Pwned Passwords – Have Your Credentials Been Stolen?

By Paul Sullivan, Software Engineer, Bitglass

Data breaches now seem to be a daily occurrence. In recent months, Have I Been Pwned (HIBP) introduced Pwned Passwords, which allows you to securely check your password against a database of breach data. There are over 280 breaches in the database, and that’s only the tip of the iceberg. Breaches aren’t just a problem for the users who lose their data, but for the companies responsible for it.
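The article does not explain how a "secure" check against a breach corpus can work without sending the password itself. The following is an added example, not code from the article or from HIBP: a range-query client in which only the first five hex characters of the password's SHA-1 hash leave the machine, and the suffix match is done locally. The endpoint URL in `fetch_range_live` is assumed from the public Pwned Passwords API; the sample response is constructed here (the first suffix is the real remainder of SHA-1("password"), the other lines and all counts are made up).

```python
import hashlib
from typing import Callable

# Constructed sample of what the range endpoint returns for prefix "5BAA6":
# each line is "<35-hex-char suffix>:<count>". The first suffix is the real
# remainder of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1A2B3C4D5E6F70819283A4B5C6D7E8F9A0B:2",
        "00000000000000000000000000000000000:1",
    ]),
}


def hash_prefix(password: str) -> str:
    """The only thing the client ever transmits: 5 hex chars of the SHA-1 hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call; returns the constructed sample above."""
    assert len(prefix) == 5, "only a 5-character hash prefix may leave the client"
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Endpoint assumed from the public Pwned Passwords API
    (not described in the article): GET /range/<first 5 hex chars of SHA-1>."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times `password` appears in the breach corpus (0 = not found).
    The server sees the prefix and returns every suffix sharing it, so it
    cannot tell which of those hashes the client was interested in."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def password_is_acceptable(password: str,
                           fetch_range: Callable[[str], str] = fetch_range_offline) -> bool:
    """Policy hook for a signup or password-change form: reject any breached password."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times, acceptable={password_is_acceptable(pw)}")
```

Pass `fetch_range_live` as the second argument to query the real service; the offline fetcher exists so the logic can be exercised without network access.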

So how does all this data get breached?

Surely, it was some sinister character in a hoodie with extensive knowledge of computers, right? As it turns out, many of the data breaches came from misconfigured databases and Amazon S3 buckets that were left wide open for anyone who knows where to look. S3 is easy to use, which is great for security-conscious developers. However, it also makes it easy for someone who doesn’t understand security to toss some data into the cloud (so that it’s publicly viewable) and forget about it. As noted by Troy Hunt, the security researcher who runs HIBP, one company was breached because it stored personal data from IoT devices in MongoDB and Amazon S3 buckets with no credentials. It’s not just small, unorganized companies that make these mistakes either. Big corporations are losing track of their configurations, too.

Proper training is a good way to help with these problems, but it’s not always enough. Fortunately, a cloud access security broker (CASB) can help keep S3 and other cloud data secure by encrypting the data at rest. That way, even if data can be accessed by unauthorized parties, it is still unreadable and protected. A CASB can also provide auditing and analytics tools to help detect suspicious activity so that data breaches can be detected early as well as prevented from happening in the first place.

Avoiding Holes in Your AWS Buckets

Enterprises are moving to the cloud at a breathtaking pace, and they’re taking valuable data with them. Hackers are right behind them, hot on the trail of as much data as they can steal. The cloud upends traditional notions of networks and hosts, and it topples security practices that use them as a proxy to protect data access. In public clouds, networks and hosts are no longer adequate controls for protecting resources and data.

Amazon Web Services (AWS) S3 buckets are the destination for much of the data moving to the cloud. Given how important this sensitive data is, one would expect enterprises to pay close attention to their S3 security posture. Unfortunately, many news stories highlight how many S3 buckets have been misconfigured and left open to public access. It’s one of the most common security weaknesses in the great migration to the cloud, leaving gigabytes of data for hackers to grab.

When investigating why cloud teams were making what seemed to be an obvious configuration mistake, two primary reasons surfaced:

1. Too Much Flexibility (Too Many Options) Turns Into Easy Mistakes

S3 is the oldest AWS service and was available before EC2 or Identity and Access Management (IAM). Some access-control capabilities were built specifically for S3 before IAM existed. As it stands, there are five different ways to configure and manage access to S3 buckets.

  • S3 Bucket Policies
  • IAM Policies
  • Access Control Lists
  • Query string authentication / static Web hosting
  • API access to change the S3 policies

More ways to configure access means more flexibility, but also a higher chance of making a mistake. The other challenge is that there are two separate kinds of policy, one for buckets and one for the objects within a bucket, which makes things more complex.

2. A “User” in AWS Is Different from a “User” in Your Traditional Datacenter

Amazon allows great flexibility in making sure data sharing is simple and users can easily access data across accounts or from the Internet. For traditional enterprises the concept of a “user” typically means a member of the enterprise. In AWS the definition of user is different. On an AWS account, the “Everyone” group includes all users (literally anyone on the Internet) and “AWS Authenticated User” means any user with an AWS account. From a data protection perspective, that’s just as bad, because anyone on the Internet can open an AWS account.

A customer moving from a traditional enterprise, if not careful, can easily misread the meaning of these access groups and open S3 buckets to “Everyone” or “AWS Authenticated User”, which means opening the buckets to the world.

S3 Security Checklist

If you are in AWS, and using S3, here is a checklist of things you should configure to ensure your critical data is secure.

Audit for Open Buckets Regularly: At regular intervals, check for buckets that are open to the world. Malicious users can exploit open buckets to find objects with misconfigured ACL permissions and then access those objects.

Encrypt the Data: Enable server-side encryption on AWS so that data is encrypted at rest, i.e. encrypted when objects are written and decrypted when they are read. Ideally, you should also enable client-side encryption.

Encrypt the Data in Transit: TLS (SSL) on the transport helps secure data in transit when it is accessed from S3 buckets. Enable Secure Transport in AWS to prevent man-in-the-middle attacks.

Enable Bucket Versioning: Ensure that your AWS S3 buckets have the versioning enabled. This will help preserve and recover changed and deleted S3 objects which can help with ransomware and accidental issues.

Enable MFA Delete: By default, an S3 bucket can be deleted by a user who did not log in using MFA. It is highly recommended that only users authenticated with MFA have the ability to delete buckets. Using MFA to protect against accidental or intentional deletion of objects in S3 buckets adds an extra layer of security.

Enable Logging: If Server Access Logging is enabled on an S3 bucket, you will be able to track every request made to access the bucket. This allows you to monitor activity, detect anomalies and protect against unauthorized access.

Monitor all S3 Policy Changes: AWS CloudTrail provides logs for all changes to S3 policies. Auditing policies and checking for public buckets helps, but instead of waiting for regular audits, any change to the policy of an existing bucket should be monitored in real time.

Track Applications Accessing S3: In one attack vector, hackers create an S3 bucket in their account and send data from your account to their bucket. This reveals a limitation of network-centric security in the cloud: traffic needs to be permitted to S3, which is classified as an essential service. To prevent that scenario, you should have IDS capabilities at the application layer and track all the applications in your environment accessing S3. The system should alert if a new application or user starts accessing your S3 buckets.

Limit Access to S3 Buckets: Ensure that your AWS S3 buckets are configured to allow access only to specific IP addresses and authorized accounts in order to protect against unauthorized access.

Close Buckets in Real Time: Even a few moments of public exposure of an S3 bucket can be risky, as it can result in leakage. S3 supports tags, which allow users to label buckets. Using these tags, administrators can label buckets that need to be public with a tag called “Public”. CloudTrail will alert when a policy change makes a bucket public and the bucket does not have the right tag. Users can use Lambda functions to change the permissions in real time and correct the policies on anomalous or malicious activity.
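The checklist above, together with the “Everyone” / “AWS Authenticated User” point from section 2, can be turned into an offline audit. What follows is an added example, not code from the article: it takes bucket records (ACL, bucket policy, tags, as a real job would pull them with GetBucketAcl, GetBucketPolicy and GetBucketTagging) and reports world-readable ACL grants, `Principal: "*"` Allow statements, a missing `aws:SecureTransport` Deny, and whether a public bucket carries the “Public” tag that marks it as intentional. The two group URIs and the `aws:SecureTransport` condition key are real AWS values; the bucket names and their contents are constructed.

```python
import json
from typing import Any, Dict, List

# Well-known S3 ACL group URIs (real AWS values; the article calls these grantees
# "Everyone" and "AWS Authenticated User").
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTHENTICATED_USERS: "AWS Authenticated Users"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Findings for ACL grants to the whole Internet or to any AWS account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[uri]}")
    return findings


def _principal_is_public(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, AWS account or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Findings for Allow statements whose principal is the whole world."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            actions = ",".join(_as_list(stmt.get("Action")))
            findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {actions} to Principal *")
    return findings


def enforces_secure_transport(policy: Dict[str, Any]) -> bool:
    """True if some Deny statement rejects requests with aws:SecureTransport=false (plain HTTP)."""
    for stmt in _as_list(policy.get("Statement")):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(bucket: Dict[str, Any]) -> Dict[str, Any]:
    """Run the checks on one bucket record; a bucket tagged Public=true may be public by design."""
    policy = json.loads(bucket.get("Policy") or "{}")
    findings = public_acl_grants(bucket.get("Acl", {})) + public_policy_statements(policy)
    is_public = bool(findings)
    if not enforces_secure_transport(policy):
        findings.append("no Deny for aws:SecureTransport=false, so plain-HTTP access is allowed")
    intended = bucket.get("Tags", {}).get("Public", "").lower() == "true"
    status = "UNEXPECTED_PUBLIC" if is_public and not intended else "INTENDED_PUBLIC" if is_public else "PRIVATE"
    return {"Name": bucket["Name"], "Status": status, "Findings": findings}


def audit_all(buckets: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    return {b["Name"]: audit_bucket(b) for b in buckets}


# Constructed bucket records (what a real audit would pull via GetBucketAcl,
# GetBucketPolicy and GetBucketTagging); names and contents are made up.
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-private", "arn:aws:s3:::example-private/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-website/*"}]})
SAMPLE_BUCKETS = [
    {"Name": "example-open-logs", "Policy": None, "Tags": {},
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "example-website", "Acl": {"Grants": []}, "Policy": WEBSITE_POLICY, "Tags": {"Public": "true"}},
    {"Name": "example-private", "Acl": {"Grants": []}, "Policy": TLS_ONLY_POLICY, "Tags": {}},
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_BUCKETS).values():
        print(result["Name"], result["Status"])
        for finding in result["Findings"]:
            print("   -", finding)
```

The `TLS_ONLY_POLICY` record doubles as the shape of the “Enable Secure Transport” statement from the checklist: a Deny on `s3:*` for every principal whenever the request did not arrive over TLS. Wired to CloudTrail events instead of a periodic scan, the same `audit_bucket` logic is what a Lambda function would run to decide whether a freshly changed bucket needs its policy reverted.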

Convincing Organizations to Say “Yes to InfoSec”

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Security departments have their hands full. The first half of my career was government-centric, and we always seemed to be the “no” team, eliminating most initiatives before they started. The risks were often found to outweigh the benefits, and unless there was a very strong executive sponsor, say the CEO or Sector President, the ideas would be shelved.

More recently, as a response to the security “no” team, IT staff started several “Shadow IT” projects. People began using cloud computing systems and pay-as-you-go strategies on a corporate credit card to quickly develop and roll-out projects before anyone in security could get a word in.

These “beg forgiveness” aspects hamstrung security on several projects, especially if a data leakage incident occurred or a breach was in progress. What’s more, we weren’t unique in seeing shadow projects. These projects increasingly become the norm as IT staff looking to move initiatives forward come up against cybersecurity professionals hell-bent on maintaining security, who know that in the event of a breach, heads could easily roll. Most likely theirs.

Tired of being seen as the “no” team? Here are three ideas that could reshape the value of security to your company as a whole:

Demonstrate Trust

Trust messages need to come from outside the department, even if ghostwritten or created internally. Be it the CTO, CFO or CEO, there needs to be some understanding that risk comes in many forms, and that the Security Department takes all of those into account before approving or denying projects.

Many compliance frameworks have an HR or training domain, and some security departments successfully use this for mandatory training for topics like phishing. When a non-infosec colleague clicks on a fake attack, the trust point may be reiterated with a reminder of example fines and the costs. Breach notifications or PCI violations aren’t cheap after all.

Show Security as a Business Enabler

Share a couple of department wins, where the security team found involvement early in the process and added value to the program deployed. Look for examples like OAuth or Single Sign On (SSO) simplifying a portal’s usage, or a project where business continuity planning or encryption helped pass an acceptance audit.

Demonstrating that security builds team success and is no longer the “no” department pays dividends.

Provide Educational Incentives

Lastly, extend the educational aspect beyond testing for ignorance. See if your organization offers reimbursement or even bonuses for security certifications, and stand up internal lunch-and-learn or video conference preparation sessions. If your organization doesn’t provide an across-the-board financial incentive, maybe fund a raffle for five of the folks who pass the test to receive a spot bonus.

Hopefully, you’ll find these an opportunity to impress upon the rest of the corporation the importance of the CISO’s office. There’s a long history of “no”; without effort on the infosec staff’s part, that image will linger well past its truth.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Top Security Tips for Small Businesses

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Most small businesses adopt some sort of cloud offering, be it Software as a Service like Quickbooks or Salesforce, or even renting computers in Amazon Web Services or Microsoft’s Azure, in an Infrastructure as a Service environment. You get Fortune 50 IT support, including things that a small business could never afford, like building security and power fail-over with 99.999-percent reliability.

While cloud has great advantages, you must know your supply chain. Cloud providers use something called the shared responsibility model. Their risks and vulnerabilities become yours, so choosing a discount provider may open you up to compliance issues you never thought possible. That said, cloud does allow small businesses to focus on what differentiates them competitively, leaving the technical aspects to others as pay-as-you-go utility computing.

In today’s increasingly complex security environment, following these three top security tips will go a long way to letting small business owners concentrate on running their business rather than keeping up with the latest security issues.

Something you know

Let’s talk about authentication, typically referred to as passwords. The first thing to establish is “something you know,” like a PIN or password. The worst thing anyone can do in today’s day and age is use one username with one password. If any one of the sites used becomes compromised, the username/password combination will be sold on the Dark Web as a known combination. The lists are huge, but trying them against other banking or e-commerce sites is far faster than brute force, even where those sites implement effective security. This happened in the Yahoo! breach that nearly scuttled the Verizon acquisition a couple years ago, sending ripples throughout the web and forcing resets by nearly every company in the world.

At the very least, use a unique password with between eight and (preferably) 16 characters. Characters are more than numbers and letters. The more of the keyboard utilized, the longer testing every combination in a brute force attack becomes.

Password managers such as LastPass or KeePass will make keeping these organized easier, and they sync across the various phone, laptop and desktop devices through cloud providers like Dropbox, Box and OneDrive. Many of these are now tying into “something you are,” such as fingerprint or facial recognition.

Something you have

The next step up is a technique known as one-time passwords. They are much more effective than a single step, because they extend the “something you know” with “something you have”: your mobile device. That’s why banks and financial trading firms incorporated the technology a few years ago.

As security gets better, so, too, do the hackers. SIM-card duplication and other attacks gave rise to something called soft tokens, from Google Authenticator and Authy. The apps use a synchronized clock and the same hard mathematics used in cryptography to build a system where the number for the current minute is easy to compute, but the next one is impossibly difficult to derive before the timer rolls over to it.

Currently, the most secure consumer password scenario comes from mathematics developed in the late 70’s called public key cryptography. This is the same technology as in the soft token apps, but in a purpose-built device, typically seen as a key fob or USB from manufacturers like Entrust, RSA or Yubi. This takes the one-time password to the next level: the device self-erases on any attempt to get at the originally entered secret.

To recap, secure authentication should be a combination of something you know, something you have and something you are, with an order of strength: Same Passwords -> Unique Passwords -> Text Messages -> Soft Tokens (Authenticator/Authy) -> Hard Tokens (SecurID/RSA/Yubi).

Built-in, not bolted on

Lastly, follow your industry/vertical’s rules early.

The typical adage of “built-in, not bolted on” holds true for small business if you really want to make it in the long haul. It’s always easier to include security in the beginning than shoehorn it in afterwards. A small business may be fined for non-compliance to the point of bankruptcy by a few of the below regulations:

  • US Securities and Exchange Commission’s Sarbanes Oxley (SOX);
  • Payment Card Industry’s Data Security Standard (PCI-DSS);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Privacy controls by the US Federal Trade Commission’s Fair Credit Reporting Act (FCRA) and Children’s Online Privacy Protection Act (COPPA); and
  • European Union’s General Data Protection Regulation (GDPR).


Cybersecurity Trends and Training Q and A

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Q: Why is it important for organizations and agencies to stay current in their cybersecurity training?

A: Changes accelerate in technology. There’s an idea called Moore’s Law, named after Gordon Moore working with Intel, that the power of a microchip doubles every 18 months. When combined with the virtualization aspects necessary for cloud computing, technology professionals tackle ideas seen as science fiction 30 years ago. You carry around more processing power in an Apple Watch than launched the space shuttle. Big Data, Blockchain, Internet of Things, AI and self-driving cars were inconceivable. Now you see advertisements for the NCAA trend analysis (Big Data), Bitcoin (Blockchain), Alexa and smart homes (Internet of Things), AI (Watson) and Tesla. Humans create all of this new technology; we’re flaw-ridden, and cybersecurity researchers find exploitable bugs every day.

Training for developers is important—they’re a small population and make a huge impact limiting the types and quantities of flaws. Training for general users helps them avoid clicking malicious links, phishing schemes and opening files of unknown pedigree. Staying current keeps users only a half step behind the latest exploitation schemes; everything turns over entirely too fast for reliance on 10-year-old security knowledge. Ransomware wasn’t something we trained people on 15 years ago, even though the PC Cyborg virus demanded the first $378 payment in 1989. Now, people clicking a link could lock out a company’s entire data store.

Q: Do you find that most organizations and agencies employ a workforce that is woefully undertrained in cybersecurity?

A: There are companies like KnowBe4 and PhishMe that specifically target under-trained employees. KnowBe4 calls it the Human Firewall—accurate when it works properly. In the cybersecurity world, we’ve said for years two things about users—you have to trust someone, and users are the weakest link in any computer architecture. We made inroads limiting the damage by segmenting networks, limiting access privileges and better authentication capabilities, but training is a moving target and people forget or get careless.

Q: Is cybercrime on the upswing? Do you have statistics or studies to back this up?

A: The trends for cybercrime show increases in the total occurrences. Part of that is who is doing the work for the majority of the takeovers. In many cases, self-replicating viruses and bots do the work—they don’t sleep. Some cybersecurity researchers find flaws and immediately publish their sample code. Not contacting the product manufacturer first is irresponsible. The sample code gets weaponized and added to existing exploit development kits and loaded into malware, including ransomware, for instance. Ransomware encrypts all the files on a drive and rose from 22nd to 5th-most-common malware between 2014 and 2016 (2017 Verizon Data Breach Investigations Report). Recently, the city of Atlanta was hit with a $51,000 demand.

Executives at a company the size and stature of Uber decided to pay a ransomware demand. They clearly didn’t have good backup and recovery processes, and we can’t expect the 718,000 other victims in 2016 to do much better. Uber, in turn, funded the next round of development. According to Symantec, the cyber criminals saw per-victim value increases of 266 percent from 2015 to 2017, and continue their efforts. There are over 50 families of ransomware alone. That’s families—not applications. Cracking a single variant in a family doesn’t necessarily eliminate that version’s effectiveness. An effort by Europol and several cybersecurity vendors to inform users and collect decryption keys started last year with the site nomoreransom.org.

Q: Which organizations are currently most targeted for cybercrime, and why?

A: There was a quote in the New Yorker during the 1950’s where Willie Sutton answered the question of why he robbed banks. His response was straightforward: “I rob banks because that’s where the money is.” This trend has held true throughout history, be it land during feudal times, stagecoaches and trains during the Old West, and finally cybercrime today.

So where is the proverbial money in today’s cloud-connected, on-demand, app-everywhere world?

The industry most people think of with cybercrime and fraud is the credit card and banking institutions referred to as the Payment Card Industry (PCI). They really worked to lock everything down starting with the Payment Card Industry Data Security Standard (PCI-DSS) in December 2004. The rationale was simple—rampant fraud in the late 1990’s. They were losing every time someone called about a bad charge.

Credit card companies are steadily improving to the point now where your bank tracks your location and habits and will proactively block suspicious transactions, calling or sending a text message as an additional authorization step. I’ve seen it fail miserably (a friend of mine received a deny on a charge at the local Kroger after using the same card at the same store weekly for the past 18 months) and work stupendously (a $1 Burger King charge in Mexico while I was buying snacks at the Ft Lauderdale airport). The chip cards are also reducing fraud, as they prove to the card processors that you have the original card and not a fake copy. The Payment Card Industry does such a good job now that bulk credit card numbers on the Dark Web cost pennies per thousand.

That’s not the case for the healthcare industry, however. Personal Health Information (PHI) continues to be the most profitable data, running in the $0.50 to $7 range. That is down significantly from the $150 range less than 5 years ago. However, extensive health histories provide a treasure chest of fraud possibilities and are now bought together with additional purchased information like birth dates, Social Security numbers, and driver’s license data. Knowing a patient’s previous diagnosis of high cholesterol makes fake claims for heart procedures more plausible. CIPP Guide pointed out how common abandoned medical records were 10 years ago. Doctors place a premium on their time, but the HIPAA compliance actions for Electronic Health Records (EHR) and the ease with which the information may be destroyed eliminate that sort of abandonment. It does open up a new situation, where a patient actually wants their previous health history to continue with a new practice. At that point, people must take personal responsibility and keep their own EHR.

Let’s investigate where the money isn’t … sort of. Cyberattacks were a significant part of the Russian attacks on Georgia and Ukraine in 2017. One of the first nation-state attributed cyberweapons, Stuxnet, set back the Iranian nuclear program in 2010 by attacking power plant equipment—Supervisory Control and Data Acquisition (SCADA)—responsible for their uranium enrichment centrifuges. The Russian Government’s interference in the US elections is a continued congressional topic. And early in 2018, the city of Atlanta experienced ransomware demands. While governments typically have big budgets, getting to them will prove more difficult.

Lastly, the area I’m most concerned about is transportation. Money is replaceable. More “intelligent” features are making their way into mass production, from braking assist and lane departure to auto-pilot. Two researchers demonstrated a remote automobile attack at the DEF CON hacking conference in 2015. The conference introduced a Car Hacking Village, where attendees could try the exploits themselves. Since that time, self-driving vehicles, including cars and semi-trucks, are under development by Tesla, Uber and NVIDIA. Uber recently suspended self-driving car tests after a pedestrian accident in Arizona on March 19, 2018.

The possibility of a driverless future, where there is limited road rage and fewer traffic fatalities sounds promising. The fact of the matter is that the systems use external connections to download updates. History shows remote updates as a vulnerability. The automobile immobilizer/remote disablement feature flaws were demonstrated in 2016. The possibilities to stop a car suddenly are already part of police controls for theft prevention and recovery. Hollywood TV shows dramatize accelerating quickly. The prospects of ransom or terrorism are frightening at 60 MPH.

Q: How bad is cybercrime expected to be in the future?

A: Cybercrime success in the future depends on the diligence of everyone involved. Punishment for unacceptable behavior was documented in biblical times. Deterrence depends on risk versus reward, similar to the drug trade. The main difference surrounds education—hacking requires access to computers and coding skills. In the US, our Bill of Rights and Constitution keep American hackers from being executed, with the exception of treason. Life in prison or heavy fines are the punishments of choice. If you don’t have money, the heavy fines don’t look as daunting. A serious prison term carries a bit more weight. That’s not how most of the US laws read currently. Kevin Mitnick, one of the best known hackers, received a 5-year sentence after breaking into several corporations’ networks, including Pacific Bell’s voice mail system. The main charge that got him jail time was wire fraud.

Folks outside of the US, especially organized crime in the poorer nations of Africa and Asia, already show a great deal of interest in cybercrime, mostly phishing schemes. Eastern Europe also has several well-known hacking groups. Their tools are getting better and easier to use. That’s a double-edged sword—less knowledgeable users will probably make implementation mistakes that allow projects like NoMoreRansom to work.

Cybersecurity protections will continue evolving. Organizations within the PCI are now asking for continuous access to your location data so they can correlate your spending with your charge card and ATM usage, the next logical evolution in their fraud detection. Until you forget your phone. And at that point, we need to adjust where the “money” is, and start examining what can be done with your location information and other low-hanging fruit. If criminals know you’re not in your residence, will the crime statistics show a spike in burglaries? Will social engineers or phishing scams target you based on the most susceptible device? Email scams work best on your tablet, text scams on your phone and click fraud on your laptop?

Q: Who are these cyber criminals and where do they come from?

A: In the past, we dealt a lot with individual hackers. There were hacktivists and folks who wanted to see how they could get in and what they could do in infiltration. That has since moved to organized crime, with the bulk of cyber criminals motivated by money, and how quickly they can turn whatever they find into cash. Most of the latest attacks are external, financially focused, and automated to increase return on investment.

Q: A lot is now being discussed about cyber criminals holding the data of individuals and organizations hostage. How is this possible and what can be done to prevent it?

A: The data hostage taking refers to a type of malware called ransomware. It is so named as a ransomware infected system will scramble all the stored data using encryption and demand payment for release of the decryption key. Most anti-virus companies will catch all but the latest 0-day hacks (those not yet discovered by cybersecurity professionals).

Keep the cybersecurity software up to date. Likewise, keep ALL your systems patched—most operating systems will automatically install them and unlike the old days for desktop systems at least, everything won’t crash. Mobile device users are slightly less accepting of auto-updates, for fear of favorite apps no longer working or battery draining updates. Keep in mind, the favorite apps could be part of the reason for the patch. Lastly, invest in some sort of backup software. Plenty of choices will automatically save all of your files—Apple has iCloud, Microsoft has OneDrive, you could use Google Drive or Amazon’s S3 cloud service. There are plenty of third-party solution providers, including Carbonite, CrashPlan and others. Make the best choice that fits with your lifestyle—if you own all Apple devices, that’s probably your best choice. And as mentioned on nomoreransom.org, paying the ransom equates to venture funding the next round of attacks.

Q: Besides cyber blackmail, are there other new schemes in cybercrime that organizations need to be aware of?

A: An emerging scheme involves stealing cycles from people’s web browsers, or cryptojacking. It’s a combination of Bitcoin mining and a “free” component—the advertising revenue stream is augmented or replaced with either pornography or a game, depending on the user set. There is additional code on the page that uses your computer to mine Bitcoin for them. My kids were playing a tank game that crashed my system from heat. Bitcoin thefts a couple years ago (see Mt Gox, for instance) were popular because there was little risk of getting caught. With cryptojacking, people think it’s just a poorly written web page and restart their browser/computer. You never get something for nothing.

These examples highlight the negatives and shouldn’t all be seen as daunting. The technology behind Bitcoin opens up a new world of possibilities around worldwide money transactions. A company called Ripple, an “altcoin” using the same blockchain technology, based their whole business model on efficiently and effectively moving money between countries in Southeast Asia. IBM commercials tout the advantages for our food supply and eliminating “blood diamonds.” Even with all the accident reports on driverless cars, autonomous vehicles have the potential of saving millions of lives eliminating driving under the influence or distracted driving. EHR and smart watches, for instance, allow doctors access to continuous monitoring of vital signs, looking for abnormalities day-to-day rather than relying on just the annual patient screening. All of these were science fiction or unfathomable even 20 years ago. As a society, we need to be aware and diligent of criminal activity, but being aware shouldn’t scare the world into a techno-free cave.


Cybersecurity Certifications That Make a Difference

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

The security industry is understaffed. By a lot. Previous estimates by the Ponemon Institute suggest as much as 50 percent underemployment for cybersecurity positions. Seventy percent of existing IT security organizations are understaffed and 58 percent say it’s difficult to retain qualified candidates. ESG’s 2017 annual global survey of IT and cybersecurity professionals suggests the biggest shortage of skills is in cybersecurity for at least six years running. It’s a fast moving field with hackers’ crosshairs constantly targeting companies; mess up and you’re on the front page of the Wall Street Journal. With all of the pressure and demand, security is also one of the best paying segments of IT.

Cybersecurity has a different vernacular, with a set of acronyms and ideas far outside even those of its information technology brethren. For the gold standard as a security professional, the title to have is the Certified Information Systems Security Professional (CISSP) from the ISC2 (isc2.org). The requirements have grown increasingly strict since my testing in 2001. Not lax, mind you, but five-year industry minimums and certified professional attestation give the credential even more heft. There is an associate version available, the Associate Systems Security Certified Practitioner (SSCP), that eliminates the time and sponsorship minimums and would be appropriate for someone new to the field.

Adding to the professional shortages are new IT delivery methods, à la cloud computing. Amazon Web Services is the giant in the space, offering several certifications for cloud architecture and implementation. Microsoft and Google round out the top three. These, too, are hot commodities, as cloud is a relatively nascent industry and not very well understood. Layer security onto the cloud platform, and you find certifications such as the Cloud Security Alliance’s Certificate of Cloud Security (CCSK) and, again, the ISC2’s Certified Cloud Security Professional (CCSP). In 2017, Certification Magazine listed cloud security certifications as offering some of the highest salary increases available to an IT professional.

One caveat to all of the excitement around underemployment: recruiters, headhunters and hiring managers. Position requirements are sometimes outlandish or poorly vetted, such as the requisition asking for 10 years of cloud and 20 years of security experience. Amazon Web Services started in 2006. Microsoft Azure and Google Compute Platform were initially seen as cannibalistic to existing revenue streams. Even five years of cloud industry experience is a lifetime, and the industry moves so fast that AWS’s Certified Solutions Architect (AWS-ASA) requires re-certification every two years vs. the standard three for the rest of IT. They, too, have a security exam recently out of beta, the AWS Certified Security Specialty, though it requires one of their associate certifications first.

If you have the appetite for learning, add privacy to the mix. The number of industry vertical regulations (healthcare’s HIPAA, the Payment Card Industry’s PCI-DSS, finance’s FINRA/SOX, etc.) and regionally specific requirements (the EU’s GDPR) have the International Association of Privacy Professionals (IAPP) offering eight Certified Information Privacy Professional (CIPP) certifications. As an IT professional in the US, the Certified Information Privacy Technologist (CIPT) and CIPP/US are probably the most attainable and attractive.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Microsoft Workplace Join Part 1: The Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

It’s no secret that enterprise users wish to access work data and applications from a mix of both corporate and personal devices. In order to help facilitate this mix of devices, Microsoft has introduced a new feature called Workplace Join into Azure Active Directory, Microsoft’s cloud-based directory and identity service. While the intent of streamlining user access to work-related data is helpful, the delivery of this feature has resulted in a large security gap—one that can’t easily be disabled. This is another example of an app vendor optimizing for user experience ahead of appropriate controls and protections—demonstrating the basis for the cloud app shared responsibility model and the need for third-party security solutions like cloud access security brokers (CASBs).

According to Microsoft, “…by using Workplace Join, information workers can join their personal devices with their company’s workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications.”

How does it work?

When a user links their Windows machine to “Access Work or School,” the machine is registered in Azure AD, and a master OAuth token is created for use by all Microsoft client applications as well as the Edge and IE browsers. Subsequent login attempts to any Office resource cause the application to obtain an access token from that master token and log the user in without ever prompting for credentials. The idea behind this process is that logging in to Windows is enough to identify a user and give them unrestricted access to all Office 365 resources.

In plain language, this means that once you log in to Office 365 from any device (Grandma’s PC, hotel kiosks, etc.), you, and anyone else accessing that device, are logged in to Office 365 automatically from then on.

Why is this such a big security issue?

Workplace Join undoes all of your organization’s hard work establishing strong identity processes and procedures—all so that an employee can access corporate data from Grandma’s PC (without entering credentials). Since Grandma only has three grandkids and one cat, it likely won’t take a sophisticated robot to guess her password—exposing corporate data to anyone who accesses her machine. Making matters worse, user accounts on Windows 10 don’t even require passwords, making it even easier for data to be exfiltrated from such unmanaged devices.

Workplace Join is enabled by default for all O365 tenants. Want to turn it off? You’ll have to wait for the next blog post to sort that out.

In the meantime, download the Definitive Guide to CASBs to learn how cloud access security brokers can help secure your sensitive data.