Defeating Insider Threats in the Cloud

October 27, 2016 | Leave a Comment

By Evelyn de Souza, Data Privacy and Security Leader, Cisco Systems  and Strategy Advisor, Cloud Security Alliance

insider-threatEverything we know about defeating the insider threat seems to not be solving the problem. In fact, evidence from the Deep, Dark and Open Web points to a greatly worsening problem. Today’s employees work with a number of applications and with a series of clicks information can be both maliciously and accidentally leaked.

The Cloud Security Alliance has been keen to uncover the extent of the insider threat problem with its overall mission of providing security assurance within Cloud Computing, and providing education to help secure cloud computing.

As a follow up to the Top Threats in Cloud Computing and over recent months we surveyed close to 100 professionals on the extent of the following:

  • Employees leaking critical information and tradecraft on illicit sites
  • Data types and formats being exfiltrated along with exfiltration mechanisms
  • Why so many data threats go undetected
  • What happens to the data after it has been exfiltrated
  • Tools to disrupt and prevent the data exfiltration cycle
  • Possibilities to expunge traces of data once exfiltrated

We asked some difficult questions that have surprised our audience and that many were hard pressed to answer. We wanted to get a clear picture of the extent of knowledge and where the gaps lay. We hear lots of talk about the threats to the cloud and challenges that organizations facing it take. And, in the wake of emerging data privacy regulation, we see much discussion about ensuring levels of compliance. However, the results of this survey show there is a gap with dealing with both present and future requirements for data erasure in the cloud. And, that despite the fact that accidental insider threats or misuse of data is a common phenomenon, there is a distinct lack of procedure for dealing with instances across cloud computing.

To provide insights on what happens to data after it has been exfiltrated, we partnered with LemonFish to obtain their unique insights. Download this Cloud Security Alliance Survey report.

Everything You’ve Ever Posted Becomes Public from Tomorrow

October 26, 2016 | Leave a Comment

By Avani Desai, Executive Vice President, Schellman & Co.

everything-youve-ever-posted-becomes-public-from-tomorrow

As I sit here, ironically just wrapping up a privacy conference, scrolling my Facebook wall,  I am seeing dozens of posts from smart, professional, aware people, all posting an apparent disclaimer to Facebook in an attempt to protect their personal privacy from the new Facebook privacy policy. This disclaimer, known as UCC 1 1-308-308 1-103 and the Rome Statute, is in fact a hoax. It first surfaced in 2012 but is making the rounds again. The post encourages users to share a Facebook status which allows them to be immune from Facebook sharing any of their data uploaded to their platform.

As I read my Facebook wall – I realized this isn’t new, these disclaimers had the same tone as the old chain letters, which had the stark warning, “DEADLINE tomorrow.”  I suddenly got flashbacks to 1980 when my mother would walk in the door, her face full of terror, after checking the mail, holding a chain letter in her hand. She would sit down on the dining room table frantically writing the same letter over and over to make sure our family avoided famine.  This Facebook hoax is the 2016 version of the chain letter– minus the hand cramps.

My first reaction, as a privacy professional, is to scream at my screen. The second reaction is to write on every single one of their walls and explain the concept of opt-in vs. opt-out and the use of Facebook privacy settings. My third reaction, after my initial annoyance subdued, was to educate; educating Facebook users about what level of privacy they should expect from a platform like Facebook.

In our society today, we fortunately have a heightened awareness of personal privacy online – we care about what people and organizations do with our personal data.  This is especially true in the post-Snowden era.  Yet, our urge is to share, over share, it is a human instinct.  We sternly tell our children and our employees “think before you post on social media … anything you post today can be seen years from now” and “nothing is deleted in the technology era.” We question the government when there is a breach and we diligently check our credit reports to make sure we were not victims of identity theft. This increased awareness of security and privacy is borne out by industry analysts like Forrester who have seen a sea change in attitudes towards privacy, as people become more aware of the issues surrounding the sharing of personal data on social platforms. This Facebook “chain-disclaimer” proves how passionate the public is about their privacy.

However, there still lacks a fundamental understanding of online privacy since many educated people believe that you can share, share, share, but by simply pasting a short statement they will be fully protected. This then, leaves us with a question. Why doesn’t the mainstream user understand privacy? There are a number of reasons why this may be the case. I have attempted to highlight some of them here, from a technical viewpoint but I am sure sociologists, anthropologists and psychologists could offer more insights.

  1. Privacy policies are only for the lawyers. Privacy and the policies that shore privacy up are written in legalese that the average person cannot understand.  If you are like most people, you click through those policies, hitting, next, next and next until you see submit so you can go on your merry way of using your new program, software, or service.  I look forward to the day when companies offer an abridged version of their privacy policy to really understand what you are agreeing to. However, on the positive side, there have been a number of campaigns by industry leaders, such as the International Association of Privacy Professionals (IAPP) that are encouraging a more user friendly language approach to privacy policy writing, so those CliffsNotes may not be too long off.
  2. Opt-in and opt-out isn’t as clear as it should be. In good privacy policy best practice, the advisory is to always offer opt in. However, the U.S. is an “uncheck the box”  Companies will always have the box checked for you and let’s face it, we all skim through text and we don’t read the fine print, in which case you’ll probably have opted into getting a wide variety of communication that effectively becomes spam.
  3. Breaches get a lot of media attention – but prevention isn’t top of an individual’s mind. We need more education on how to protect our personal data and understand who has access and what can be done with that data.

So what can you do to be a good digital citizen?
Mostly it’s about being aware:

  1. Privacy aware – Use, update, and care about your privacy settings. They are there to allow you to make the choice of what you want to share and with whom. Configure your privacy settings; they are there to tell the hosting organization, e.g. Facebook, what to share and with whom. Putting a privacy disclaimer notice on your wall, or in an email, spoof or not, will not have any effect on what the hosting platform shares.
  2. Spam aware – Fact check before spreading the good word. If it is on the Internet, even from a reputable source, it may not be true. Remember those ‘Nigerian Prince’ spoof emails? Of course he was neither a Nigerian nor a prince, but rather a popular email scam.  Or remember that email from your mom telling you she is stuck in on some island without her passport and she needs $10,000 dollars?  A quick check on snopes.com usually will tell you if it is true or not.
  3. Spoof aware – Don’t share links or “like” things on Facebook to win prizes. Most of the time when you see Disney saying they are giving away free cruises, or Target has a $500 gift card for you, or Bill Gates is going to send you $10 for every share that post gets – put on your logical cap;  most likely, these offers are too good to be true.  Offers like these are typically after personal information, or to get access to your social profile, or even share dangerous links with friends for a social engineering attack.

At the end of the day, the Facebook privacy disclaimer hoax is a lesson for all of us on personal privacy.  Social media is like a wildfire for spreading information and the more we rely on digital venues to get our news, share updates with our family, share pictures, and for professional use, the more diligent we have to be in our understanding of what privacy is and the impact it can have.  In the meantime, please, please, please go delete that paragraph long status off your wall and instead post a picture of your cute kids!

Five Prevention Tips and One Antidote for Ransomware

October 25, 2016 | Leave a Comment

By Susan Richardson, Manager/Content Strategy, Code42

ncsam_twitter_1024x512_asym_rjm2-01editDuring National Cyber Security Awareness Month, understanding the ins and outs of ransomware seems particularly important—given the scandalous growth of this malware. In this webinar on ransomware hosted by SC Magazine, guest speaker John Kindervag, vice president and principal analyst at Forrester, talks about what ransomers are good at—and offers best practices for hardening defenses. Code42 System Engineer Arek Sokol is also featured as a guest speaker, defining continuous data protection as a no-fail solution that assures recovery without paying the ransom.

The art of extortion
Kindervag says ransomers are good at leveraging known vulnerabilities when organizations are slow to patch. They are also excellent phishermen, posing skillfully as trusted brands to lure their prey; collaborative entrepreneurs who learn and share information; and enthusiastic teachers, eager to impart how to pay in bitcoin for the unschooled.

Like Pearl Harbor, Kindervag says, the day the enterprise gets hit with across-the-board ransomware will live in infamy—unless the organization has planned for the event with effective backup.

Kindervag advises the following to prevent the delivery of ransomware:

  1. Prioritized patch management to avoid poor security hygiene that puts computer systems at risk.
  2. Email and web content security that includes effective anti-spam, gray mail categorization, and protection for employees against poisoned attachments.
  3. Improved endpoint protection with key capabilities that include prevention, detection and remediation, USB device control to reduce the ransomware infection vector, and isolation of vulnerable software through app sandboxing and network segmentation.
  4. Hardening network security with a zero trust architecture in which any entity (users, devices, applications, packets, etc.) requires verification regardless of its location on or with respect to the corporate network to prevent the lateral movement of malware.
  5. A focus on clean, effective backups.

The ransomware antidote
Following Kindervag’s “hardening defenses” presentation, Sokol reports on the number of businesses hit by ransomware in 2015 (47 percent) and how many incidents come through the endpoint (78 percent). He also dispels the rumor that file sync and share are synonymous with rather than antithetical to endpoint backup.

ransomware-in-the-workplac

 

During the webinar, Sokol demonstrates the extensibility of modern, continuous, cross-platform endpoint backup. He describes the efficacy of endpoint backup in recovering data following ransomware or a breach, its utility in speeding and simplifying data migration and its ability to visualize data movement—thereby identifying insider threats when employees leak or take confidential data. Don’t miss it.

ncsam_blogbanner_785x150_rjm2-01

 

Happy Birthday to… Wait, Who’s This Guy?

October 11, 2016 | Leave a Comment

By Jacob Ansari, Manager, Schellman

birthday-whoHow many arbitrary people do you have to get into a room before two of them share the same birthday? Probability theory has considered this problem for so long that no one is quite certain who first posed the so-called “birthday problem” or “birthday paradox.” What we do know is that this occurs with many fewer people than we might have guessed. In fact, there’s a 50% chance that two people will share a birthday (month and date) with only 23 people. That confidence goes up to 99% with 75 people.

Beyond just awkward situations about who gets the first slice of cake, this idea has applications in cryptography and security situations. The short of the idea is that things that seem unpredictable or unlikely are often much more likely than we would think. For a security system based on random numbers and unpredictability, this can pose a few dangerous security problems. Some researchers from the French Institute for Research in Computer Science and Automation (INRIA) recently published some work that shows significant weaknesses with practical exploits in 64-bit block ciphers, particularly 3DES and Blowfish, and in their most common uses in HTTPS and VPN connections.

Most modern ciphers that use a symmetric key, that is a key that both parties need to have to encrypt and decrypt messages, are what cryptographers call “block ciphers.” They encrypt blocks of data, rather than bit by bit. Often, the block length is the size of the key, but in some cases it isn’t. So a 3DES cipher, which performs three cryptographic operations using 64-bit blocks and 64-bit keys (technically 56-bit keys with eight bits used for error checking) divides up its message into 64-bit segments and encrypts each one. The problem related to the birthday paradox is this: when you have a 64-bit key, an exhaustive attack would potentially need to try 264 guesses at the key value to see if it could decrypt the encrypted message (this is what we call a brute-force attack).

In practice, however, block ciphers use what are called modes of operation, which link blocks of messages together. In these situations, with a 64-bit block length, encrypting more than 2 (block length/2) or 232 bits of data presents a well-known cryptographic danger. The operation will inevitably repeat enough data for patterns to emerge and for an attack to determine the key from these patterns. Thus, good design prevents more than 232 bits of data encrypted by the same key, and cryptographers refer to this as the birthday bound.

This attack goes from theoretical to practical in two significant applications: HTTPS using 3DES (typically with TLS 1.0 or earlier), and OpenVPN, which uses Blowfish (which has 64-bit blocks) as its default cipher. With 64-bit blocks, the birthday bound is approximately 32GB of data transfer, which is something a reasonably fast connection can handle in about an hour. Thus, the practicality of collecting these data and attacking the key is an entirely reasonable prospect. Further, modern uses of HTTPS and VPN connections often find cases where the session lasts for long periods of time, and thus continues to use the same key for those long periods, making both the recovery of the key and its use in an attack practical and effective.

Ultimately, the solution for this kind of attack is to replace the use of 64-bit block ciphers with 128-bit block ciphers like AES. In many cases, the capability to do this already exists and organizations facing this threat can do so with reasonable expedience. In some cases, particularly when supporting legacy connections such as TLS 1.0 and the corresponding support for 3DES ciphers, this becomes more complicated. While many organizations have made advances in moving to more secure block ciphers, others have compatibility and legacy support issues. These kinds of advances in attacks make those transitions all the more urgent.

Organizations currently in transition should strongly consider accelerating those efforts and eliminating the use of ciphers like 3DES and Blowfish entirely.

Minister Denis Naughten to Address EU Security Directive at (ISC)2 Security Congress EMEA

October 11, 2016 | Leave a Comment

b076fee56e884b058184b31773b38f36Denis Naughten will address (ISC)2 Security Congress EMEA delegates on the latest developments in Ireland’s National Cyber Security Strategy since its launch in 2015, including the requirement to transpose the European Union Security of Network and Information Systems Directive (2016/1148) into national law by May 2018. The digital economy is growing at 20 percent per year, and securing this sector is vital for the country’s long-term growth and nurturing its cloud computing and big data industries.

The full agenda can be found here.

Organized in partnership with MIS Training Institute, the Congress will feature three intensive days of deep-dive workshops, interactive think-tanks, panel debates and over 40 speakers discussing current events from the use of robots in security to the need for a new ‘creative commons for privacy’.

Denis Naughten T.D., Minister for Communications, Climate Action and Environment said: “At a time when we are building capacity on cyber security to help industries bolster their cyber defences, I am pleased to support the (ISC)2 community in bringing together professionals across every tier of industry, here and across EMEA, to align international efforts against the cyber threats we face. Online threats are not confined to one industry or country, so we can no longer work in isolation but must share knowledge and expertise across sectors.”

Other confirmed keynotes speakers include:

  • Ade McCormack, Digital Strategist, and Financial Times columnist
  • Barrie Millet, Head of HSSE & Resilience, E.ON U.K.
  • Eoin O’Dell, Associate Professor, School of Law, Trinity College Dublin
  • Nick Hawes, Reader in Autonomous Intelligent Robotics, School of Computer Science, University of Birmingham (U.K.)
  • Mark Carolan, Head of Research and Development, Espion

Adrian Davis, Managing Director EMEA, (ISC)2, said: “Bringing together the largest network of working professionals in EMEA, this Security Congress will enable attendees to draw on a pool of front-line experiences and cybersecurity best practice from every sphere of society. It is also a great opportunity for professional development, with a range of speakers who are leaders in their fields sharing some of their world-leading expertise with the audience. Our vision is to create a safe and secure society and that can only be achieved by professionals from every walk of life, working together.”

The Cloud Security Alliance will be exhibiting at this year’s congress, and you can join us by booking here and quoting CSA2016.

HIPAA Violations Examples and Cases – Eight Cautionary Tales

October 6, 2016 | Leave a Comment

By Ajmal Kohgadai, Product Marketing Manager, Skyhigh Networks

hipaa-violations-blog-bannerThe Health Insurance Portability and Accountability Act (HIPAA) helps protect patient privacy by requiring healthcare organizations and their business associates to protect sensitive data — including how the data is used and disclosed. As the healthcare industry is increasingly being targeted by cyber attackers, HIPAA gives healthcare organizations minimum benchmarks for assessing and implementing their cyber defenses.

Patient health data is highly sought after by cyber criminals because they can exploit it in many different ways and for much longer periods of time as compared to information such as credit card numbers. On black market marketplaces on the Darkweb, stolen medical data can sell for 10 to 20 times more than credit card data. One report found that stolen Medicare numbers sold for nearly $500 each.

Because medical records are rich with information, they can be used for committing identity theft, medical identity theft, and tax fraud; obtaining loans or credit cards, sending fake bills to insurance companies; obtaining and then reselling expensive medical equipment — and the list goes on. And unlike a credit card number, that can easily be cancelled if it has been compromised, medical health records can’t be altered and tend to last a lot longer. Stolen medical records of terminally ill patients are especially valuable because that information can be used to receive other services on behalf of the patient long after the patient has passed away.

HIPAA requires that healthcare organizations report any data breaches involving more than 500 patient records. According to the HHS web portal, there have been 205 such breaches so far this year. Many data breaches of electronic protected health information (ePHI) that have resulted in HIPAA fines were the result of carelessness or lack of data protection and could have been avoided.

Numerous HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. A risk assessment is a foundational step that healthcare organizations must take in order to evaluate all the vulnerabilities, threats, and gaps in defenses in order to mitigate security risks.

The Worst HIPAA Violations — and What You Can Learn from Them

Advocate Health Care Network, $5.5 million
This is the largest HIPAA settlement as of September 2016 and was the result of three separate data breaches that affected a total of 4 million individuals. One of the incidents involved an unencrypted laptop that was stolen from an employee vehicle and another incident involved the theft of four computers.

The Department of Human and Health Services Office of Civil Rights (OCR), which enforces HIPAA, noted that Advocate Health Care failed to conduct an accurate and thorough risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI. This risk management plan needs to include not only technical but also physical and administrative measures.

New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
In a joint case, the two organizations were fined after 6,800 patient records were accidently exposed publicly to search engines. The breach was caused by an improperly configured computer server that was personally owned by a physician. The server was connected to the network that contained ePHI.

NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data. It also didn’t have appropriate policies and procedures for authorizing access to patient databases. Both of these violations would have been easy to prevent through administrative processes.

WellPoint, Inc., $1.7 million
The managed care company exposed the records of more than 600,000 individuals over the internet after upgrading an internet-based database containing ePHI. WellPoint didn’t know about the breach until a lawsuit notified the company that the data was available through a web portal.

This kind of incident could be avoided by:

  • Performing a technical evaluation of changes resulting from software upgrades ahead of deployment
  • Implementing technology, policies, and procedures for authenticating users that are accessing ePHI as well as limiting the categories of users who can access the data.

Anchorage Community Mental Health Services (ACMHS), $150,000
A malware infection compromised the records of more than 2,700 individuals. ASMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources.

This case underscores the importance of having policies and procedures in place for running regular updates and patches. It’s a simple yet often ignored practice that could have major implications.

St. Elizabeth’s Medical Center, $218,400
This settlement stemmed from two incidents, one of which was in connection with staff use of a cloud-based file-sharing application. Specifically, the medical center did not evaluate the risks of using this cloud service, putting ePHI of nearly 500 people at risk.

As more healthcare organizations are embracing the cloud as a scalable, cost-effective and flexible solution for storing and sharing patient data, it’s critical to conduct a risk assessment prior to migrating to a cloud environment. This evaluation should also include a comprehensive analysis of the security capabilities of prospective vendors.

University of Mississippi Medical Center (UMMC), $2.75 million
UMMC reported a breach after a password-protected laptop loaned to a visitor went missing. Subsequently, OCR’s investigation found that users could access a network drive containing ePHI via a wireless network with a generic user name and password. The accessible network drive contained ePHI of 10,000 patients dating as far back as five years.

According to Verizon’s 2016 Data Breach Investigations Report, more than 60 percent of data breaches in 2015 involved weak, stolen, or default passwords. Passwords are a major problem that can have serious consequences for organizations, yet it’s a problem that’s easy to mitigate by implementing strong password-management policies as well as techniques like multi-factor authentication.

Triple-S Management Corp., $3.5 million
This case was the result of multiple, extensive violations involving several subsidiaries. One notable violation related to two former employees whose access rights to a restricted database were not terminated when they left the company. The two then accessed the internet Independent Practice Association (IPA) database, which contained members’ diagnostic and treatment codes, while being employed by a competitor.

Just like poor password-management policies, user-privilege policies are a major problem for organizations. Too often, user access is not terminated when employees leave the company or move to another position within same company that changes their status. Many unauthorized access incidents can be avoided with tools and procedures that manage user access.

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI), $1.5 million
OCR found multiple violations after investigating the theft of a personal unencrypted laptop containing patients’ prescriptions and clinical data. The violations included longtime failures to conduct a risk analysis and implement security measures for portable devices.

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” OCR Director Leon Rodriguez said in the announcement.

Many of the HIPAA settlements to data have involved stolen or lost devices such as laptops as well as removable media like USB drives. What makes this case stand out from many others involving stolen or lost laptops is the fact that this was a personal device.

As healthcare organizations become more open to the bring your own device (BYOD) policies, it’s important to have practices and procedures in place for devices that are not managed by the IT department. Best practices could include credentialing or “registration” of personal devices and controls for giving IT staff advance permission to remotely wipe or lock a stolen device.

 

Ransomware: Just Say No to Stronger Scare Tactics

October 4, 2016 | Leave a Comment

By Susan Richardson, Manager/Content Strategy, Code42

ransomware-blog-postAh, those ingenious cyber criminals. They keep coming up with ever more frightening ransomware threats. JIGSAW warns victims it will delete files every hour until they pay $150 USD in bitcoins. Chimera threatens to publish the victim’s files online for all to see. Cerber ups the ante by enlisting a creepy robotic voice to tell victims their files have been encrypted. And now the latest ransomware hopes to intimidate victims by showing their location on Google Maps. In other words, “We know where you are.”

But wait, there’s more
Dubbed CryLocker, the new ransomware is getting publicity for another unusual trait, as well. Instead of sending affected files to remote command and control (C&C) servers for the attackers to access, it encodes the victim’s files into a bogus PNG image file and uploads it to a free online image hosting site, either Imgur or Pastee. Security researcher MalwareHunterTeam, which detected the new strain in August, said it found PNG images for more than 10,000 victims inside CryLocker’s Imgur album.

Although the official name of the ransomware is CryLocker, it’s also referred to as the Central Security Treatment Organization ransomware based on the bogus organization name displayed on its payment site—or Cry ransomware because it appends the .cry extension to encrypted files.

Never pay the ransom
The good news is that if CryLocker victims have modern endpoint data protection, ransomware recovery is no big deal. Because endpoint security solutions such as Code42 CrashPlan can restore files from a backup time just before the attack, users never have to pay up—no matter how creative or intimidating ransomware threats get.

Ran$umBin: Disruptive Innovation for the Black Market

September 22, 2016 | Leave a Comment

By Susan Richardson, Manager/Content Strategy, Code42

ransomware-infographicSometimes the ingenuity of the free market is truly remarkable. And in the case of the new black market for ransomed data, remarkably scary. One of the latest triumphs of the entrepreneurial spirit is Ran$umBin, a sort of eBay for ransomers—or as Dark Reading described it, “a one-stop shop for monetizing ransomware.”

The ransomware middleman
Much as eBay acts as the middleman for sellers of all sizes, Ran$umBin popped up in early 2016 to act as a proxy for data ransomers. The site gives cyber thieves three options: Lock up the victim’s data and use the site as a payment proxy for the ransom; “dox” the victim, posting the stolen, sensitive information on the site to add extra urgency to the payment demands; or sell the stolen data to a third party and let them handle the extortion (or use the data in some other way). The site provides an easy bitcoin-based payment interface, and Ran$umBin takes a cut of every payment.

Making the ransomware business easier, lowering risk for veterans and newcomers 
Stealing or locking up data isn’t the tough part of the ransomware business (flawed systems and unreliable users make that way too easy). It’s the payment side—making direct contact with a victim and exchanging currency—that poses the highest risk. In eliminating this risk and handling the logistics of payment, Ran$umBin serves to streamline the business of ransomware.

Comparisons to eBay, Uber or Airbnb, are apt—and alarming—in this context. These disruptive innovations made it easy for the little guy to go into business for himself, particularly by streamlining and reducing risk around payment. Sites like Ran$umBin effectively lower the barrier to entering the cybercrime business, making it easier than ever for anyone to make money in the ransomware game.

Ran$umBin: We’re just an honest business—with great customer service!
The creators of Ran$umBin tell a familiar story, claiming that they’re a neutral business that just provides an honest service for activity that’s going on anyway. Interestingly, they say they view their responsibility as serving and protecting the “safety” of their customers, meaning both the data thieves and their victims. This business mission takes shape in the strange regulations that supposedly govern the site. Ran$umBin claims they validate stolen data to make sure it’s not inaccurate, old or irrelevant, though they don’t explain how this vetting is accomplished. An even more bizarre claim of business ethics: Ran$umBin says they won’t let an individual victim be extorted more than 10 times. But nine times is perfectly reasonable. How noble.

A sign of things to come
Ran$umBin hasn’t seen much activity so far, but that’s no reason for comfort. This is just the free market’s first shot at a solution for enterprising data thieves. Think of how Facebook took the MySpace idea to a higher level. With ransomware increasingly becoming big business, new and better versions of sites like Ran$umBin are sure to pop up soon, fueling the overall ransomware market with bigger incentives, more organization and greater sophistication.

The simple antidote: Back up your data—don’t pay the ransom
The free market drives some pretty crazy innovation, but it also follows some pretty simple rules. Namely, if the money dries up, the market looks elsewhere. Fortunately, snuffing out the cash flow to data thieves couldn’t be easier: Back up your data. When ransomware hits, you’ll be certain your data is preserved. You’ll be certain the restore will be fast and comprehensive. You’ll be certain that you never have to pay the ransom.

EFSS Spreads Ransomware; Endpoint Backup Guarantees Recovery

September 14, 2016 | Leave a Comment

By Kyle Hatlestad, Principal Architect, Code42

flowchartOne of the objections I’m hearing more and more is, “Why do I need backup when I have Microsoft OneDrive for Business (or Google Drive, Box or Dropbox for Business)?” On the surface, it may seem like endpoint backup isn’t needed because with an enterprise file sync and share (EFSS) tool, a copy of the data is in the cloud. But if you dig a bit below the surface, you’ll find there are several distinct differences. We cover those in our Top 3 Iron-Clad Reasons Why File Sync/Share is Not Endpoint Backup, so I won’t go into them here.

Instead, I thought I would illustrate a situation in which it’s painfully obvious why it’s important to have modern endpoint backup. Every organization today is facing ransomware. No matter how sophisticated your defenses, ransomware invariably finds a way through.

For example, Jeff, a recruiter from the Human Resources team, is reviewing resumes to fill a new position. He receives an email with a link to download a resume in Microsoft Word. As part of his process, he downloads the resume to his OneDrive “Job Postings” folder which is shared with his HR co-workers. The document is automatically uploaded to OneDrive and synchronized to his co-workers’ devices.

Unfortunately, this is no ordinary resume. It contains a crypto-ransomware. When Jeff opens the resume, the ransomware takes hold and begins encrypting the files on his local device as well as network shares. Because Jeff saves a lot of files in his OneDrive folder, as the ransomware encrypts those files, OneDrive then syncs them to the cloud. And for any shared/team folders he has, the encrypted files are synced to his co-workers as well as to any publically shared files/links. And even though Jeff is supposed to save all of his files to OneDrive, he keeps a bunch on his desktop where he likes to work. He’s also got a big .PST email archive sitting on his device as well. All of those files are being encrypted by the ransomware to lock out access.

Because Jeff saved the file to a shared HR folder, the ransomware file now appears on his co-worker Julia’s laptop. Julia takes a peek at the resume and now the ransomware starts attacking her device.

At this point, Jeff tries to open one of his files and gets the dreaded ransom note. For just one bitcoin, he can get his data back. He contacts the help desk to let them know what happened and get help. OneDrive keeps previous versions, so no problem, right? Help desk then informs Jeff that he can get his earlier file versions, but he has to do it file-by-file! And for those files that were saved outside of OneDrive, he’s out of luck. Next up is Julia who calls up help desk and is in the same boat as Jeff. Not only did EFSS not help with recovery, it actually spread ransomware!

Well, that’s when it becomes clear that EFSS is not a true backup solution. EFSS leaves it up to the user to pick the right spot to save his data. And when it comes time to remediate from an event like ransomware, EFSS is not equipped to handle large restores. Even EFSS vendors themselves recommend having a true backup of the data to recover from an event like ransomware.

Hopefully this real-world scenario makes it easier to distinguish the differences between file sync & share and modern endpoint backup—and the advantages of true endpoint backup when recovering from ransomware.

Eight Questions to Ask When Evaluating a CASB

September 12, 2016 | Leave a Comment

By Rich Campagna, Vice President/Products & Marketing, Bitglass

8_questions_casb_imageCloud Access Security Brokers are the hottest technology in enterprise security right now, topping Gartner’s Top 10 list two years running. Widespread adoption of major cloud apps like Office 365 (and corresponding cloud security concerns) are accelerating CASB adoption in every major industry, from financial services to healthcare.

If you’re like most enterprises, you’ve already decided that a CASB can help you meet your security & compliance goals when moving to the cloud. The next step is to figure out how to evaluate a CASB. There are 8 key questions you should be asking when evaluating a CASB. Drumroll please…


1. How does the CASB differ from security built into my cloud apps?
Each cloud app vendor makes their own decisions on what types of security functions to build into their application. One app may include encryption for data-at-rest, but not transaction logging. Another app might offer the opposite. Ensure that the CASB vendor is offering value above and beyond what is built into your applications. And don’t shortchange the value of a single policy enforced across cloud applications or inter-cloud user behavior analytics.

2. Does the CASB protect cloud data end-to-end?
Cloud data doesn’t only exist in the cloud – as soon as you deploy, your end users will arrive with an arsenal of devices and start syncing or downloading data. Very quickly, your cloud security problem becomes a mobile data protection problem. Ensure that your CASB is able to protect not only data-at-rest in the cloud, but data downloaded to devices (both managed and unmanaged – see #3 below).

3. Can the CASB control access from managed and unmanaged devices?
A user logging in from an unmanaged device represents more risk than the same user logging in from a fully patched and protected laptop running an approved corporate image. Whether we like it or not, most organizations need to extend at least some access to the unmanaged device. Make sure your CASB can control access from these devices as well as unmanaged devices – and note that this means you’re not likely to be able to install agents or reconfigure these devices.

4. Does the CASB provide real-time visibility and control?
If data leaks for 30 minutes is it still data leakage? Absolutely. While there are some CASBs that operate entirely via API integration into major cloud apps, API-only approaches are subject to notification delays in the APIs, which may mean minutes, even hours of data leakage before something like an external share can be revoked. Only a hybrid approach, which leverages both API and proxies ensures total data protection.

5. Can the CASB encrypt uploaded data?
Many organizations will decide that encryption is the best way for them to safely adopt cloud apps. If this is even a consideration for your company, make sure that you’re covered, as many CASBs do not offer encryption functions. Also beware that it is common for CASB vendors to weaken encryption in order to preserve application operations like search and sort

6. Does the CASB protect against unauthorized access?
Visibility into suspicious activities is helpful, but is usually too little too late. You want proactive protection against unauthorized access, something only a CASB with integrated identity management can offer. So for that often cited example of “detecting” a user logging in from two locations simultaneously, wouldn’t it be better if the CASB could force a step-up to multifactor authentication on both devices as soon as the rogue session is attempted?

7. Can the CASB help me detect risky network traffic, such as shadow IT or malware?
Understanding the unsanctioned apps in use by your employees is helpful, but what if that isn’t the riskiest traffic leaving your corporate network? Leading CASBs have moved beyond simple shadow IT discovery to rank and prioritize the riskiest traffic on your corporate network – whether that is shadow IT, malware, anonymizers, etc.

8. Will the solution introduce scale or performance issues?
Look to CASBs that have deployed on a global, high performance infrastructure. Appropriately architected and deployed, a CASB can actually have a CDN-like effect on your cloud applications, increasing performance versus going direct to the app!


CASBs are the most effective way to ensure a secure, compliant cloud deployment. By asking these 8 questions, you can ensure that you select the right vendor for your organization. Learn more about CASBs here.