Don’t Let Your Cloud Security Strategy Get Railroaded by Old Thinking

April 4, 2016 | Leave a Comment

By Player Pate, Senior Manager/Product Marketing, Cisco Security Business Group

AM37473-432x230The standard gauge used for railroads (that is the distance between the rails) in the U.S. is four feet, eight and a half inches, which is an odd number however you look at it. The history behind it is even stranger and is a cautionary tale of assumptions and the consequences of basing decisions on old thinking.

That oddly sized gauge was borrowed from the English standard of railroad width, where they built railroads with the same tools they used to build wagons, which used that wheel spacing. And the wheel spacing had to be that width because that was the spacing of the wheel ruts that existed at the time in the roads throughout England.

So who created those?

Roman chariots created the wheel ruts in the roads when they occupied England some two thousand years ago. These Roman war chariots were built just wide enough to accommodate the rear-ends of two horses, which just happened to be…you guessed it: four feet, eight and a half inches wide. This created the standard gauge that is still used today.

Ok, so where’s this heading?

The space shuttles used in modern day space exploration carried two large booster rockets on the sides of their main fuel tanks. These rockets, called solid rocket boosters or SRBs, which gave the spacecraft initial thrust upon launch, were built in a factory in Utah. The engineers of the SRBs would have preferred to make them larger, but the SRBs had to be transported by train from the factory to the launch site. That railroad line ran through a tunnel in the Rocky Mountains and the SRBs had to fit through that tunnel. The tunnel is only slightly wider than the railroad track, and the railroad track, as we now know, is only about as wide as the hindquarters of two equestrian.

Say that again?

A primary constraint in the design of one of the most advanced transportation systems ever developed was determined more than two thousand years ago by two horses’ asses.

Interesting, but what’s that have to do with cloud security?

That is the danger of getting caught in the rut of the same old thinking. There’s danger in thinking about security in the old way when it comes to securing cloud infrastructure. Cloud security can’t be solved with legacy security technologies or siloed approaches to security. Cloud security must be as dynamic as the nature of the cloud itself and should address the issues of:

  1. Keeping valuable data secure in the data center or wherever your cloud is hosted;
  2. Securing applications and data in the cloud;
  3. Enabling secure access anywhere, to anything for the mobile user or IoT;
  4. Consistently protecting against threats across the data center, cloud and wherever users roam before, during, and after attacks; while
  5. Providing visibility across the entire spectrum to enforce governance and compliance.

Cloud security doesn’t require simply the deployment of a separate application or new technology. Nor does it require you to completely scrap your existing infrastructure. It is an extension of your entire security program where security is embedded into the intelligent network infrastructure, integrates with a rich ecosystem of applications and services, is pervasive across the extended network – not just networks themselves but all endpoints, mobile and virtual, that extend to wherever employees are and wherever data is…from the beating heart of the enterprise data center out to the mobile endpoint and even onto the factory floor.

Think of the journey to cloud security adoption as your chance to take off into space; when planning the size of your rockets, are you imagining all the new possibilities or limiting your opportunities by what we’ve always done. Hopefully the cautionary tale of the history of US railroads helps you expand your thinking.

Check out our Cisco Business Cloud Advisor adoption tool to evaluate the overall readiness of your organization’s cloud strategy, including from a security perspective. Also stay tuned to this blog as dig further into this topic.

Four Security Solutions Not Stopping Third-Party Data Breaches

March 31, 2016 | Leave a Comment

By Philip Marshall, Director of Product Marketing, Cryptzone

4-Common-Security-Solutions-that-dont-stop-third-party-data-breaches-250x167A new breed of cyberattack is on the rise. Although it was practically unheard of a few years ago, the third-party data breach is rapidly becoming one of the most infamous IT security trends of modern times: Target, Home Depot, Goodwill, Dairy Queen, Jimmy John’s and Lowes are just a few of the US companies to have lost massive amounts of customer records as a result of their contractors’ usernames and passwords falling into the wrong hands.

What went wrong? Hackers have started to see contractors as the easy way into their targets’ networks. Why? Because too many organizations are still using yesterday’s security solutions, which weren’t designed for today’s complex ecosystems and distributed (read cloud-based) applications and data.

Here are four examples of solutions that, in their traditional forms, simply aren’t capable of stopping third-party data breaches. Could your company be at risk?

1. Firewalls and Access Control Lists
Many organizations still control traffic flow between network segments in the same way they’ve done for decades: with firewalls and access control lists (ACLs). Unfortunately, security in the modern age isn’t as simple as just defining which IP addresses and ranges can access which resources.

Let’s say you have a single VPN for all of a department’s workers and contractors, with every authenticated user getting a DHCP-allocated IP address. Your firewall rules are going to have to be wide open to suit the access needs of each user on the IP range, and yet you’re not going to be able to trace suspicious activity back to a particular account and machine.

It’s also a lot of work for your IT department to set up and maintain complex firewall rules across the entire organization, so it’s not unlikely that they’ll make mistakes, respond slowly to employee departures, and leave access wider open than it should be.

2. Authentication and Authorization
Leading on from this, another problem with ACLs is that they generally rely on static rules, which in no way account for the security risks of today’s distributed workforces. A username and password pair will unlock the same resources whether used from a secure workstation at a contractor’s premises or from an unknown device on the other side of the world.

Authentication and authorization rules should be dynamic rather than static, and adjusted on the fly according to the risk profile of the connection. One of your contractors needs remote access to a management network segment? Fine – but only if they use a hardened machine during office hours. If the context of their connection is more suspicious, you might consider two-factor authentication and more limited access.

3. IPsec and SSL VPNs
More than nine in ten organizations (91 percent) still use VPNs – a 20-year-old technology – to provision remote access to their networks. It’s potentially their single greatest risk factor for third-party data breaches, because both IPsec and SSL VPNs are readily exploitable by hackers.

In an IPsec session, remote users are treated as full members of the network. Nothing is invisible – they have direct access to the underlying infrastructure. So, if they’re malicious, they can start digging around and looking for vulnerabilities in seconds.

SSL VPNs, meanwhile, deliver resources via the user’s browser. And what web application has ever been secure? Tricks like SQL injection and remote code execution attacks make it trivial for hackers to start widening their foothold on the network.

4. IDS, IPS and SIEM
Finally, a word on the technologies organizations use to detect data breaches. IDS, IPS and SIEM are generally mature and effective solutions that do the job they’re intended to do: identify suspicious activity on the network.

However, the combination of the antiquated technologies described above means that most networks are rife with false positives: legitimate users and harmless applications causing suspicious traffic in the network layer. Change this model, and IDS, IPS and SIEM systems might start to deliver more value. As it stands, though, they’re often resource-intensive and reactive rather than proactive, so they’re not really equipped to stop hackers in their tracks.

The Alternative to Prevent Third-Party Data Breaches
In the new world of pervasive internal and external threats, distributed organizations and global ecosystems, the perimeter is more porous and less relevant than ever. The old models simply aren’t working. We need to move from perimeter-centric, VLAN and IP-focused security to a model that focuses on securing the entire path from user to application, device to service – on a one-to-one basis.

That’s where solutions like AppGate that enables organizations to adopt a software-defined perimeter approach for granular security control become increasingly a must have security solution. AppGate makes the application/server infrastructure effectively “invisible.” It then delivers access to authorized resources only, creating a ‘segment of one’ and verifying a number of user variables and entitlements each session—including device posture and identity—before granting access to an application. Once the user logs out, the secure tunnel disappears.

Kicking Tires on World Backup Day: A Five-Point Inspection for Endpoint Backup

March 29, 2016 | Leave a Comment

By Rachel Holdgrafer, Business Content Strategist, Code42

032816_worldbackupday_blogLiving with the constant threat of data breach or loss, large organizations have comprehensive remediation plans designed to guarantee speedy data recovery and business continuity. March 31, 2016 is World Backup Day—the perfect time to evaluate your endpoint backup strategy to insure you’re ready if the worst happens.

A viable backup plan is a lot like having car insurance. While car insurance can’t prevent an accident, it willreplace the crumpled bumper and shattered headlamps after you’ve been rear ended, or the entire vehicle if you’ve been totaled. In the same way, endpoint backup allows you to recover several lost files, everything on the laptop, or the entire enterprise—to a point in time as recent as moments ago.

Here are five inspection points to consider as you evaluate your endpoint backup solution.

Point #1: Do you have continuous protection—everywhere? The modern workforce works when, where and how they choose; so they need endpoint backup that protects their files continuously, whether they are in the office or on the road. Choose centralized, cloud-based endpoint backup that works across geographies, platforms and devices. It should be simple to manage and scale, and offer powerful features to solve other data collection, migration and security problems.

Point #2: Does it work with Macs, Windows and Linux? The modern enterprise is no longer a PC-only environment. Employee preference for Apple devices has increased Mac’s market share in the enterprise—and there’s no going back. Choose an endpoint backup solution that protects a “hybrid workplace” that includes Windows, Linux and OS X laptops and desktops and offers a consistent user experience across all platforms. Make sure your backup solution restores files to any computer or mobile device—without requiring a VPN connection.

Point #3: Will it enable rapid response and remediation? When protected/classified data goes public, response time is critical. Choose an endpoint data backup solution that provides 100-percent visibility and attribution of file content on any device. This enables IT (and InfoSec) to quickly identify a threat, mitigate the impact and determine whether data on compromised devices—including those that are lost or stolen—requires the organization to notify agencies or individuals of breach. If there is a reportable breach, 100 percent data attribution prevents over reporting of affected records.

Point #4: Will it support fast data recovery in a dangerous world? Endpoint devices—and the humans who operate them—are the weakest link in the enterprise security profile. The 2016 Cyberthreat Defense Reportfound that 76 percent of organizations were breached in 2015, making it essential to plan for data breach and your recovery before it happens. Choose an endpoint backup solution that ensures rapid recovery of data—no matter the cause, without paying a ransom, without the original device, without the former employee. Endpoint backup is an investment in business continuity, risk mitigation and peace of mind.

Point #5: Does it let you decide where to store encryption keys? True data privacy means only the enterprise can view unencrypted files. Choose an endpoint backup solution that deduplicates locally rather than globally, encrypts data in transit and at rest, and enables you to hold encryption keys regardless of where your data is stored. On-premises key escrow ensures that only you can view decrypted data—keeping it safe from the cloud vendor, government surveillance and blind subpoena.

Proactively evaluating your endpoint backup processes at least once a year positions your enterprise for quick and total recovery before data loss or breach occurs.

Top 3 Malware Bogeymen Keeping CISOs Up at Night

March 22, 2016 | Leave a Comment

By Susan Richardson, Manager/Content Strategy, Code42

031616_cyberthreat_blogWhat keeps CISOs up at night? Of all the cyberthreats, malware sends chills down a CISO’s spine, according to The CyberEdge Group’s recently released 2016 Cyberthreat Defense Report. Malware bogeymen come in many shapes and sizes. Here are three of the most nefarious in their respective categories:

Ransomware: CryptoWall
Ransomware has come a long way since 1989, when the AIDS Trojan first encrypted a user’s hard drive files and demanded money to unlock them. The latest version of CryptoWall, the most significant ransomware threat in the States, not only encrypts the file, it also encrypts the file name—making it a challenge to even find “kidnapped” files.

CryptoWall cost victims more than $18 million in losses in a single year, according to the FBI. While individual ransom fees are typically only $200 to $10,000, additional costs can include loss of productivity, mitigating the network, incorporating security countermeasures, and purchasing credit monitoring services for employees and/or customers.

Banking Trojan: Dyreza
Banking Trojans use a man-in-the-browser attack. They infect web browsers, lying in wait for the user to visit his or her online banking site. The Trojan steals the victim’s authentication credentials and sends them to the cyberthief, who transfers money from the victim’s account to another account, usually registered to a money mule.

For nearly a decade, the ZeuS Trojan conducted a reign of terror in the banking world. Even after Europol took down the Ukrainian syndicate suspected of operating ZeuS in 2015, new strains kept appearing. But it seems ZeuS has met its match in Dyreza (aka Dyre, aka Dyzap). More than 40% of banking Trojan attacks in 2015 were by Dyreza, according to Kaspersky Lab’s 2015 Security Bulletin. Dyreza’s one-two punch? It can now attack Windows 10 machines and hook into the Edge browser.

Mutant two-deaded worm: Duqu 2.0
There isn’t an official category yet for the most sophisticated malware seen to date. At a London press conference announcing an attack by the new version of the Duqu worm on its corporate network, Kaspersky Lab founder Eugene Kaspersky described the malware as a “mix of Alien, Terminator and Predator, in terms of Hollywood.

The original Duqu worm was mysterious enough, being written in an unknown, high-level programming code. Now Duqu 2.0 is further flabbergasting the security experts. Some describe it as a compound sequel of the Duqu worm that assimilates the features of a Trojan horse and a computer worm. Others call it a collection of malware or a malware platform.

I’m dubbing it the Mutant Two-Headed Worm because it has two variants. The first is a basic back door that gives attackers an initial foothold on a victim network. The second variant contains multiple modules that give it multiple superpowers: it can gather system information, steal data, do network discovery, infect other computers and communicate with command-and-control servers. And did I mention Duqu 2.0 has an invisibility Cloak? The malware resides solely in a computer’s memory, with no files written to disk, making it almost impossible to detect.

If Duqu 2.0 attacks increase in 2016, expect malware to be a CISO’s worst nightmare next year too.

Download the 2016 Cyberthreat Defense Report to learn how IT security professionals perceive cyberthreats and their plan to defend against them.

CIO, CISO and IT Practitioners Worry They Will Face a Datastrophe!

March 18, 2016 | Leave a Comment

By Rick Orloff, Chief Security Officer, Code42

031516_datastrophe_blogWe are not lacking choices: whether it’s in the information we consume, the things we can buy or the ability to express ourselves through multimedia channels. It’s therefore no surprise that our most valuable asset, human capital, is finding ways to work outside of the boundaries of the traditional workplace. Enterprises are increasingly porous, as is the technology infrastructure that is supposed to keep all the bits and bytes of precious corporate data within the corporate infrastructure. This is because we now have an expectation of holding data wherever we are—on endpoint devices such as laptops, tablets and in cloud storage. An enterprise can secure the core, but data has become persistently mobile and accessible outside the corporate network perimeters.

In this rapidly changing and rather troublesome security landscape, we decided in the UK to conduct a piece of research—Code42’s 2016 Datastrophe Study. This research aimed to get under the skin of how chief information officers (CIOs), chief information security officers (CISOs) and IT decision makers (ITDMs) view the porous enterprise. It also collated the views of employees who are holding most of the data outside the perimeter. Working with two independent research partners, we surveyed 400 IT decision makers—including CIOs and CISOs—and more than 1,500 UK-based knowledge workers between the ages of 16-55+, all of whom are working in enterprise size organizations.

The results are startling: 45% of all corporate data today is also held on endpoint devices—according to the IT respondents. Yet, at least one-in-four ITDMs acknowledge that they do not do enough or do not know if they do enough to protect corporate data. Putting this into perspective, the IT department knows it has a problem, but 25% of ITDMs know they are not tackling it. This is a huge risk. An impending data catastrophe. A datastophe! Well, you get the point.

We all know the issues. 88% of CIOs/CISOs and 83% of ITDMs reveal that they understand the serious implications and risks of large swathes of corporate data residing on endpoint devices—stating that losing critical data would be seriously disruptive or could cause irreparable harm to the corporation and its brand. But, awareness of data risk is also felt on the shop floor, with 47% of employees agreeing that the risks of corporate data loss would pose a threat to business continuity.

Yet, despite this understanding, three-in-ten ITDMs (30%) acknowledge that they do not have, or—very worryingly—don’t know if they have a meaningful endpoint data protection security strategy or solution in place. In turn, one in four employees (25%) say they do not trust their IT teams or companies with their personal data. And a further 36% of employees believe their company is at risk of a public breach in the next 12 months. So, the employees in the trenches with the real-world view (that the C-suite sometimes lacks) are worried.

For IT departments, the issues are not just internal. There are added regulatory pressures to consider. Sixty-nine percent of ITDMs say that the upcoming EU General Data Protection Regulation (GDPR) will affect the way they purchase and/or provision data protection and data security tools/solutions. In fact, 76% suggest they will be increasing their security tools and capabilities. Yet, 18% are waiting for the proposed regulatory changes to be finalized before making any commitments—this might be too little too late. Adding new capabilities requires careful planning with CapEx & OpEx considerations and this rarely happens overnight. Add onto this the 43% of ITDMs that say they have been affected by the invalidation of Safe Harbor—which will soon be replaced by Privacy Shield, and you might see ITDM’s engaged in a waiting game a.k.a., analysis paralysis.

Security leaders need clear, effective, and measurable strategies that pursue proactive steps to protect their companies—or risk facing a datastrophe! From the CISO to the technical administrator, each individual needs to work with the lines of business in their organizations. They need to define their unique endpoint risks, embrace the agreed upon solutions(s), and deliver them according to plan—quickly. It’s never too late for a proactive plan.

A last word: The 2016 Datastrophe Study is peppered with commentary from experts who share their views on the future of endpoint data protection including CISO’s, analyst’s and ethical hackers. To participate in the conversation, you can join us @code42 (A malware free site ☺).

EU Safe Harbor and Privacy Shield: Timelines, Deadlines and Red Lines

March 16, 2016 | Leave a Comment

What has happened since safe harbor was declared invalid and what’s next?

By Nigel Hawthorne, EMEA Marketing Director, Skyhigh Networks

blog-banner-us-eu-privacy-shield-1024x614 (1)As a quick reminder, Safe Harbor was the primary legal mechanism that allowed US-based companies and cloud providers to transfer data on European individuals to US data centers, however this mechanism was declared invalid by the European court on September 24, 2015.

It’s been five months since then and here are the main changes made by companies, negotiators, data protection authorities and lawmakers since then.

Most US-based organisations have looked at their mechanisms for transferring data and either adopted EU Model Clauses, Binding Corporate Rules, or new terms and conditions – as an example Salesforce issued new terms the day after the judgement; they were obviously ready.

More cloud providers have opened European-based data centers, (or “centres”, as they are referred to in the UK!) allowing data to stay in Europe, for example Skyhigh’s own announcement and Microsoft’s announcement jointly with Deutsch Telekom.

The various European data protection authorities that make up the EU Article 29 Working Party issued a statement on 16th October naming a deadline of the end of January for negotiations to come up with a new plan with the threat that otherwise the data protection authorities “are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.

Some of the data protection authorities issued their own news with advice for companies; this one from the UK’s ICO puts the story in context and is very helpful.

The negotiators just missed the end of January deadline, but a few hours before the Working Party was to meet and decide their actions, The EU-US Privacy Shield was announced. Frankly, there were few details at the time, so it was probably issued to hold off actions from the data protection authorities and buy a bit of negotiating time.

Another blog from the UK’s ICO makes clear that their position is to wait and see what happens “We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome”.

Move forward to February 29 and the European Commission published their FAQ fact sheet on the EU-US Privacy Shield that fills in many of the details needed. It shows that US organisations have stronger obligations, there are clearer safeguards, EU citizens have the right to redress, and the US has affirmed that there is no mass surveillance of data.

This isn’t the end of the process, but we continue down the road. The next steps are that the EU member states, the data protection working party (WP29) and the college of commissioners all need to approve the text for ratification, which is expected in June 2016.

If that happens, there could still be another claim back to the European Court of Justice that the framework is not strong enough and once the new EU GDPR (General Data Protection Regulation) becomes law in 2018, it is likely to be reviewed again.

There’s certainly been a lot of talking in the months since Safe Harbor was declared invalid. The situation isn’t completely clear, but no one with data on European individuals should be complacent in expecting that data privacy problems will all just go away.

Anyone with data on individuals in the 28 countries of the EU should consider how it is gathered, the opt-in given to users, how it is transferred, which cloud services hold that data, where those cloud services are based, where they store the data itself, which employees and third parties have access to that data, and the legal and privacy policies in use. Enterprises must look at the mechanisms being used to track the movement of data, the security technologies deployed, and the education of employees.

Ultimately, if you collect data, you are responsible for keeping it safe and the policies and mechanisms to ensure it is not lost. Transferring data from the EU to the US requires careful handling and organisations need to be able to follow the data that their users may be accessing. Outsourcing computing to the cloud may transfer personal information of EU individuals outside the EU, specifically to US cloud service providers. In this case, the employer needs to be able to track, log, manage and even block transfers made by employees if the appropriate legal and technical mechanisms are not in place to keep that data secure.

CSA Summit San Francisco 2016 Recap

March 11, 2016 | Leave a Comment

By Frank Guanco, Research Project Manager, CSA Global

IMG_0946At the end of February, the Cloud Security Alliance (CSA) concluded its CSA Summit San Francisco 2016 with a full slate of presentations, releases, and announcements. CSA Summit kicked off the week with a full day of speakers and panels on the subject of ‘Cloudifying Information Security’ with a standing room only crowd. Throughout the week, CSA shared a number of updates, announcements, and releases that touched on the entire CSA portfolio. Below are links that recap some of the activity during CSA Summit San Francisco 2016.


Cloud Security Alliance Forms Global Enterprise Advisory Board
The Cloud Security Alliance announced the formation of the CSA Global Advisory Board, a 10-member body representing some the world’s most recognized experts within information technology, information security, risk management and cloud computing industries. The Global Advisory Board has been established to support CSA in further anticipating emerging trends, and as a result, increase the influence enterprises have over the future of the cloud industry’s ability to address dynamic and optimal cloud security requirements.

Cloud Security Alliance Establishes Research Fellowship Program
The Cloud Security Alliance announced the establishment of the CSA Research Fellowship Program designation, the highest honor and distinction awarded to a CSA Research Volunteer who has demonstrated significant contributions to CSA Research. The honor aims to recognize the talented and dedicated efforts of select CSA Research Volunteers whose work has led to groundbreaking and forward-thinking advancements of the CSA.

CCM Candidate Mapping update and CAIQ minor update
The CSA announced the release of the Candidate Mappings of ISO 27002/27017/27018 to version 3.0.1 of the CSA Cloud Controls Matrix (CCM). The ISO 27XXX series provides an overview of information security management systems. ISO 27002 provides further security techniques on controls based in ISO 27001. ISO 27017 adds this security code of conduct to the procurement of cloud services. Finally, ISO 27018 is the first international standard delivering security techniques on the privacy and protection of PII (Personally Identifiable Information).

Additionally, CSA’s Consensus Assessments Initiative Working Group has released an update to version 3.0.1 of the Consensus Assessments Initiative Questionnaire (CAIQ) that included minor updates and corrections.

Cloud Security Alliance Releases New Network Functional Virtualization Security Position Paper
The CSA’s Virtualization Working Group released a new position paper on Network Function Virtualization, which discusses some of the potential security issues and concerns, and offers guidance for securing a Network Virtual Function (NFV) based architecture, whereby security services are provisioned in the form of Virtual Network Functions (VNFs). We refer to such an NFV-based architecture as the NFV Security Framework. This paper also references Software-Defined Networking (SDN) concepts, since SDN is a critical virtualization-enabling technology. The paper is the first step in developing practical guidance on how to secure NFV and SDN environments.

Cloud Security Alliance Releases The Treacherous 12: Cloud Computing Top Threats in 2016
The CSA’s Top Threats Working Group released their latest report The Treacherous 12: Cloud Computing Top Threats in 2016, an important new research report developed to serve as an up-to-date guide to help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. This report serves as an up-to-date guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. While there are many security concerns in the cloud, this report focuses on 12 specifically related to the shared, on-demand nature of cloud computing.

Cloud Security Alliance Research Working Group Sessions
When CSA’s big events happen around the world, like CSA Summit San Francisco 2016, the CSA’s Research team hosts working group sessions for the various projects, groups, and initiatives that comprise the research portfolio. This year, about a dozen working groups shared their status updates and recent releases. The presentations from these sessions are available here.

Thanks to all that attended CSA Summit San Francisco 2016, those that visited our exhibition booth, and those we interacted with during the convention week. It was a successful event and we look forward to seeing everyone at next year’s CSA Summit San Francisco 2017.

Between SSL-cylla and Charib-TLS

March 11, 2016 | Leave a Comment

By Jacob Ansari, Manager, Schellman & Company, Inc.

https://commons.wikimedia.org/wiki/File:Johann_Heinrich_F%C3%BCssli_054.jpgSecuring encrypted Internet traffic transmissions, such as those between web browsers and web servers, is decidedly not simple. Despite the fact that well-established protocols, namely Secure Sockets Layer (SSL) and Transport Layer Security (TLS), have seen use for many years, they still have some complexities and security vulnerabilities. The most recent version of the Payment Card Industry Data Security Standard (PCI DSS), version 3.1, published in May 2015, specifically addressed some of the problems arising from vulnerable versions of SSL and TLS, and set the stage for a more rigorous approach to evaluating the security of the transport-layer protocols and mechanisms used for secure data communications. Unfortunately, navigating the particulars of communications protocols and cryptographic implementations can prove challenging. Further, some of the requirements to remove old, insecure protocols have proven particularly challenging for some organizations and in December 2015, the PCI SSC extended its deadline to eliminate SSL and early TLS by a full two years. Perhaps to best clear up some of the confusion around good security practice for these protocols, consider three elements: protocol versions, cipher groups, and software versions.

The last 12 to 15 months has seen a significant upheaval in the threat landscape for securing Internet communications. In late 2014, security researchers at Google published the details of an attack they called POODLE (for Padding Oracle on Downgraded Legacy Encryption), which exploited a deficiency in one of the most common security protocols used on the Internet, Secure Sockets Layer (SSL), and allowed an attacker to determine the encryption key used in a supposedly secure connection and  decrypt the data in transit. Despite the fact that this particular protocol was developed by Netscape in the 1990s and had been replaced by a better protocol called Transport Layer Security (TLS), version 3 of the SSL protocol (SSLv3) remained in popular use for many years. Further research revealed that version 1.0 of TLS had similar weaknesses that allowed a similar attack: decrypting web traffic with comparatively little reference data and computing power. Security practitioners and standards organizations began advising against the use of SSLv3 or TLSv1.0, which, while entirely correct from a security perspective, has caused no small difficulty for endpoints that don’t support TLSv1.1 or v1.2, such as older versions of Internet Explorer and numerous Android devices that no longer get software updates from their manufacturer. This issue, in particular, has had a cascading effect, where organizations that interact with endpoints like old browsers often hesitate to disable support for these vulnerable protocols, particularly TLSv1.0, and then the organizations that interface with them find themselves faced with the need to continue this support. While the complexities of negotiating the interactions amongst clients and servers and differing organizations mean that eliminating vulnerable protocols will take careful planning and disciplined execution, organizations should not hesitate to eliminate actively the use of SSLv3 and TLSv1.0, as these versions of the protocols are fundamentally insecure, and attacks against them will become easier and more widespread.

Beyond the question of protocol version, when a client and server first begin communication, they negotiate the means by which they will communicate. This also includes the groups of cryptographic ciphers they use, commonly known as cipher suites. Like protocol versions, most systems open negotiations using the best options, but many systems will allow other, more insecure cipher suites for communication. Without getting too far into the technical details, a cipher suite consists of a key-exchange protocol, usually Diffie-Hellman or RSA, which is used to prevent attackers from impersonating legitimate sites; a symmetric-key cipher used to encrypt the messages that go back and forth; and a cryptographic hash function, used to verify that an error or attack didn’t alter the message in transmission. Over the years, certain ciphers and key lengths proved less resistant to attacks given currently available computing power, and security experts no longer consider them effective for secure communications. Nevertheless, many servers and clients still support their use, and this can lead to some significant security problems such as the attacks from 2015 called FREAK and Logjam. Properly securing this environment usually involves making configuration changes to only support cipher suites that contain only strong encryption.

The last major area is hardly unique to software used for securing data transmission: patches and security updates. The software used to establish TLS connections for web servers, and other types of systems has complexities and bugs and security weaknesses like any other piece of software. In fact, because of the complexity of doing cryptography right, popular implementations often release frequent updates to address security deficiencies, and, like any other vulnerability management process, organizations looking to defend against insecure transmission situations should pay attention to these releases and apply the fixes promptly.

Despite the many security vulnerabilities and potential pitfalls in using TLS, it remains an effective mechanism for securing Internet traffic transmissions. That said, it requires proper configuration and use and regular maintenance, just like any other piece of software. It has some unique properties in that advances in knowledge of vulnerabilities and security research can render previously sufficient controls inadequate quickly, but a careful and disciplined security operations practice can usually manage these issues.

 

 

15 Data Security Policies Ignored by Modern Workers

March 9, 2016 | Leave a Comment

By Rachel Holdgrafer, Business Content Strategist, Code42

02-29-16_policy_vs_reality_blogIT isn’t the only department stretched thin. In the past 20 years the economy has grown nearly 60 percent. Corporate profits have increased 20 percent. And wages have stagnated for most Americans. The workday goes from 9 to 7 and the U.S. is among a small club of nations that doesn’t require time off. See the trend? Despite data security policies, everybody is working fast and hard in a dangerous, connected world.

At this breakneck speed, IT policies—designed to educate employees and manage risk—are white noise for the modern worker.

Clearly, both parties in this relationship have to change—and clearly, that change won’t be easy. In the meantime, IT can buoy data policies with smart technology that does what employees won’t—like continuously back up laptops to ensure business continuity in the face of anything.

After endpoint backup is in place, IT and modern workers should walk a mile in each other’s shoes as a first step in lessening the gap between policy and real life.

 

code42 policy vs. reality graphic

Security Versus Privacy in Today’s Enterprise

March 3, 2016 | Leave a Comment

By Rachel Holdgrafer, Business Content Strategist, Code42

02_24_16_securityvsprivacy_blog (1)Whether enterprise security or personal data privacy should prevail in the enterprise is the debate of the century. With internal actors responsible for 43 percent of enterprise data loss and 62 percent of respondents to the2016 Cyber Defense report indicating that a cyber attack is somewhat or very likely in the next year, today’s enterprise must have endpoint security in place to protects its data. Similarly, as the FBI demands that Apple build a backdoor into its iPhone iOS, personal data privacy is becoming even more critical.

Data is the exhaust of our digital lives—both personally and professionally. Protecting it is paramount for the enterprise and the individual. Terms of use, conditions of employment and IT policies protect the enterprise. Who—or what—protects the individual?

The simple smartphone
Bruce Schneier publishes extensively about how metadata—the context around a data point—is fundamentally “surveillance data,” tracking and recording relationships, associations, locations and search terms. Smartphones are not typically backed up by the enterprise and in an individual’s quest for personal data privacy, that’s a good thing. Smartphones should remain the individual’s outlet for conducting personal business. Here’s why:

Smartphones generate an enormous amount of data when they are turned on. Location services, GPS coordinates, phone calls, text messages, email, application usage, web searches—all create data streams that reveal a stunning amount about the human being carrying the phone. The graphic below examines four basic data streams created by the average smartphone and the deductions that can be made about you as a result.

security vs privacy graphic (1)

 

Private and secure
It’s possible for individual privacy and data security to coexist in the enterprise, but both the enterprise and the end user must play a role to make it a reality.

End users must take an active part in protecting their digital privacy and recognize that the devices and networks—as well as the data being created on them—belong to the enterprise. With this in mind, employees must conduct less personal business on enterprise-owned machines and networks, utilizing their personal smartphone or laptop instead. When the use of corporate devices and networks cannot be avoided, end users should be aware that the files and the meta data associated with their actions are visible to IT.

Additionally, end users must take an active approach to current events and pending legislation that may impact personal privacy. They must take action when necessary to ensure personal privacy standards are maintained (e.g. pushing back to prevent implementation of backdoors in mobile devices and unregulated collection and use of personal data).

In turn, the enterprise must do its part to respect and maintain personal data privacy. Employees need to be educated. The enterprise must explicitly tell employees when and where personal data will be collected and where, if anywhere, on their networks employees can assume privacy. With clear policies in place, the enterprise must uphold those policies and alert employees to any changes in how personal data will be collected, indexed or used.