internet use, in that an attacker who obtains such certificates can potentially manipulate many users into trusting hostile sites. Even without the scenario of a criminal gaining access to root certificates, placing root certificates outside the most protected and trusted sort of environment tampers with one of the underpinnings of the Internet. The trust that needs to exist will erode if users cannot be sure that the site they intend to visit is actually the site in the browser. Adversely affecting website security and authenticity for criminal purposes, or as an act of surveillance, has its own issues, legal, political and otherwise. Doing so merely to serve up advertisements in browsers shows a breathtaking measure of recklessness.

So what do we learn from this?
Primarily, we learn that the world is full of organizations that play with fire and adversely affect Internet security for a variety of self-serving reasons. Perhaps this isn’t surprising. Users will need to fully understand how these trust relationships work, so that they can make decisions about which sites to visit and trust from a more informed standpoint. This may be an unrealistic expectation that puts a lot of burden on ordinary people who just want to use the Internet in the ways they always have. Additionally, certificate authorities and other intermediaries should undergo more scrutiny in terms of how they manage the security of certificates, keys, and the like. There are several audit standards to guide CAs, from WebTrust for Certification Authorities to the various CA/Browser Forum guidelines. More than likely, however, the responsibility will fall to the community of security professionals to inform all interested parties about these sorts of threats and mount effective defenses against them.

[1] PCWorld.com – CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs
[2] A Few Thoughts on Cryptographic Engineering
[3] Lenovo – Superfish Uninstall Instructions
[4] nakedsecurity.com – Anatomy of a certificate problem – the “PrivDog” software in the spotlight
[5] Wikipedia – DigiNotar
[6] Trustwave issued a man-in-the-middle certificate

24 Hours After FREAK, 766 Cloud Providers Still Vulnerable

March 6, 2015

The Average Company Uses 122 FREAK-vulnerable services

By Sekhar Sarukkai, Co-founder and VP of Engineering, Skyhigh Networks

This week a group of researchers at INRIA, Microsoft Research, and IMDEA discovered a widespread vulnerability in OpenSSL that has rendered millions of Apple and Android devices vulnerable to man-in-the-middle attacks when they visit supposedly secure websites and cloud services. You can read the detailed description of the vulnerability from the discovering researchers here.

The researchers have dubbed this the “FREAK” vulnerability (CVE-2015-0204), for Factoring Attack on RSA-EXPORT Keys; it enables attackers to force clients to use older, weaker encryption, known as “export-grade” 512-bit RSA keys.

Currently, the media have focused on tracking vulnerable websites and highlighting specific sites, such as the White House, FBI, and NSA that suffered from the vulnerability.  As of Wednesday at 12PM PST, 36.7% of browser-trusted sites, 26.3% of Full IPv4, and 9.7% of Alexa’s top 1M domains were vulnerable (Note – this website is not vulnerable).  For the latest website vulnerability metrics, check https://freakattack.com/

Naturally, here at Skyhigh we’re most concerned with identifying and tracking vulnerable cloud services and helping enterprises manage their IT Security response and protect their users and data. Below we’ll share the latest data on cloud service vulnerabilities and share the security steps organizations must take to protect themselves. You can read our detailed advice on how to protect corporate cloud data from FREAK here.

First, a little background (why is there “export grade” security anyway?)
In the 1990’s Netscape developed an SSL technology that was widely used to protect credit card transactions using public key cryptography. However, US policy required the creation of an intentionally weakened version of the technology and dictated that a maximum key length of 512 bits would be permitted for “export-grade” encryption.

The idea was that, with 512-bit encryption, the NSA would have the ability to access communications, while theoretically providing crypto that was still good enough for commercial use.  And now, despite the fact that these export restrictions have been modified or lifted, “export-grade” cryptography support was never removed, so many devices can be tricked into accepting the lowest “export-grade” encryption, opening them up to man-in-the-middle attacks.

How does the man-in-the-middle attack work?
Matthew Green, a research professor at the Johns Hopkins Information Security Institute, has a simply stated (and widely cited) description of how the FREAK-enabled man-in-the-middle attack works:

  • In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
  • The MITM attacker changes this message to ask for ‘export RSA’.
  • The server responds with a 512-bit export RSA key, signed with its long-term key.
  • The client accepts this weak key due to the OpenSSL/Secure Transport bug.
  • The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
  • When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
  • From here on out, the attacker sees plain text and can inject anything it wants.
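
As an added example (not from the post or Skyhigh), the detection side of the exchange above: a minimal parser for TLS ClientHello and ServerHello records that flags a ServerHello selecting an export suite the client never offered, which is what the downgrade looks like on the wire at the client end. The record builders produce constructed samples, not captures; the suite ids are the export-grade values from RFC 2246/4346.

```python
import struct

# IANA ids of the export-grade suites defined in RFC 2246 / RFC 4346.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header, checking both types."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake message type %#x" % hs[0])
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hs_len]


def client_hello_suites(record):
    """Return the cipher suite ids a ClientHello offers, in the client's preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def server_hello_suite(record):
    """Return the single cipher suite id a ServerHello selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                                  # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def classify_handshake(client_record, server_record):
    """Classify a ClientHello/ServerHello pair as observed on the client side.

    'ok'          : no export suite negotiated
    'client-weak' : the client offered an export suite and the server picked it (fix the client)
    'downgrade'   : the server picked an export suite the client never offered, which is the
                    on-the-wire signature of the man-in-the-middle described above
    """
    offered = client_hello_suites(client_record)
    chosen = server_hello_suite(server_record)
    if chosen not in EXPORT_SUITES:
        return "ok"
    return "client-weak" if chosen in offered else "downgrade"


# --- constructed sample records (not real captures) ---------------------------------

def build_client_hello(suites):
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"   # TLS 1.0, fixed random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # A modern client offering only strong suites (ECDHE-RSA-AES128-GCM, AES128-SHA, AES256-SHA) ...
    strong = build_client_hello([0xC02F, 0x002F, 0x0035])
    # ... answered by a ServerHello selecting RSA_EXPORT DES40 (0x0008): the FREAK signature.
    print(classify_handshake(strong, build_server_hello(0x0008)))   # downgrade
    print(classify_handshake(strong, build_server_hello(0x002F)))   # ok
    weak = build_client_hello([0x0008, 0x002F])
    print(classify_handshake(weak, build_server_hello(0x0008)))     # client-weak
```

A client that accepts the 'downgrade' case and carries on is exhibiting the OpenSSL/Secure Transport bug; a patched client aborts the handshake instead.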

How many cloud services are vulnerable?
Skyhigh’s Service Intelligence Team tracks vulnerabilities and security breaches across thousands of cloud providers, including the FREAK vulnerability. Almost 24 hours after the vulnerability was widely publicized, 766 cloud providers are still not patched, making them vulnerable to attack. These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services.

The average company uses 897 cloud services, making the likelihood they use at least one affected service extremely high. Across over 350 companies using Skyhigh, 99% are using at least one cloud provider that is still not patched and the average company uses 122 vulnerable services. We’ll continue tracking these services, working with customers to diagnose and remediate vulnerabilities and provide updates as cloud services are patched.

Here’s how to eliminate the FREAK vulnerability from your cloud service
To close the vulnerability, cloud providers should disable support for export cipher suites. Rather than excluding only the RSA export cipher suites, administrators should disable support for all known insecure ciphers and enable forward secrecy. Mozilla has published a guide here, and an SSL Configuration Generator, which provides good configurations for common servers.

Here’s how to protect your company from FREAK
Enterprises need to determine and contain both their service-side and client-side exposure. Skyhigh has contacted each of the cloud providers affected and is working with them to ensure they are aware of their vulnerability and perform remediation. We’ve also alerted our customers who use affected services.

There are 4 steps that every company needs to take in response to FREAK:

  1. Determine your service-side exposure: Skyhigh automatically alerted customers to services they use that are affected by FREAK. If you’d like to identify all the affected services in use at your company for free, email [email protected]. If you’d like to look up an individual service to see if it’s vulnerable, visit: https://tools.keycdn.com/freak
  2. Contain your client-side exposure: Ensure that only browser versions that are not susceptible are used (Chrome, or later versions of IE and Firefox, for example). If employees use unmanaged BYOD devices, educate them on the current safe browser list at http://www.computerworld.com/article/2892926/time-to-freak-out-how-to-tell-if-youre-vulnerable.html
  3. Validate proxy configurations: If you manage your enterprise network and it uses a MITM proxy (such as a web proxy), ensure that the proxy’s configuration is properly set so that it does not itself degrade the connection’s security.
  4. Ensure any OpenSSL use within enterprise is updated: If not careful, external facing sites may be fixed first and internal sites/development environments never. Ensure that you don’t take your eye off internal deployments, as well.

What Does Customer Managed Encryption Keys Really Mean for Cloud Service Providers?

March 6, 2015

By Todd Partridge, Director of Strategy, Intralinks

This is the first in a 3-part series examining information security in the cloud.


Have you ever leased a safety deposit box from your bank? For years the security and privacy of a safe deposit box has been the standard in the physical world. People have put their most important and their most valued information in bank vaults around the world with the confidence that it would remain secure and kept away from unsolicited parties. Safe deposit boxes provided the extremely high security measures and processes needed to protect these assets at scale.

In essence, the hundreds of customers a bank may have shared the cost of providing that ongoing security and privacy. Today’s SaaS industry is predicated on the same principles: that it is far more cost effective for customers to share the cost of computer power, infrastructure, and application maintenance. The question that often remains is whether or not SaaS providers are capable of providing the same level of confidence that banks have provided for safe deposit boxes.

On the consumer side of the SaaS market, users hear the stories of large enterprises losing priceless intellectual property and they listen to ‘experts’ saying that cryptography could have protected them. To the average user of a cloud service the question becomes, “why not just encrypt the data and be done with it?” Reality becomes even murkier when it is mixed with strong PR campaigns of companies looking to make a name for themselves as they capitalize on the misfortune of these companies that may not have taken the appropriate measures to protect their data in the cloud. In the cloud, customer data faces different threats when at rest, in transit, or in use.

There are important differences to each of these threats and their associated responses that bear further discussion. Here we’ll take on data at rest, but as a backdrop we must not forget that it is the intricate weave of all three that is important.

Data at Rest
Any service hosting customer data must provide assurances that it is protected while in their custody from external hackers, malicious insiders, and as we learned recently, governments. So, data must be encrypted at rest, which is relatively easy to implement. Many players, big and small, may declare that they give their customers full control of the encryption keys, also known as Customer Managed Keys (CMK). As companies begin to realize the importance of owning and managing the encryption keys used to protect their data in the cloud, the important question is – how is that control implemented?

There are several questions that today’s enterprises should consider when evaluating a cloud service provider’s claims of customer managed encryption keys:

  1. Can the customer log in directly to the appliance that houses the keys and suspend the key without the provider’s help or knowledge, if needed?
  2. Is there any provider software in the middle that can be compromised and leak the key?
  3. Keys need to be rotated. What happens to data at the time of key rotation?
  4. Does the customer need to wait for re-encryption of terabytes of data with the new key?
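
As an added example (not from this post or Intralinks), the design that answers questions 3 and 4 above in practice: envelope encryption, where each object is encrypted under its own data key and only the small wrapped keys are re-wrapped on rotation, so terabytes of ciphertext stay untouched. The stream cipher is an illustration-only stand-in for an AEAD such as AES-GCM, built from hashlib so the example runs on the standard library alone; all keys and data are constructed.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Illustration-only stream cipher (SHA-256 in counter mode, XORed over the data).
    Stands in for a real AEAD so this runs on the standard library; do not reuse it."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """nonce || ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return keystream_xor(key, nonce, ct)


class EnvelopeStore:
    """Each object gets its own data-encryption key (DEK). The DEK is stored wrapped under the
    customer-held key-encrypting key (KEK); the provider holds only ciphertext and wrapped DEKs."""

    def __init__(self, kek):
        self.kek_version = 1
        self.keks = {1: kek}      # customer side: the only place KEKs live
        self.objects = {}         # provider side: name -> (kek_version, wrapped_dek, ciphertext)

    def put(self, name, plaintext):
        dek = os.urandom(32)
        kek = self.keks[self.kek_version]
        self.objects[name] = (self.kek_version, seal(kek, dek), seal(dek, plaintext))

    def get(self, name):
        version, wrapped_dek, ciphertext = self.objects[name]
        dek = open_sealed(self.keks[version], wrapped_dek)
        return open_sealed(dek, ciphertext)

    def rotate_kek(self, new_kek):
        """Re-wrap every DEK under the new KEK and retire the old one. The bulk ciphertext is
        never touched: rotation costs one small unwrap/wrap per object, not a re-encryption."""
        old_version, self.kek_version = self.kek_version, self.kek_version + 1
        self.keks[self.kek_version] = new_kek
        for name, (version, wrapped_dek, ciphertext) in list(self.objects.items()):
            dek = open_sealed(self.keks[version], wrapped_dek)
            self.objects[name] = (self.kek_version, seal(new_kek, dek), ciphertext)
        del self.keks[old_version]
        return len(self.objects)

    def suspend(self):
        """The customer-side 'suspend' from question 1: withdraw the KEKs. Stored objects stay
        ciphertext that neither the provider nor anyone holding its copy can open."""
        self.keks.clear()


if __name__ == "__main__":
    store = EnvelopeStore(os.urandom(32))
    store.put("records.db", b"customer records")
    before = store.objects["records.db"][2]
    store.rotate_kek(os.urandom(32))
    print(store.objects["records.db"][2] == before, store.get("records.db"))   # True b'customer records'
```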

Arguably, if the chosen managed keys solution cannot provide these capabilities, it may fall short of many enterprise requirements for secure storage of that company’s most valuable information assets. Businesses need to pay attention to the details of the proposed solution just as you would pay attention to whether or not your bank has the right measures in place to protect those items you place in their safe deposit boxes.

Keeping Data Protected
It is obvious that data protection, especially in a SaaS model, is a complex task in which science, engineering, and operations must be aligned perfectly to protect information assets from any number of threats. Just as banks provide a multi-layered security model to protect their customers’ valued assets, cloud service providers need to give their customers analogous capabilities, such as:

  1. A container suitable for the storage of a company’s most valuable information
  2. Customers’ ability to choose the geographic location of said container
  3. Secured channels of access to the data
  4. The ability to provide controls that allow no single entity to own or control access to the encryption keys
  5. The solution should be able to account for all copies of the data
  6. The solution should provide compliance reports and audit trails that document which users access, or attempt to access, the protected data, as well as when the action took place

In our next two articles in this series on information security in the cloud, we’ll explore the threats and security considerations of protecting data in transit and while in use.

Todd Partridge is the Director of Strategy at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management and enterprise records management practices.

Why Companies Must Adopt the ‘Assume Mentality’ When It Comes to Breaches

February 27, 2015

By Christopher Hines, Product Marketing Manager, Bitglass

Recently Target announced that the credit card data breach that they suffered back in 2013 ended up costing them $162M. Now, I know some may argue that to a company like Target, that number is a drop in the bucket, and you’re right. But there is a lesson to be learned from this. Companies must realize that no security infrastructure is 100% foolproof, not the multi-billion dollar corporations, not the mom and pop shops in your local neighborhood, not the start-ups in Silicon Valley. But why?

This is the question that millions of people (maybe even yourself) are trying to wrap their heads around. Yes, your company has a dedicated security team, and has invested in security infrastructure, using technologies like SIEM solutions and products that provide “visibility.” Yet your SSN and employee information still ends up in the hands of cyber criminals!

If there is only one thing that you take away from this blog, understand this. Having security in place doesn’t mean you are somehow bulletproof and exempt from breaches. There’s no hacker guide that says “Leave X company alone. They’ve got cool security.” The increased number of cloud applications like Box, Office 365 and Salesforce, coupled with the rise in BYOD at work has allowed more data to flow outside the corporate firewall. Data is now EVERYWHERE, not just your company’s corporate network. Your IT security team must first realize this, accept it and then solve for it. Not the easiest thing to do.

Hackers Use The Goat Paths
When King Leonidas and the 300 Spartans took on the Persian army at the Hot Gates, they believed that they could hold their ground due to the mountain’s impenetrable walls. What they failed to consider was that an old goat path that Greek shepherds often used to cut through the mountains could also be found and used by the Persian army. The Persians found the goat path and were able to surround the 300 Spartans, and defeat them. Why the random story?

Since companies want to benefit from the cloud’s flexibility and the productivity of BYOD, they also have to build ways of allowing their employees to reach their corporate data (goat paths). This simultaneously gives hackers a bigger attack surface to work with. In the past they relied mostly on malware, since data was kept inside corporate networks. Now, since data has moved outside, they can also use techniques like phishing attacks to steal employee credentials, and then use them to access company data. Since employees often have more access to sensitive data than they actually need, companies end up placing their data at risk.

This means that the same goat paths that company employees use to access sensitive company data can now also be used by hackers.  All they need is employee credentials.

Security teams must keep these goat paths in mind.

Adopt the “Assume Mentality”
Companies must now assume that a breach is on its way and that it’s only a matter of time until they experience one. Instead of denying its possibility, make sure you prepare your IT security teammates, as well as your employees, for the inevitable.

Start building a security infrastructure designed with the goal of limiting the damage of a breach once it occurs instead of getting your hopes up on preventing them altogether.

Breaches are not preventable. But they are discoverable. Learn about Breach Discovery, a new solution that will help you limit the damage of breaches.

The Dark Side of the Web: 14 Essential Cloud Usage Facts Every CISO Should Know

February 12, 2015

By Kamal Shah, Vice President, Products and Marketing, Skyhigh Networks

Between frequent headlines on data breaches and the growth of Shadow IT, it is easy to be captivated with what people are saying, blogging, and tweeting about the state of cloud adoption and security. But the fact is – it’s hard to separate the hype from the truth, and stories about security are often rich in speculation or exaggeration.

The sixth installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a hard data-based analysis of enterprise cloud usage. With cloud usage data from over 15 million enterprise employees and 350 enterprises spanning all major verticals, this report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services.  And, with a full year of usage statistics, this latest edition of the report is the industry’s most comprehensive to date.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several eye-opening findings. View the slideshow below for more highlights from the report.

[Slideshow: The Dark Side of the Web, Skyhigh Networks]


The Average Number of Cloud Services in Use Increased 43%

The average company had 897 cloud services in use in Q4, up from 626 in Q4 last year. This growth was lopsided across categories. Development services (e.g. GitHub, SourceForge, etc.) experienced the largest rate of growth at 97%. The second fastest-growing category is collaboration (e.g. Microsoft Office 365, Gmail, etc.), which grew 53% despite already having a high number of services in use.

The Number of CSPs with Enterprise Security Capabilities Doubled

The number of cloud service providers investing in key security capabilities more than doubled in 2014. Specifically, 1,082 (11% of all services) now encrypt data at rest versus 470 in Q4 2013, 1,459 (17%) offer multi-factor authentication versus 705 in Q4 2013, and 533 (5%) hold ISO 27001 certification versus 188 in Q4 2013. At the same time, over 89% of the cloud services lack basic security capabilities required by enterprises.

Over One Third of Employees Upload Sensitive Data to File Sharing Services

37% of employees upload sensitive data to file sharing services, and 22% of all files uploaded to file sharing services contained sensitive data. Beyond file sharing, 4% of fields in other critical business applications such as CRM contain sensitive personally identifiable information (PII) or personal health information (PHI) data subject to regulatory compliance.

One Tenth of Corporate File Sharing Is External

Analyzing the use of file sharing and collaboration services revealed that 11% of documents were shared with business partners outside the company. Of externally shared documents, 9% contained sensitive data. Even more concerning was the fact that 18% of external collaboration requests went to third party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail).

92% of Companies Have Compromised Credentials

The vast majority of companies have users with at least one stolen credential, and the average company had 12% of users affected. The most exposed industries are Real Estate, High Tech, and Utilities, while the least exposed are Government and Healthcare. With 31% of passwords reused across websites and applications, stolen login credentials pose significant risk to corporate data.

Anthem’s Breach and the Ubiquity of Compromised Credentials

February 9, 2015

By Sekhar Sarukkai, Co-Founder and VP of Engineering, Skyhigh Networks

The year is still young, and we’ve already witnessed a breach of potentially historic proportions. Anthem Inc., the nation’s second-largest health insurer, released a statement last week announcing the breach of a database with 80 million customer records. Anthem estimated the number of stolen accounts at “tens of millions,” which would be the largest healthcare breach to date. For comparison, hacks at Target and Home Depot exposed 70 million and 56 million records, respectively. In this case, the records contain sensitive customer data including names, birthdays, addresses, and social security numbers. Fortunately the company reported no medical or financial information was stolen.

Let’s run through the mechanics of the attack based on available information. The source of the breach was a compromised login credential. The attackers initially ran a database query using a system administrator’s credentials. They then uploaded the hacked data to a cloud storage service. Anthem declined to name the service but did mention it is commonly used in US companies. This last fact may have made the exfiltration more difficult to detect. The average company uses 37 different file sharing services, which include a mix of enterprise ready services such as Box and high-risk services such as 4shared.

Anthem Only the Tip of the Iceberg

The circumstance through which hackers gained entrance into Anthem’s system is not rare; in fact it is the norm. User login credentials are sold on the Darknet by professional cybercriminals. Skyhigh’s analysis of cloud usage data of over 15 million enterprise employees across 350 enterprises indicates that 92% of companies have users with compromised credentials. On average, 12% of users are affected. In other words, over one in ten enterprise users have their credentials for sale on the Darknet. With 31% of passwords reused according to a study by Joseph Bonneau, stolen login credentials pose a huge liability for enterprise security.

Avoiding “The Big One”

To start, companies should enforce two-factor authentication to reduce the likelihood that a stolen credential alone is sufficient to gain access to a mission-critical system. Security should also put in place role-based access control for corporate systems so that no single credential has unfettered access to all data. With the prevalence of stolen credentials available to attackers, these are critical steps in preventing a breach of this scale.

There are two parts to this story, however. Security teams would be wise to guard the way out as well as the way in. In this case, and in an increasingly high number of instances, attackers used a cloud service to exfiltrate data. The cloud is an easy path for removing data from the corporate environment because many organizations lack visibility into the flow of traffic to cloud services. This points to the need for security intelligence systems that provide visibility into cloud usage and identify anomalous behavior. With this technology in place, alerts for anomalous behavior can not only identify external threats, but they can also protect against insider threats.
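
As an added example (not from the post or Skyhigh), the kind of anomaly check described above run over constructed proxy log lines: each user’s daily upload volume to file-sharing hosts is compared against that user’s own baseline on other days, and off-hours uploads are flagged as well. The host names, users, volumes and thresholds are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real data): timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2015-02-01T09:12:44Z jsmith app.box.example 512000
2015-02-01T10:03:10Z jsmith app.box.example 420000
2015-02-02T09:30:02Z jsmith app.box.example 600000
2015-02-02T14:11:51Z jsmith crm.example 88000
2015-02-03T09:05:19Z jsmith app.box.example 550000
2015-02-01T11:00:00Z dbadmin app.box.example 120000
2015-02-02T11:20:00Z dbadmin app.box.example 150000
2015-02-03T02:41:07Z dbadmin files.4shared.example 4300000000
2015-02-03T02:58:33Z dbadmin files.4shared.example 3900000000
"""

# Destinations that count as file-sharing services (in practice, a service registry/category feed).
FILE_SHARING_HOSTS = {"app.box.example", "files.4shared.example"}


def parse_log(text):
    """Parse the four-field log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        events.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "host": host,
            "bytes": int(nbytes),
        })
    return events


def flag_exfil(events, ratio=10.0, floor_bytes=1_000_000_000, off_hours=range(0, 6)):
    """Return alerts for (user, day) pairs whose file-sharing uploads look anomalous.

    'volume-spike': the day's total exceeds `floor_bytes` and `ratio` times the median of that
                    user's other days (the floor keeps tiny baselines from tripping the ratio).
    'off-hours'   : any file-sharing upload whose hour falls inside `off_hours`.
    """
    totals = defaultdict(int)          # (user, day) -> bytes sent to file-sharing hosts
    off_hours_hits = set()
    for e in events:
        if e["host"] not in FILE_SHARING_HOSTS:
            continue
        key = (e["user"], e["when"].date().isoformat())
        totals[key] += e["bytes"]
        if e["when"].hour in off_hours:
            off_hours_hits.add(key)

    alerts = []
    for (user, day), total in sorted(totals.items()):
        others = [t for (u, d), t in totals.items() if u == user and d != day]
        baseline = statistics.median(others) if others else 0
        reasons = []
        if total > floor_bytes and total > ratio * baseline:
            reasons.append("volume-spike")
        if (user, day) in off_hours_hits:
            reasons.append("off-hours")
        if reasons:
            alerts.append({"user": user, "day": day, "bytes": total,
                           "baseline": baseline, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil(parse_log(SAMPLE_LOG)):
        print(alert)   # dbadmin on 2015-02-03: 8.2 GB vs a 135 KB baseline, uploaded at 02:xx
```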

As in the vast majority of cases, no single misstep or shortcoming led to this breach. There are clear steps companies can take to lower the likelihood of suffering from a similar attack and to minimize the damage in the event hackers do gain access to corporate systems. Anthem’s breach should serve as a wakeup call to all enterprises.

What The Anthem Breach Means For Healthcare Security

February 6, 2015

By Christopher Hines, Product Marketing Manager, Bitglass

“Healthcare orgs oh how we love you so, with your data so unsecured no wonder we give it a go. SSNs, birthdays and addresses information galore, we can’t wait until next year when we steal some more.”

This is the song that healthcare data thieves must be singing every time they gain entry into the database of healthcare organizations across the globe. This week we learned of the giant Anthem breach that may have affected over 80 million customers and what may be the largest healthcare breach in history. For those of you who aren’t familiar with Anthem, they are the second largest insurance provider in the USA. Ironic how an insurer tasked with protecting their customer’s health and wellness couldn’t secure their data. The information stolen? SSNs, employee names, birthdays, addresses, email addresses and employment information.

The breach was discovered on Jan 27th and began on Dec 10th. The breach was the result of cyber criminals gaining access (no one is sure as to how exactly, but the guesses are lost mobile devices or a phishing attack) to an unencrypted database that allowed them to then exfiltrate data. Now, to give Anthem some credit, 6 weeks actually isn’t too terrible given the fact that the average breach today lasts for about 229 days! But the failure to encrypt sensitive data stored at rest in their database is certainly an epic fail. By now, encryption, or at least solid plans to begin encrypting, should be a best practice for any company holding sensitive data.

“You essentially have the keys to the kingdom to commit any type of identity theft.” 
– Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, San Diego, CA

Although no medical information or credit card data was stolen, the information obtained is still more than enough for cyber criminals to cash in on (think about all of the use cases for SSNs alone). Employer information was also stolen, so who knows what the residual effects will be for the employers as well. They may find themselves at risk of hackers using employee credentials to gain access to protected databases. And just so you know, this wasn’t the first time that Anthem has caught some heat. Back in 2013 they were asked to pay a fine of $1.7 million to resolve the exposure of PHI data from over 614,000 people online due to weak security.

5 Tips for Improving Healthcare Security From Bitglass

It’s quite simple actually. Healthcare organizations must first see security as an urgent matter and realize that customer trust is not a given, but is a privilege. Unfortunately breaches like Anthem serve as a reminder of the lack of data security in healthcare organizations. In addition to database encryption, here are 5 tips we have devised for securing data within healthcare institutions:

  1. Establish comprehensive IT visibility and control over all data transactions
  2. Control the flow of all information
  3. Track and protect sensitive data anywhere it travels to
  4. Deploy a Single Sign-On solution for increased password security
  5. Make sure the security solution is easy to deploy and easy to use

We hope the victims of the Anthem breach are unaffected and hope that healthcare organizations take action before it’s too late for them.

To learn more about securing healthcare data, visit our healthcare security page.

Cutting Out The Security Blind Spots

January 30, 2015

By Chris Hines, Product Marketing Manager, Bitglass

When Henry Ford’s Model T was introduced to the world in 1908, with a list price of $850, it revolutionized transportation for the masses at the time. What many folks don’t know is that it had absolutely no mirrors attached to it. Early drivers had no visibility into who or what was behind or beside them. In fact, the only way for drivers to see what was around them was to completely turn their head. It wasn’t until 1920 that mirrors became available, for an extra charge. I’m sure some of you are thinking “I still turn and look over my shoulder.”

Today, the newest generation of cars has an indicator (a red dot or car symbol) on the side mirrors that blinks when someone is in your blind spot. We have all seen the TV ads showcasing this. This blind spot awareness is crucial because changing lanes without any visibility into who is already in that lane places you and your passengers at risk of an accident.

The same concept applies to data security. Companies are changing lanes, moving to cloud applications and BYOD infrastructures. Because of this, there are blind spots in security infrastructures that need to be closed. Some of these blind spots include: what sensitive data is travelling outside of the firewall, where that data is travelling to, and who is accessing it. Without this visibility, companies are blind to potentially risky applications and sources.

Historically, traditional security vendors and IT teams have focused the majority of their energy on the prevention of breaches, and because of this were not innovating in post-breach security. This is why many existing security solutions are no longer viable: what happens when a breach does occur? If you really think about it, products like SIEM and MDM solutions are deployed today because they were the best technologies around when they were first created. They worked well for some time and, like all things, have become outdated.

Companies must adapt to a very new cloud and mobile world, which is by no means an easy feat. Instead of the traditional 80% of energy spent on the prevention of breaches, security teams must become more well-rounded. Prevention, dwell time reduction and advanced security are equally important today, as breaches are now a fact of life. Visibility plays a massive role in achieving all three.

Since data security is everyone’s job, it’s up to you, the employee, to empower your company’s data security with visibility, so your company doesn’t have to be worried and unsure when changing lanes into cloud and BYOD.

To learn how to gain true visibility be sure to save your seat for our webinar on February 11th. We’ll discuss how to limit the damage of data breaches with our new product Breach Discovery.


Limit The Damage

January 23, 2015

By Chris Hines, Product Marketing Manager, Bitglass

Despite investments in security, breaches are still occurring at an alarming rate, whether the result of the world’s nefarious cyber criminals sending phishing or malware attacks through company emails, or of insiders simply misusing sensitive data. Given the speed at which cyber criminals are able to pivot and create new security threats, companies must change their approach to security. We now live in a world where the prevention of breaches has become too difficult. The proliferation of data outside the firewall via mobile devices (company laptops, personal smartphones) has created an attack surface too large for company IT security teams to guard.

Criminals are no longer going for the quick win; they’re stealthily slipping through firewalls, nestling deep within your infrastructure, and slowly exfiltrating data through company firewalls to remote servers they control. This often goes on for months, until the criminals are finally ousted or have gathered enough data to sell on the black market or ransom back to the victim.

Visibility into what data is being exfiltrated is crucial in limiting damage from breaches. Now, before you start thinking about your SIEM solution that sends you 17,000 alerts a week, or the “visibility” company that only tells you what apps are currently running on your network (there are so many “Shadow IT” visibility companies out there, but Shadow IT only represents 4% of breaches), I want to explain what I mean by visibility. Visibility is awareness of what data is leaving your network; it tells you what the riskiest sources are, in a way that prioritizes alerts for you. It provides actionable intelligence so that you can quickly identify areas of risk and, at the end of it, whether or not you are experiencing a breach.

Lessons from “The Boy Who Cried Wolf”

We all know the story of the boy who cried wolf. A small boy, tasked with protecting his family’s sheep, jokingly yells “wolf, wolf!” multiple times, causing the townspeople to come running with their pitchforks and torches to help him fight off the wolf. When the wolf actually comes and the boy yells “wolf, wolf!” again, no one comes. The boy is then eaten.

This is the problem today. Companies are relying too much on their SIEM solutions. These solutions create WAY too many meaningless alerts per day. No IT team can manage 17,000 alerts per week, and definitely doesn’t want to. SIEM solutions cry “wolf, wolf!” so often that IT teams no longer treat their alerts as real threats. This is actually what happened in the Target breach: alerts were received, but were not treated as true breach threats.

IT security must be able to limit the damage caused by breaches. In order to do so, they need a solution that provides actionable intelligence. They need to be able to identify the risky sources within their infrastructure so they can protect their data from the wolves trying to gobble it up.

To gain true visibility and shorten breach dwell time learn about a new service called Breach Discovery. Here’s a data sheet for you.

The Truth About Encryption

January 20, 2015

By Christopher Hines, Product Marketing Manager, Bitglass

“Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.” – TechTarget

Encryption has gotten some much-needed attention over the past few weeks. With the release of a secret US security report underlining the importance of encryption and how, in 2009, private computers were vulnerable to attacks from cyber criminal gangs operating in Russia and China, plus David Cameron’s anti-encryption angle that he hopes to use to influence Obama, the topic is certainly worthy of discussion.

I know some of you may be looking at “2009” and thinking “Chris, it’s 2015, get with it,” but the fact is, encryption is more valuable and necessary than ever. Since 2009, cloud app usage (think Salesforce) and BYOD have expanded significantly; 60% of organizations now utilize cloud apps. Since data now resides outside of corporate firewalls, companies need ways of encrypting their data to make sure that the growing number of cyber-criminal gangs in Russia and China don’t get their hands on it. But what’s the truth about encryption? And how do you know if it truly is as strong as you might think?

The Truth

Encryption has two main components. The first part is the cipher. This is the piece that transforms human-readable text into something unreadable (ciphertext). It’s the piece you probably think of the most, e.g. turning “Chris” into “WxoPNHz.” The second piece (the piece often overlooked) is called the Initialization Vector. This is an unpredictable random number that ensures that encrypting the same message repeatedly will yield a different ciphertext each time. To ensure sufficient randomness, the length of the Initialization Vector should be the same number of bits as the cipher.

To clarify: a lot of vendors promote AES-256 bit encryption, and I am sure a lot of you are reading this now and saying “yes, this is exactly what my vendor says they provide” (think of the biggest vendors in the encryption space; I promise that by the end of this blog you’ll have some questions for them). For the less encryption-inclined, AES-256 bit encryption is the de facto standard for strong encryption in the enterprise. It implies that there are billions of combinations that can be made for each piece of plain text (a name, credit card number, SSN etc.) and that the chance of cyber criminals breaking the encryption is close to zero. Which would be true, if it were actually what some of the world’s biggest encryption vendors provided. But, unfortunately, there’s a good chance that your cloud encryption vendor has you duped.

Remember how I mentioned before that the initialization vectors were crucial? In order to make data searchable once encrypted and placed in the cloud (think Salesforce encryption), vendors have actually begun cutting down on the number of initialization vectors used in their products. This means that instead of the billions of combinations companies think they are purchasing, they are in some cases actually only getting 1 million. This is a HUGE difference! 1 million combinations is insanely less secure than multiple billions of combinations. Put differently, that 256 bit encryption turns into 20 bits. And at 20 bits, you might as well keep your money in your pocket, because it’s about as useful as having no encryption at all.
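To make the two points above concrete (the IV is what makes repeated encryptions of the same value differ, and a pool of only 1 million IVs is 20 bits of variation), here is an added Go example; it is not Bitglass’s code and does not model any particular vendor’s product. It assumes AES in CTR mode with a 16-byte IV, a constructed demo key, and models the “limited IV pool” as an IV in which only k of the 128 bits vary. Encrypting the same plaintext 200 times with a full-width random IV yields 200 distinct ciphertexts; with an IV drawn from a 16-value pool it can yield at most 16, which is exactly what makes such ciphertexts searchable, and exactly why a small pool leaks which records hold the same value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// demoKey is a constructed 256-bit key used only for this demonstration.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// encryptCTR encrypts plaintext with AES-CTR under key using the supplied
// 16-byte IV. The IV is prepended, as a stored ciphertext would carry it.
func encryptCTR(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// randomIV draws a full 128-bit IV from the OS CSPRNG.
func randomIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// restrictedIV models the scheme the post describes (a hypothetical pool, not
// any real product): the IV is still 16 bytes, but only ivBits of it vary,
// so it is drawn from a pool of 2^ivBits values.
func restrictedIV(ivBits uint) ([]byte, error) {
	if ivBits == 0 || ivBits > 32 {
		return nil, fmt.Errorf("ivBits must be in 1..32, got %d", ivBits)
	}
	buf := make([]byte, 4)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	mask := uint32(1)<<ivBits - 1
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[12:], binary.BigEndian.Uint32(buf)&mask)
	return iv, nil
}

// distinctCiphertexts encrypts the same plaintext `trials` times, each with a
// fresh IV from ivSource, and returns how many distinct ciphertexts resulted.
// With a pool of 2^k IVs the count can never exceed 2^k.
func distinctCiphertexts(plaintext []byte, trials int, ivSource func() ([]byte, error)) (int, error) {
	seen := make(map[string]struct{}, trials)
	for i := 0; i < trials; i++ {
		iv, err := ivSource()
		if err != nil {
			return 0, err
		}
		ct, err := encryptCTR(demoKey, iv, plaintext)
		if err != nil {
			return 0, err
		}
		seen[hex.EncodeToString(ct)] = struct{}{}
	}
	return len(seen), nil
}

// effectiveIVBits converts the number of IVs a scheme can use into the "bits"
// figure the post uses: 1,048,576 (2^20) IVs is 20 bits of variation.
func effectiveIVBits(poolSize uint64) float64 {
	return math.Log2(float64(poolSize))
}

func main() {
	pt := []byte("Chris") // constructed sample plaintext
	full, _ := distinctCiphertexts(pt, 200, randomIV)
	small, _ := distinctCiphertexts(pt, 200, func() ([]byte, error) { return restrictedIV(4) })
	fmt.Printf("random 128-bit IV: %d distinct ciphertexts from 200 encryptions\n", full)
	fmt.Printf("16-value IV pool:  %d distinct ciphertexts from 200 encryptions\n", small)
	fmt.Printf("a pool of 1,048,576 IVs is %.0f bits of IV variation\n", effectiveIVBits(1<<20))
}
```

The question to put to a vendor follows directly from `distinctCiphertexts`: if encrypting the same field value many times produces a bounded set of ciphertexts, the IV space is small, whatever the key length. Note also that in CTR mode a repeated IV under the same key repeats the keystream, so a small IV pool is a confidentiality problem on its own, independent of the searchability trade-off the post discusses.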

So that’s the truth. Don’t be fooled by vendors claiming to have true AES-256 bit encryption. Yes, their cipher will be on point, but the initialization vectors are just as crucial. Limiting the number of these vectors to preserve cloud app operations like search changes your 256 bit super encryption into puny 20 bit encryption. Reach out to your encryption vendor now and ask them about their vectors, and don’t be surprised if you hear something you don’t like.

For more information on Salesforce encryption, view this presentation on SlideShare.
