TOP 6 TIPS FOR MANAGING VENDOR RISK

This year has gotten off to a great start… if you’re a cybercriminal. Already threats like ransomware are on the rise, with the FBI’s April blog post on the issue showing the prevalence and success of this type of malware. Of course, if you’re not a cybercriminal then this isn’t such a great start. Cyber security, which was once almost an afterthought, is now a critical part of a business strategy and a board level consideration. As our business and vendor eco-systems become ever more connected, through Internet communications and the ensuing Internet of Things, cybercrime considerations can only become even more of a focus for our businesses. This is why it is of paramount importance to extend your security thinking and strategy out into the reach of your vendor eco-system, as you can guarantee that cybercriminals will take advantage of any chink in your armor. 

With this in mind, let’s look at some approaches to keeping your vendor relationships optimized for security.

Top Tips to Keep Your Vendor Eco-System Secure

Controlling vendor risk management is the key to creating secure vendor eco-systems. It results in an all-round better way to do business as it increases trust and decreases risk. If done well, it can also bring about more collaborative and productive partnerships that can be used as best practices for other relationships. The following tips are a good place to start on the road to a more secure vendor relationship management program. But the main thing to remember is that this is a process and all good processes need feedback from which to improve.

Tip 1: Don’t reinvent the wheel: Use NIST advice.

Before you set out on creating your own vendor relationship security strategy, you should get to grips with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The framework outlines a set of guidelines that give you the starting points for creating a robust security strategy. The five main areas it looks at are: Identify, Protect, Detect, Respond, and Recover. You can read more about this on the Atlas blog.

Having a well thought out security strategy in place is the starting point for creating an extended strategy for your vendor eco-system. Your security strategy must reach out to encompass all of your assets, which includes those shared across that eco-system. Setting out your stall in this way lets you have a clear view of your security needs and allows you to move onto the next part of the process of securing your vendor relationships.

Tip 2: Make wise choices. 

Choosing which vendors can become part of your wider eco-system is part of the process of risk management. This process can also encompass security, by adding security requirements to your vendor due diligence. Knowing how a vendor handles, for example, the sharing of sensitive documents can give you a heads up on any issues that may occur down the line. Attending to potential vulnerabilities at the point of entry to a partner program helps prevent future breaches. Having a partner program and vendor enrolment process that emphasizes the security aspects of the relationship creates an ethos of secure thinking. If a vendor has an issue with this at the start, then they may not be right for your organization going forward.

Tip 3: Communication is king.

One of the driving forces in modern cyber security is collaboration. The U.S. government has brought in the Cyber Intelligence Sharing and Protection Act (CISPA) for the purpose of sharing information about security threats between commercial and government organizations; the idea being that a “problem shared is a problem halved”. Not everyone agrees with the tenets of the act, but the concept of collaboration around security issues is a sound one. Inter-vendor security collaboration will help you to mitigate risks through a program of education and shared knowledge. Even setting up partner program awareness sessions, covering general security training and compliance requirements, can be an important step in ensuring everyone is at the same level of security thinking.

Tip 4: Get authentication right.

We’ve seen from a number of high profile cyber attacks that the root cause has been poor authentication measures. For example, the Target Corp. attack was due to a third party (HVAC) vendor being phished; the username and password they used for privileged access to Target’s systems were stolen. If there had been better authentication measures in place this could have been prevented, even though the vendor had been successfully phished. There are ways authentication can be hardened against phishing attempts. Second factor authentication can be applied to many applications. This can be in the form of an SMS text code, mobile app code, or hardware token code. If user experience is a concern, then you can use adaptive authentication to ‘up the ante’ in terms of authentication requirements. For example, if you detect that a login request is coming from an internal IP address, then you can apply single sign on (SSO), but if it’s from a third-party vendor’s IP address, or anywhere else, then you can force the use of a second factor, or even further login credentials, like requesting an answer to a personal question. In any extended system where you only have arm’s-length control, strong authentication should be a serious consideration.

Tip 5: Automation equals  

Don’t go it alone. Most modern enterprise organizations are dealing with tens of thousands of vendors in their supply chains. Manual spreadsheet assessments and required documentation sent and received via email worked just fine when there were only a couple of hundred outside vendors to deal with. As mentioned earlier, supply chains are only getting larger and we are growing more connected over time. To truly pinpoint risks in the supply chain, you must have an automated system on which to conduct vendor assessments and collect supporting documentation.

Tip 6: Assume there is no perimeter and always innovate around security. 

The world has never been smaller, because of the interconnectedness of almost everything. This is being embraced by vendor platforms too, with Cloud delivery being seen as a way of increasing productivity. This takes your security thinking into a new arena of web-based threats. If you follow tips 1 to 5 to begin the process of securing your vendor relationships, and you use the advice from OWASP on the top ten web threats, then you will be well on your way to having a robust overall security strategy for your eco-system, protecting your own organization as well as all of those in your vendor programs.


The Bad Ads Affecting Cybersecurity

One of the most worrying vectors in the history of cybersecurity is becoming the weapon of choice of the cybercriminal. Malvertising, or malicious ads, is a force to be reckoned with: according to Cyphort, attacks have increased by 325%.

What is Malvertising?

Malvertising isn’t new. Using malicious ads as a vector to push out malware has been around as a technique since around 2007.  However, it is becoming even more sinister and successful because of some hacker innovations in the area. The original version of a malvertising campaign relied on user intervention. However, in recent attacks, no user intervention was needed to end up infected with malware. This is the sinister twist in the malicious ad tale that is leaving consumers and businesses alike reeling.

The reason that malvertising is so successful is down to how the cybercriminal plays the system. Ads are served up across Internet sites from centralized ad networks, such as Google AdSense and Media.net. There are many of these types of networks, serving up ads that reach hundreds of millions of users across the Internet. Cybercriminals use these networks to push their malicious ads out across legitimate websites. It is this use of a legitimate and trusted process and website that makes malvertising so difficult to control and spot. As the networks become savvier about spotting infected ads, the cybercriminals stay one step ahead. They are known to place clean ads (paying for the service themselves) and, once these are accepted and pushed out across the network, to use command and control services to infect the ad with malware.

Malicious ads do still occasionally use the click to install method of malware infection. In this case, the malware is activated on clicking the ad. If a vulnerability is present in the user’s browser, or software add-ins like Flash or Java, then the malware runs using that exploit. However, there is an increase in the use of independent exploit kits to perform the infection, as these require no user intervention. In this scenario you have an infection method known as a ‘drive-by-download’ taking place. Drive-by-downloads work by performing a silent redirection from the site hosting the ad, to a spoof site hosting the exploit kit. This redirection is often very fast and hardly noticeable. On the spoof site sits an exploit kit; the Angler exploit kit seems to be a popular choice. In fact, in Cisco’s Midyear Security Report for 2015 they found that 40% of user penetration was caused by the Angler exploit kit. An exploit kit works by finding vulnerabilities in software on your computer, usually browser and browser add-in software; if found, it uses these to install the malware.

The types of malware installed by malvertising attacks are varied, but a spate of ransomware attacks has taken place recently. Other types of malware popular with malvertising cybercriminals are those that steal login credentials.

Examples of the Success of Malvertising

Using legitimate networks to push ads out means that attacks are prevalent on well-known and trusted websites. Here are some examples of recent malvertising attacks:

In an attack in early 2015, which infected major sites like Huffington Post, a Hugo Boss ad was used as the conduit for malware. This attack didn’t use a redirect to an exploit kit (EK). Instead the kit was packaged up into the ad, which got through the ad network security and out into the wider Internet. The ad-based EK used Flash vulnerabilities to do its work. Anyone infected ended up with the notorious ransomware on their system, which encrypted all of their files and attempted to extort money to decrypt them.

Also in 2015, Yahoo’s ad network suffered a major malvertising breach. The attack was based on the Angler exploit kit, which used a drive-by-download to infect users’ machines. The Yahoo network receives 6.9 billion monthly visits, so it had the potential to impact a massive number of end users: a perfect conduit for malware.

In a more recent attack, earlier this year, a major malvertising campaign affected major news sites like the New York Times and again used a redirect to an exploit kit. This time the EK took advantage of vulnerabilities in Microsoft Silverlight. Again, ransomware infection was the end result.

Mobiles aren’t immune to malvertising either. According to Bluecoat’s 2014 Mobile Malware Report, malvertising is the top threat to mobile users. Mobile as a platform for malvertising makes sense in the light of a BI Intelligence report, which shows that mobile advertising is growing faster than other forms of advertising. Why would a cybercriminal not take advantage of that?

It is hard to find out accurate figures on just how many successful infections have been made with a malvertising campaign. However, the fact that this mechanism is increasingly being used, and that ransomware is bringing in as much as $325 million per strain, means that cybercriminals will be willing to spend money to make money by placing ads across legitimate networks that people trust.

What Can be Done?

If ad networks are unable to manage the problem (and the number of successful attacks suggests they are not), then we need to take steps to protect our computers directly.

All malvertising based exploits are based on finding vulnerabilities in your browser or browser plug-ins. This means there are some things you can do immediately to help reduce the risk:

1. Make sure all of your browsers and associated software, such as Adobe Flash and Java, are up to date.

2. Instead of patching, remove: Flash and Java have known vulnerabilities, which cybercriminals can exploit. If possible, remove software such as Adobe Flash and Java. However, this can impact the functionality of some websites, so may not be possible. It is also likely that HTML5, at some point in the future, will be used as a method of inserting malware, so removal of Flash and Java may become a moot point.

3. Don’t use deprecated software plug-ins such as Microsoft Silverlight, as they won’t be supported going forward. Some browsers, such as Chrome, have already stopped supporting Silverlight.

4. Make sure you have a company-wide strategy for dealing with this threat, both to prevent infection and to handle the results if you do get infected.


THE GOOD, BAD AND UGLY OF MODERN AUTHENTICATION

Logging into any type of application has to be one of the most talked about topics in security. It sometimes feels like it is the last frontier as far as technology innovation is concerned. Why is this so? Well, it is likely because it is the point where the human and the computer first come into contact. This creates a usability vs. security conundrum which is always hard to resolve. Part of the issue has been ‘password fatigue’, a topic that has raged in the industry for many years, and yet we don’t seem a lot further forward. But that isn’t quite true: technology in the area of authentication is moving forward. I’ve named this post “The Good, Bad and Ugly…” but in truth, each authentication measure can have a little of each, and it really is choosing the right one for the right scenario that counts.

The Password is Dead, Long Live the Password

The first ever type of login option in computing, used by MIT in 1961, was of course the humble password. We have used it almost religiously ever since, for everything from logging into online banking to offline desktop computer login. It is so successful because it is easy to program support for username and password access, and it’s also easy for the user logging in… mainly.

I say mainly because we now find ourselves in a situation whereby both security and usability have been severely compromised. In terms of security, the use of username and password in an Internet connected world has left the password highly vulnerable. Phishing, and in particular spear phishing, has meant that cybercriminals can very easily steal a username and password, either by sending the phished individual to a spoof site which tricks the user into revealing their login credentials, or by installing malware which exfiltrates them when they are used.

And then there is the usability aspect. The average user has to use passwords across many sites, and the number keeps growing. Either you use the same or a few similar passwords, which is insecure, or you have to remember a different one for each site. Either way, it isn’t ideal. A report by identity vendor CSID found that amongst U.S. consumers, 61% reused the same password across multiple sites and 46% of them had 5 or more passwords to remember. You can, of course, use a password manager, but that brings its own issues.

As an alternative, social and similar platforms, such as Facebook, Twitter, Google, PayPal and Amazon, offer federated login, which can be used in place of a username and password. There are pros and cons to the use of this type of credential, of course.

And when you bring the password into the Enterprise, usage behavior becomes even more concerning. Password sharing is one of the most prevalent insider threats. A survey by Centrify into password habits found that 52% of U.S. based IT administrators had shared their username and password with a contractor and 59% of them with a colleague.

A Multitude of Options with Multiple Factor Authentication

The above username and password issues lead on to the question of how we can improve things without upsetting the apple cart too much; after all, we like passwords, in the main.

If username and password are something we know, we can call this a first factor. If something we have, like a mobile device is also used to login with, alongside username and password, then that becomes a second factor or 2FA. 2FA is becoming more popular for the reason that it allows you to multiply the security needed to login to any system and it can be highly preventative in any phishing attempt.

The types of second factor authentication available are increasing, but the most common are mobile device based apps, or codes sent by SMS text. You do also get hardware devices or ‘security tokens’, especially in enterprise environments, but these had been becoming less attractive because of the per-device cost, and because BYOD meant that employees were using smartphones at work, so why not utilize those. However, a recent innovation in security tokens, U2F, has made them more attractive as an option.

Mobile App Based 2FA

Mobile based 2FA apps offer support for the following options:

  • HOTP (HMAC-based one-time password): A code is sent to the mobile app. This code is hashed. The user enters the code into the application during login, after they have entered their first factor.
  • TOTP (time-based one-time password): This is also a code, but it is time-limited, i.e. it is only valid for a matter of seconds and must again be entered after the first factor has been entered for login.

One of the issues surrounding mobile code based access is the security; some implementations being more secure than others. The most secure way of using a mobile app based 2FA method is for the app to communicate the code directly to the back end of the application, rather than the user inputting the code into a user interface, which is open to a Man-in-the-Middle attack.
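As an added example (not code from the original post), this is how the two code types above are defined in RFC 4226 (HOTP) and RFC 6238 (TOTP): the app and the server each hold a shared secret and compute the code locally with HMAC, so nothing needs to be sent to the phone, and a TOTP is just an HOTP whose counter is the current 30-second time step. The secret below is the RFC test vector, used only as a constructed sample; the replay check in `verify_totp` shows why a server should remember the last counter it accepted.

```python
import hmac
import hashlib
import struct
from typing import Tuple

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). Constructed sample
# only; a real secret is random and shared with the app at enrolment.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    Both sides hold the same secret and counter; the code is derived from them
    on the device, not delivered to it.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                skew: int = 1, last_used_counter: int = -1) -> Tuple[bool, int]:
    """Check a submitted code, tolerating +/- `skew` steps of clock drift.

    Returns (accepted, counter_consumed). Any counter at or below the last one
    accepted is refused, so a code captured by a phisher or man-in-the-middle
    cannot be replayed during its validity window. Constant-time comparison
    avoids leaking how many digits matched.
    """
    now_counter = at // step
    for delta in range(-skew, skew + 1):
        candidate = now_counter + delta
        if candidate <= last_used_counter:
            continue
        expected = hotp(secret, candidate, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    # RFC 6238 reference vector: at T=59 with the sample secret the 8-digit
    # SHA-1 TOTP is 94287082 (6-digit form: 287082).
    print(totp(SAMPLE_SECRET, 59, digits=8))
    print(verify_totp(SAMPLE_SECRET, "287082", 59))
    # The same code presented again after it was consumed is rejected.
    print(verify_totp(SAMPLE_SECRET, "287082", 59, last_used_counter=1))
```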

SMS Based 2FA

Mobile phones, including those that aren’t smart, as well as modern landlines, can use SMS based codes to login as a second factor. One of the downsides of using SMS code based 2FA is that it costs the vendor who is sending out the codes as generally this is done via a third party SMS gateway system.

Security Tokens

The security tokens mentioned earlier have been improved in recent years using a new authentication protocol called U2F, developed by a consortium of large technology vendors, including Google, known as the FIDO Alliance. In fact, Google have implemented a version of U2F based on a key which is inserted into a USB port, with the user ‘clicking’ a button on the key to sign into web apps. Of course, the issue with this is that if you are using an iPad or smartphone for access there is no USB port.

You’ll Know It’s Me

The next major advance in authentication is the biometric. Anyone with an iPhone 5S or later will know about the Touch ID biometric login system, which uses a fingerprint to open the phone for use. This is probably the most well known type of biometric in common use, and it has certainly broken down some of the barriers to biometric acceptance.

One of the earlier barriers to success with biometrics was an alarmingly large rate of false negatives or positives. Advances such as that seen at Carolinas Healthcare System, which uses the veins in a person’s palm, have seen match rates increase to 99.9% in the last ten years. This is another barrier to biometrics that is coming down, allowing a more global uptake of the method.

It looks like biometrics will start to be used more. As we see advances in biometric management, accuracy of biometrics results, and as the spectrum of biometric types increases, then it is a natural way to login and so will be opted for by the user.

Adaptive Authentication

Adaptive authentication is less an authentication method and more a way of using existing methods more efficiently, with added security and improved usability. Adaptive authentication allows you to configure policies which determine the level of authentication required under any given circumstance. It works by assessing the risk level of a specific access attempt. The best way to describe it is with examples. You could set a policy that says that if a user is attempting access from a given IP or IP range, such as you’d get by accessing from within the headquarters of an enterprise, then single sign on (SSO) is allowed. Or you could allow access from certain devices within a given geographic location, but only using a second factor. Another example could be to increase the requirements of login, even going as far as asking knowledge based questions, if certain criteria are not met, or there is a pattern of failed login attempts, and so on.

Adaptive authentication is a really good method of making the most of what you’ve got, and it can really help with resource protection and handling varying levels of risk, especially in an extended supply chain where a variety of people across many jurisdictions require access rights.


A KING’S RANSOM: 4 WAYS TO AVOID BEING INFECTED WITH RANSOMWARE

One of the nastiest and most sinister malware threats to come out of the minds of cybercriminals has been the creation of ‘ransomware’.

Ransomware is a type of malware that encrypts data and then extorts money from the victim. Infection arrives either in an email, as an attachment, or via an exploit kit on a website, from which the malware is downloaded and executed. Once infected with ransomware, the files on your computer, across the network and even on remote file storage like Dropbox are encrypted. When the malware has done its job, it is programmed to pop up an onscreen message letting you know that if you pay X amount within X days, your files will be decrypted. The amount is usually $500-$1000, but can be much more, and payment is expected in the form of bitcoin; they ask for bitcoin because it is less easily traceable than a traditional money transfer.

Cryptowall is probably the most infamous of all ransomware. Cryptowall is up to version 4 and, according to the Cyber Threat Alliance, the malware had, by version 3, made at least $325 million worldwide from infections. Each version of Cryptowall becomes even more sophisticated than the last. Cryptowall 3 was built to hide from detection, and Cryptowall 4 changes filenames so users can’t even find out which files have been encrypted.

Ransomware: The Impact

People are paying the hackers. If you suddenly find all of your data: customer records, intellectual property, documents, flow charts, presentations, accounts, etc. are encrypted and essentially gone, you’ll pay up. The fear that the ransomware hackers instill in people is real. The FBI reported losses in the U.S. alone of around $18 million between 2014 and 2015. And that’s just in payments out. This doesn’t include material losses through lost time and network issues that ensue. And of course there is no guarantee that just because you pay the cybercriminal that they will decrypt your data – we are dealing with a criminal mind here, after all.

The FBI research was from a year ago, but McAfee, in their 2016 Threat Predictions report, state that: “Ransomware will remain a major and rapidly growing threat in 2016…. we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016.”

It is hard to read the mind of a cybercriminal into the 2020s, but the likelihood is that a successful money-raising venture like ransomware will only proliferate. The Internet of Things is an area that will likely be used by cybercriminals as a means of infection: IoT devices have a very wide attack surface and, thus far, security of the IoT is still far from perfect.

Who Is Being Affected by Ransomware?

Ransomware hackers are targeting rich nations. They need to find companies that can afford to take the risk of paying thousands of dollars to get their data back. The target sector the hackers are after is widespread and getting wider. They are coming after businesses of all sizes, rather than this just being a consumer problem.

One of the most insidious ways ransomware is getting onto a network is via ‘malvertising’. Hackers are using the ad placement network and actually paying for infected ads to be served up on legitimate websites. Major websites like the New York Times have run infected ads. The most worrying thing about much of ad-based malware is that it is based on ‘exploit kits’ like ‘Angler’. If you access a site running a malicious ad and you happen to also have a vulnerability in your browser or Flash, then you have a very high likelihood of becoming infected with ransomware without even clicking a mouse. Scary stuff.

U.S. SMBs are as much a target as their larger cousins, because the hackers know that they are a ‘soft target’. Smaller companies are less likely to have a dedicated security team and systems in place to handle such an attack.

And no one is safe: in the past few months several U.S. hospitals have been infected with ransomware, and one, the Hollywood Presbyterian Medical Center, had to pay out $17,000 in bitcoin to the cybercriminals.

Is There Hope?

You can help prevent a ransomware infection by making sure that:

1. Your staff are well trained in the way that malware infections work; make them aware of the danger of attachments in emails from unknown sources.

2. Your OS and other software are kept up to date and patched.

3. You keep backups of your data (but be careful with backup software that synchronizes with your directories, as the synchronized copy can also end up encrypted by ransomware).

4. You have a security strategy in place to deal with the complexities of ransomware prevention and infection.

Of course, if you do get infected, one thing is apparent. Even if you pay to have your files decrypted, the chances are that the cybercriminals behind the scam have already exfiltrated any data using remote access and will be selling that data, especially personal information, on the dark web. So simply put, the best way to deal with ransomware is to avoid infection in the first place.


THE BIG PHISH: HOW HACKERS USE OUR BEHAVIOR AGAINST US

A while back a colleague of mine was spear phished. It was really clever how they did it. She was contacted, not through a direct email, but via a message system of a professional group she was a member of. The message purported to be from a ‘worried colleague’. They had seen her profile on the professional group website and had also noticed that a Facebook account had been created using her photo. The Facebook page was real, her professional photo was being used and a variety of less than complimentary Facebook posts were in the timeline.

The person who sent the phishing email came across as ‘a friend’ trying to help out, pointing to the abuses made in my colleague’s name. They offered help, saying that they’d also been a victim of this sort of identity theft and knew how to counter it. They asked my colleague to email them and they’d show her what to do.

It was a very convincing email. It used some of the oldest tricks in the book; tricks that conmen have used for centuries. It attempted to build a connection with my colleague, to find a common ground. The email was from a trusted source – her professional network. The writer created a scenario shrouded in fear, uncertainty and doubt, to cause my colleague to feel anxious and that her reputation was at risk. The phisher then held out a helping hand to make it all go away. It was a perfect example of highly targeted social engineering, in other words, using normal human behavior to manipulate a person into revealing far too much.

The case above had a happy ending. My colleague is a cyber security professional and recognized the signs of a sophisticated spear phishing attempt. But not everyone is so lucky and human behavior manipulation has become the pivot upon which cyber security attacks are based.

To Err is to Be Human

Social engineering is a technique used to manipulate behavior. It isn’t new. As mentioned above, conmen and tricksters have been using it in one form or another for centuries. One of the most famous social engineers was Frank Abagnale; the film “Catch Me If You Can” was a portrait of his life as a confidence trickster. Frank used people’s natural need to trust to commit fraud.

Social engineering in the context of cyber crime has been used extensively. One of the most infamous examples was the ‘I Love You’ virus. This was an email-borne malware infection which swept the world in 2000. The email carried the subject ILOVEYOU and contained a ‘love letter’ which, when opened, ran the malicious code and infected the computer. This trick played on our own vanity: how exciting to get a love letter, almost impossible to resist opening it, just in case it was from a secret admirer. And that is exactly what happened, with the virus infecting about 45 million computers within 2 days of its release into the wild.

Since then, cybercriminals have embraced social engineering and human behavior manipulation turning it into almost an art form. The whole area of phishing is based on this very concept.

The Big Phish: Business Email Compromise

Phishing and its rich cousin, spear phishing, are arguably the most successful cyber security vector ever, with 123,972 unique phishing attacks in 2015. Phishing emails are very cleverly pulled together by the cybercriminal. In the mass mail-out, less targeted ‘phishing’ variant, the hacker makes the email look just like it comes from a legitimate site, one that you’d enter login credentials into; these credentials are then stolen by the hacker behind the spoof site. According to research by the APWG Internet Policy Committee into phishing, PayPal, Apple and TaoBao are the most popular spoofed sites for phishers, with 54% of all spoof sites representing one of the big three.

But the true art of phishing is seen in spear phishing. Spear phishers have to spend quality time getting to know their target. The emails are crafted to reel in their prey, using full personalization and creating trust and connection between the phisher and the victim. One of the latest scams to be based on the principles of manipulation of human behavior is the Business Email Compromise or BEC. BEC scams have been hitting businesses of all sizes, big-time.

A BEC is a form of spear phishing. It has a complicated profile. Firstly, deep reconnaissance is done to identify a business owner, or key employee, who will become the proxy for the phish. This individual then has their email account either spoofed or compromised. The phisher will then learn as much as they can about their victim and the company they are targeting. They use this information to create highly convincing emails and instructions, using the ‘personality’ of the victim to come across as real. An example of the type of information that is really useful to phishers would be the calendar of the victim: are they away on business on certain days, and so on. This allows the phisher to build up a personal profile and so mimic the person more precisely.

Once they have control of the email account, they can then apply email rules to make sure they don’t get detected when they utilize the account. Or, if they spoof the account, they make the email look like it is from that individual. With account control they can then enact their plan, which goes something like this:

1. Create an email from this key staff member, asking for a wire transfer of monies to a new creditor.

2. This email will go to one of the compromised user’s subordinates. So, for example, if the CFO’s account is compromised the email might go to the finance controller.

3. A variation on the above is where the phisher asks Human Resources for ‘employee details’, thereby stealing identities which they can use for fraudulent tax returns and so on.

There are a number of different tactics being used, all based on a compromised business account. Each one of them uses our natural trust system to trick us into performing actions we would normally be reluctant to do. BEC attacks are working. The FBI has recorded 7000 U.S. business BEC scams since late 2013 with losses of around $740 million.

Controlling Our Behavior

Phishing is so popular and successful that it is moving into other spheres. ‘SmiShing’ is the new phishing, with mobile devices being targeted with SMS-based phishing messages – like this one. When checked, the ‘Apple’ link goes to a spoof site in Romania where you are requested to enter your Apple login credentials. If you did so, they would be stolen and used to log in to the real Apple site. Variants on this attack type also include an SMS message from a bank asking you to call a number to talk about a possible fraud attack on your account. When you do, you are asked for various details including your online banking password – the result being that your bank account is cleared out.

There are ways to counter this abuse of our human nature, but it means being more aware of ourselves, how we react and how cybercriminals operate. Some basic checks include:

Caution is the watchword for anyone receiving an email requesting a funds transfer (for example).

Do not click directly on a link in an email, but instead, if it refers to an account, go to that account through the browser first.

Check email addresses – if you expand the address you may see it has unusual characters or is simply not the name it pretends to be.

Build a robust security strategy across the whole organization, taking both technologies and human behavior into account.
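Two of the indicators above lend themselves to an automated check: a sender address that is not what the display name pretends it to be, and the mailbox rules an attacker adds to a compromised account so the owner never sees the traffic. The following is an added example, not code from the original post; the header block, the trusted-domain list and the mailbox-rule records are constructed for illustration, and the rule format is a simplified assumption rather than any particular mail system’s schema.

```python
"""Check an inbound message and a mailbox's rules for the BEC indicators the post
describes: a sender whose address is not what the display name suggests, and
rules added to an account so its owner never sees the attacker's traffic.

Added example for illustration; the header block, the trusted-domain list and
the rule records below are constructed, not taken from a real incident.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organization legitimately sends from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Digits commonly swapped for letters in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed sample: the display name claims to be the CFO, the domain swaps a
# digit for a letter, and replies are diverted to a third domain.
SAMPLE_EMAIL = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay.example.net
To: controller@example-corp.com
Subject: Urgent wire transfer

Please wire the attached invoice to the new supplier today.
"""

# Constructed sample mailbox rules (simplified schema, an assumption): the kind
# an attacker adds after taking over an account, forwarding mail out and hiding it.
SAMPLE_RULES = [
    {"name": "archive", "forward_to": "drop@example.net", "delete": True},
    {"name": "newsletters", "forward_to": None, "delete": False},
]


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True when the domain is not trusted but becomes a trusted one after
    undoing common digit-for-letter substitutions."""
    if domain in trusted:
        return False
    return domain.translate(_HOMOGLYPHS) in trusted


def check_sender(raw_email: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the names of the indicators found in the message headers."""
    msg = message_from_string(raw_email)
    findings: list[str] = []
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Non-ASCII characters in the address itself (homoglyph tricks).
    if any(ord(ch) > 127 for ch in address):
        findings.append("non-ascii-address")
    # The display name embeds an address that differs from the real one.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != address.lower():
        findings.append("display-name-address-mismatch")
    # The sending domain imitates a trusted one.
    if _is_lookalike(_domain(address), trusted):
        findings.append("lookalike-domain")
    # Replies silently go to a different domain than the one that sent.
    if reply_to and _domain(reply_to) != _domain(address):
        findings.append("reply-to-mismatch")
    return findings


def check_mailbox_rules(rules: list[dict], trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the names of rules that forward mail to an external domain or
    delete it, the two behaviours the post links to compromised accounts."""
    suspicious = []
    for rule in rules:
        target = rule.get("forward_to")
        external = bool(target) and _domain(target) not in trusted
        if external or rule.get("delete"):
            suspicious.append(rule["name"])
    return suspicious


if __name__ == "__main__":
    print("sender indicators:", check_sender(SAMPLE_EMAIL))
    print("suspicious rules:", check_mailbox_rules(SAMPLE_RULES))
```

Run against the sample, the sender check reports the lookalike domain and the diverted Reply-To, and the rule check reports the ‘archive’ rule that forwards externally and deletes. A real deployment would feed the mail gateway’s headers and the mail platform’s rule export into these functions and alert on any non-empty result.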


Five reasons to prioritize Privileged Access Management as-a-service

Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach. Privileged Access Management (PAM) as-a-Service is a good way for organizations to get their PAM programs up and running faster and more easily than ever. If you are reading this, you’re likely familiar with Software-as-a-Service (SaaS) and the benefits that it can bring your organization. We see that organizations are moving more and more of their applications and infrastructure to the cloud for a variety of reasons, including security, cost savings and ease of management. Likewise, in cybersecurity, organizations are starting to turn more and more to Security-as-a-Service to capitalize on the benefits above and marry security with operational ease of use.

After privileged access has been identified as a priority, deciding how to deploy it is the next step. In CyberArk’s Global Advanced Threat Landscape Report: Where Security Accountability Stops and Starts in the Public Cloud, we found that the number one reason organizations are moving to the cloud is security.

However, the harsh reality is that no organization can ever fully secure all of its applications and infrastructure, whether its data center is on-premises, in the cloud, or hybrid. There is no single solution available in the market today that will prevent every advanced cyber-attack. But prioritizing what matters most first, privileged access, and taking advantage of all the benefits a SaaS solution can provide is increasingly becoming the option of choice for organizations that are embarking on a Privileged Access Management program. PAM as-a-Service is becoming a popular method for deploying security solutions for a variety of reasons. In this Ebook we’ll discuss five reasons to prioritize PAM as-a-service.


A STORY OF DESTRUCTION BY THE INTERNET OF THINGS

Once upon a time, in a world long, long ago…well actually not that long ago, there was an enterprise. This enterprise had control. It controlled who accessed its applications and data; it controlled who took that data outside of its company walls. It was a fine kingdom, protected by a strong wall.

Then the Internet happened. The enterprise could no longer keep everything inside the kingdom walls. The walls started to break apart and the company had to look at new ways to protect itself.

The short story above is a very simplified history of what has happened to organizations of all types and sizes, across every industry sector, in the last ten years. We are all now very aware of the changes to the organization’s perimeter, how it has been extended and then made fuzzy, and how the tools to control cyber security threats have had to evolve to handle this change.

Now, just when we have gotten used to the extended enterprise perimeter, a new technology has entered our kingdom, not only making the perimeter fuzzy, but also smashing it apart. This technology is the Internet of Things or the IoT.

The Internet of Things meets the Supply Chain

Supply chains can be complex and convoluted. If you were to map one out on paper, including all of the possible tiers of suppliers, it could end up looking like something only a mathematician could understand. The IoT has just taken this complexity and added an order of magnitude to it. The IoT is big and getting bigger. Gartner have predicted that by 2020, half of all new business processes will incorporate some element of the IoT. These new elements are adding more ‘moving parts’ to the chain; and of course, any additional point is a potential point of failure. In our Kingdom analogy, it is like the castle walls have fallen away almost completely.

As we know, the supply chain can work like a domino effect. If one domino is knocked over, it hits any connected dominos until the whole chain falls over. One example of many was the car manufacturer Citroen, where a breach of customer records took place. In this case, it was a supply chain member, a site selling Citroen-related gifts, that opened the doors to the kingdom. Hackers added a backdoor to the sales site using an Adobe ColdFusion vulnerability. The impact isn’t always just the direct loss of data, either; reputational loss from association can also be very costly to a brand. Simply put, any application or device (IoT or not) across the supply chain is a domino. If each part does not have the correct security in place, the rest of the chain is impacted – security is the responsibility of every member of the supply chain because it has the potential to impact every member.

IoT and Supply Chains: The Good, The Bad and The Ugly

The IoT is a force for both good and bad. The World Economic Forum, in its Global Risks 2015 report, stated that, “While the ‘Internet of Things’ (IoT) will deliver innovations, it will also entail new risks.” In terms of the supply chain, the IoT will add a whole new level of complexity to the chain. But it is also a force for good: the IoT can certainly improve supply chain processes and logistics. One of the key offerings of IoT devices is the data the devices can generate. This information can be used to analyze processes, creating a more demand-driven chain, improving logistics and ultimately cutting costs. However, it is the very benefit of the IoT that is also its potential security downfall. As more IoT devices are used to make the chain more efficient and data focused, more points of failure are added to the chain. All of these new devices and things need to have their security risks analyzed, and the risk assessment of such complex chains is in itself highly complex. More devices increase the risk of breach, and therefore more points in the system need to be secured.

And of course, as expected, cybercriminals will exploit this new technology. Gartner have said that on the back of the IoT a ‘black market’ will take shape, selling fake IoT sensors which can then be used for cybercrime. Without due care, these sensors will then become an intrinsic part of the overall supply chain, creating baked in security holes and back doors. If your chain becomes infected with a spoofed IoT device the whole chain is compromised.

Having It All

The use of the IoT within a supply chain offers us focused intelligence. We can use the data generated to improve chain efficiency, make more informed decisions and offer better services to our customers. But we must recognize that this sea change in the way we generate data and extend our touch points brings with it new security challenges and increased risks. To ensure the benefits of the IoT outweigh the risks, we need to take those risks seriously and put measures in place to mitigate them. Only with insight, analysis and knowledge of effective security measures can we ensure that the IoT becomes a kingdom maker, rather than a kingdom destroyer.


TWO KEY SUPPLY CHAIN TRENDS THAT YOU SHOULD KNOW

One of the topics this blog likes to explore is how to make the whole supply chain process more efficient, less risky and ultimately more profitable for everyone involved. We look at this from a real-world perspective, using our deep knowledge of this area, especially around automation and security. So it is really good when external sources back up your own knowledge and experience, and this has been the case with the report by PWC on “Next Supply Chains: Efficient, Fast and Tailored”. In today’s post I’ll take a look at some of the findings of this survey by PWC and discuss their implications for supply chain automation, management and risk.

Supply Chain Trends

The PWC report had a particularly pertinent and insightful finding: the supply chain is regarded as an actual strategic asset by 45% of organizations. Strategic assets are vital for competitive edge, and keeping them well managed is therefore an important business consideration.

In their report, PWC identified a number of supply chain trends, all of which are expected to increase in importance and all of which have a material impact on the effective management of the supply chain. The following graphic, taken from the report, shows the 12 most important trends; noticeably, all are expected to increase in importance.

In this post I’ll concentrate on two of these top trends, which we come across time and again, “Implementing techniques to automate and increase transparency” and “Managing supply chains security and risk”.

Automation to Increase Transparency

PWC noticed that the most successful companies had a program in place to reduce supply chain complexity and to use automation methods to make supply chain processes more efficient. This has been instrumental for the leaders identified in the survey, which have delivery performance figures of over 96%. Part of this comes down to transparency across the supply chain. Transparency greatly helps to improve the smooth running of a supply chain. A report by the electronics manufacturer Jabil found that 96% of the surveyed respondents said that an opaque supply chain put efficient operation at risk.

Gartner analysts concur with PWC and identify automation of supply chain processes as a supply chain trend. At a recent supply chain conference, Gartner linked automation and the Internet of Things (IoT), arguing that this has the potential to impact transparency across the chain. Gartner stated that, “functions such as procurement, logistics and inventory management often operated in silos with not enough coordination or focus on the end result”. Gartner reiterate this sentiment in their latest supply chain predictions for 2016, saying that automation will double in the next 5 years due to increased digitization of companies.

The PWC report shows clearly that automation leads to better performance, and Gartner is backing these findings up. This comes at a time when the digital landscape is moving underneath us all, as digitization of services and the IoT grow in importance – this makes the move to automation of supply chain processes inevitable, as the complexity needs to be countered by transparency. In fact, the idea of having greater control over the processes and bringing all of the steps together in a seamlessly connected manner should be the goal of any eco-system. The PWC report stresses that digitization and automation of supply chains will create greater transparency, if managed correctly, which will ultimately result in reduced costs and greater efficiency. They also point out that automation is seen by two thirds of respondents as a “vital” part of the supply chain process. In fact, PWC show that automation is seen as one of the best ways to differentiate a business across a number of industry sectors including automotive and retail, giving them a method to “optimize their logistics and distribution operations”.

Managing Risk

The supply chain has not been immune to the global challenges we are currently facing. These challenges extend to financial market turbulence and the increasing cyber security pressures felt by all enterprises.

Growing risk from the supply chain is something that the vast majority of organizations seem to suffer from. Zurich Insurance found that in 2014, 81% of companies suffered a supply chain disruption, an increase of around 4% since 2010, and almost a quarter of survey respondents saw losses of around $1 million due to such disruptions – cyber security being one of the most concerning causes.

The PWC survey identifies the management of chain security and risk as a top trend. They point out that to have a successful supply chain operation, an organization has to take personal responsibility for tracking the risks across the chain. The complexity of risk management rears its head most noticeably when the supply chain is a global one. Risks come in many shapes and sizes, and a global chain can involve environmental, financial and certainly cyber-security risks. Ensuring stability of the extended supply eco-system is a management challenge, and one which requires a holistic approach.

PWC found that risk mitigation, through close management of supply chain partners, was one of the top differentiating practices of effective and high-performing supply chains.

A Transparent Approach to Risk Management

The two top trends we have looked at here are not mutually exclusive; each impacts the other. By using automation to improve transparency, you can in turn enhance the management of risk across the chain. A move towards automation is a leap forward that takes your supply chain to the next level and affords greater rewards in the guise of more optimized, efficient and risk-minimized processes.


HOW TO USE THE PHILOSOPHY OF YIN AND YANG TO MAKE BETTER PROCUREMENT DECISIONS

Business as well as life is a balance. It was the Chinese New Year on the 8th of February, so it seems pertinent to use the philosophy of yin and yang to discuss the interactions of critical controls in the enterprise procurement process. The idea of yin and yang is that opposite/contrary ideas can in fact be complementary and build a stronger whole. This approach may well be useful in providing the right balance between the various control systems that come into play as any procurement process develops.

The Elements of Critical Control During Procurement: The Yin

There are a number of ‘critical controls’ within any given procurement program. Security is often seen as the main critical control, and the one which can have the greatest impact on assets and infrastructure. However, security is not the only element that can have a potential impact on the procurement process and on vendor risk management. Of course, the criticality of each part is dependent on the industry. But in general, the types of things that you need to know about a vendor before procurement choices can be made include:

Security: If you read this blog regularly, you’ll know that data and privacy breaches often have their origin with a third-party supplier. A number of studies corroborate this, including the 2013 Trustwave study, which found that 63% of the investigated breaches began with third-party administration exposure. There is also a general and historical problem in the communication between procurement and security, with security being seen to ‘slow down’ procurement. However, this is starting to change as more breaches, like those mentioned above, occur. In a previous post we talked about how KPMG have found that 70% of procurement managers now realize how important it is to know how a third party will handle their client data. This is a move in the right direction. An end-to-end security strategy across the vendor/client eco-system is increasingly important, and often needed for compliance with industry regulations.

Legal: The legal aspects of vendor onboarding can be arduous. It seems that once you involve the lawyers, everything comes to a standstill. There are, of course, good reasons for this; legal needs to make sure that all eventualities are covered. This is never truer than when you have regulations to comply with, which often extend outwards to your suppliers’ systems. Other factors, such as competition law and the legalities around the origins of goods, personnel and services, need due consideration.

Social and environmental: As green laws take effect, a number of environmental constraints can come into play in the procurement process. You may need to develop a sustainable procurement policy to comply with regulations in these areas and to make sure the vendor choices you make fit in with this overall strategy.

Having effective know your vendor (KYV) policies in place before making final decisions is part of your supply chain risk assessment. This is a key part of the procurement process, as it offers a way to minimize future risks and protect the business against uncertainty. Gartner, in their recent evaluation of the role of the CIO and risk, have stated that “Procurement teams develop contracts that improve security agreements with cloud vendors and security managers” to be able to meet the challenges facing business today, especially when dealing with Cloud-based data.

What Prevents Efficient and Accurate Procurement Choices?

Procurement choices that are educated and based on checks and balances will ultimately benefit the company, because they reduce the risks associated with unknowns. Getting this process right is a challenge. For example, procurement and security need to work together for the greater good. The SANS Institute, in their paper on “Combatting Cyber Risks in the Supply Chain”, recommend a combination of ‘people, processes and technology’ to deal with the problem of good vendor evaluation for procurement. Communication and transparency are the key to risk reduction. It may seem like a slower process to add in the assessment stage, to audit vendors’ data security procedures, but in the long term this will benefit your company through informed choice – the old adage “more haste, less speed” is highly applicable to the procurement process.

Procurement is the natural place where communication can start. It is often the main channel between the enterprise and the vendor and, as such, can create effective dialogue to manage critical controls like security and ensure they don’t slow the process down any more than necessary. Seamless, clear communication in this area can also help to identify any hurdles. For example, if the vendor needs to go through a certification or validation process, this needs to be identified early on. It is only by having open discussions and actively building frameworks to work to that we can ensure we have those critical controls incorporated into the procurement process.

Get it Right, Now, Not Later: The Yang

Getting your procurement controls in place before you sign that purchase order is vital. If you leave it until afterwards, without knowing your vendor and any critical exposure points they may have, then you may well end up with security or compliance issues down the line. Once the ink is dry on the contract, it is much more difficult to put controls in place. This can result in increased overall costs, as well as a risky project that could potentially end in a catastrophic data breach. Putting controls into the mix, at the right time and to the right level, is part of a good, holistic approach to procurement. Getting the yin-yang balance right will create the type of vendor eco-system that gives you true value for money, whilst minimizing your risk of privacy and data breaches.


Why IBM for Privileged Access Management – Get scalable, enterprise-grade security solutions, backed by unmatched service and support.

When you deploy IBM Security Secret Server and IBM Security Privilege Manager across your organization, you unlock the full potential of PAM with solutions that are:

Partner with IBM for incredible service and benefits

  • 24/7 access to IBM support
  • Unlimited feature set within IBM Secret Server
  • Simple pricing and packaging options
  • Quick time-to-value—install in minutes and see value immediately
  • Supports large-scale distributed environments from on-premise to cloud environments
  • Integration with the IBM Security portfolio including IBM Cloud Identity, QRadar®, Guardium® Data Protection, and IBM Security Identity Governance & Intelligence.
  • Access to IBM Security PAM Professional Services
  • Access to IBM Security Expert Labs for deployment and configuration

Protect privileged accounts to reduce your attack surface. Sign up for a free trial of IBM Security Secret Server now.