Busting Top Myths About Privileged Access Management

January 14, 2020 | Security and Risk | Sam Flaster

Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes.  However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.

Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why?  Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.

But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.

Myth #1: Because privileged access exists everywhere, it is impossible to secure.

While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.

Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exist, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.

Additionally, modern PAM tools incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.

Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.

The impossible just became achievable.  Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.

Myth #2: Privileged access management tools are challenging for administrators to manage.

That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.

Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities.  Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.

Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.

It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution.  PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.

Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require direct connection to user databases like Active Directory (AD). These connections are often hosted on-premises. If any on-premises server is compromised, attackers can gain control over AD to implement Kerberos attacks, such as Golden Ticket, and exist undetected in a company’s network. PAM can provide a vital security layer for servers hosting IAM’s direct connection to user databases like AD.

To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.

Myth #4: Privileged Access Management solutions interfere with operational efficiency.

The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all.  For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.

In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks — especially in highly regulated industries like healthcare and banking.  Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.

Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.

Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions. 

The average cost of a data breach in 2019 came in at nearly $4 million. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point for organizations to demonstrate where security solutions can have a high impact.

In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.

After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.

Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.

Furthermore, many PAM solutions can integrate with other enterprise software solutions – from IoT device gateways, DevOps tools and network devices to vulnerability management systems – enhancing their value and streamlining security operations on the whole.



CYBERCRIME AND INDUSTRY #5: HOW CYBERCRIME IS AFFECTING THE ENERGY INDUSTRY

The USA is a major consumer of energy; a North American household uses, on average, 11,698 kilowatts per hour compared to the average Indian household, which uses 900 kilowatts per hour. According to the World Energy Council, North America is also one of the biggest energy producers in the world, as one of the top three producers of all types of energy, except hydropower. 

Critical Infrastructure Security and Cyber Terrorism

Cyber espionage and cyber terrorism / sabotage are the main cyber threats targeting our energy sector. This sector holds much intellectual property and, as a critical infrastructure, is a seductive prime candidate for terrorism and sabotage, especially by state actors.

One of the keys to the vulnerabilities within the energy sector is that our energy systems are becoming digitized to ensure improved efficiencies, and to keep up with the changing needs of the industry. This includes the connectivity requirements of the extended supply chains used within the sector. Industrial Control Systems (ICS) are part of this digitization program and are being connected up to the Cloud to allow distributed data capture and sharing. This has resulted in increasing their attack surface, making them increasingly vulnerable to cyber attack.  In a review by IBM X-Force, entitled, “Security Attacks on Industrial Control Systems”, IBM found a massive increase in ICS attacks in the three years prior to August 2015. Hacktivists and malicious insiders are carrying out these types of attacks, and the USA has had, by far, the greatest number of attacks at around 70% of the total. The attacks are increasing because of the change from closed systems to an Internet facing ICS.

Like many cyber security attacks, the vectors used are the usual suspects. Phishing, specifically spear phishing, is a key method being used to gain access to network resources and infect systems with malware.

A recent high profile attack that specifically targeted ICSs was carried out by the group of cyber criminals known as ‘Dragonfly’ or ‘Energetic Bear’. The group used three types of attack vectors:

1. Spear phishing emails targeting employees and supply chain members.

2. Watering holes, i.e. malware infected sites that were commonly used by the targeted companies.

3. Installation of Trojan malware into software code developed by third parties that was used to update ICS units.

The group attacked mainly U.S. and European based energy sector companies in the petroleum and electricity-generating sector. However, they went after suppliers to the sector as well. Energetic Bear is a perfect example of an attack capitalizing on Internet facing systems and a supply chain infection.

The Department of Energy, in collaboration with the National Institute of Standards and Technology (NIST), has developed a set of guidelines to use in the energy industry to help inform the Risk Management Process within a security strategy plan, “Cybersecurity Risk Management Process (RMP) Guideline”. Using sound advice such as this helps in informing a robust security strategy to manage energy sector targeted attacks.

Personal Energy, the Internet of Things and Cyber Security

A report by MarketsandMarkets has predicted that the Internet of Things (IoT) device market within the energy sector will be worth over $22 billion by 2020. This isn’t surprising, as the IoT has become very popular as a method of controlling energy supplies on a personal and business basis. Smart Grids and IoT devices, like Nest, give us the opportunity to generate data, which can then be used to ensure we have the right energy tariff. They can also be used to make sure we use our energy in the most efficient way; turning off lights remotely is one small example of the control features the IoT gives us. The Nest thermostat is one such device that helps consumers and offices make the most of their energy requirements. However, as we’ve seen in previous posts, the IoT is a cyber criminal’s dream. An IoT device offers a way into our homes and offices. Connected up to Cloud platforms to collect and analyze data, they are open to the same sorts of web-based threats as any other Internet facing system. You can envision the scenario whereby a hacker has control of thermostats across the nation, exploiting them as methods of data extraction, energy control, and doors into other devices and accounts. It is even possible that the information gleaned from such devices would allow burglars to know when you’re away from home. Fortunately, white hat hackers are on the case and finding holes in IoT devices, like Nest, and offering fixes before the true hackers find them.

To help stem the potential tidal wave of IoT-generated crime, the Online Trust Alliance (OTA) has built a framework of guidelines for ensuring that IoT devices, in the energy sector and beyond, take security and data privacy into account. It is up to the industry to follow this advice to protect consumers from IoT based cybercrime.

Switching Off Cybercrime Not the Lights

The Stuxnet virus that shut down the Iranian nuclear power industry, and that allegedly originated from state sponsors in the USA and Israel, is the most infamous energy sector attack in known history. We should expect that Stuxnet will be ‘out famed’ soon by a similar critical infrastructure based cyber attack, as our energy sector reaches out into the connected world and opens up our industrial systems to the world of cybercrime. Our energy infrastructures are too much of an interesting prospect to a cyber criminal group for them to not already be planning attacks. If we work in this sector, we are facing the challenges of new ways of working, but with those challenges we also need to face cybersecurity head on. Guidelines and frameworks can help us build robust and achievable security plans that work across the entire energy ecosystem.


Threats and opportunities in 2020

Original Dutch article: http://my.socialtoaster.com/splash/cjbRT/ written by Annelies Heuvelmans

The year 2020 has just begun, and Security Management has already spoken with several cybersecurity experts about the threats, but also the innovations that will turn the tide, that we must take into account in 2020. One of the essential points you have to keep in mind is the employee, who has a crucial role. If employees do not recognize the importance of proper security, then even the best security policy will fall like a house of cards.

Malware is sent en masse

“In recent years, cybercriminals have discovered the world of operational technology (OT),” says Bastiaan Bakker, director of Business Development at Motiv. For example, the Operational Security Trends Report from Fortinet shows that as many as 77 percent of all OT managers have been dealing with malware in the past 12 months.

Protecting vital infrastructures

Bakker explains: “One of the reasons for this is the far-reaching professionalization of the criminal circuit. Cybercriminals are forming teams with specialists who make clever use of vulnerabilities within companies. Government-driven hacking groups are also active in carrying out attack and damage techniques within OT. We, therefore, see that the demand for specialist security of operational technology is quickly increasing. Given the high degree of dependence on operational systems, which, for example, regulate our electricity and drinking water supply, security plays a crucial role. However, the environments differ significantly from traditional IT environments. OT environments are often less easy to replace because of usually old legacy and the high complexity of the domain.

“Employee awareness is an important part.”

Bastiaan Bakker, Director of Business Development at Motiv

The first step is to map your OT environment. Where do you see links between your IT and OT environments? And who has access to what? The management, as well as the authorization, must be set up well and mature. Employee awareness is an essential part of this. You can equip your environment with the best security solutions. Still, if your staff is insufficiently aware of the crucial role they play as gatekeepers of the company, this investment is of little use.”

Gamification

Mats Ros, managing security and privacy consultant at IT service provider Ilionx, agrees with this statement. “Apart from the technical enforcement of good security, we always come back to one point in the IT world: people are the weakest link. After all, people make mistakes. Of course, there are already enough solutions and tooling to instruct people and lift them to a higher level of consciousness, but taking your employees with them is more complicated. What I notice is that only fifty percent of employees get started with this tooling. That is, of course, way too low. The other half does not see the importance of it and is therefore much quicker susceptible to a phishing email.

“By using gamification, the support base will grow, and it makes the tooling more fun.”

Mats Ros, Managing security and privacy consultant at IT Service Provider Ilionx

By using gamification – a game component that challenges employees to measure themselves against their colleagues on a scoreboard – the support base will grow, and it makes the tooling more fun. For example, we developed a solution for our own ISO 27001 certification that precisely ensures this.

The SaaS solution, including point counting, looks at how many questions you have answered and how often you give the correct answer. Employees can compare their results with colleagues, but this can also be disabled. Achievements and certificates make this even more fun. For example, someone who completes a quiz at night earns the ‘night owl’ achievement. In this way, you playfully raise the support base and make your employees aware of the much-needed contribution they make to keeping the organization safe.

A world without passwords

Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales, sees a future without passwords: “The time when the use of passwords alone offered sufficient protection is far behind us. Seventy percent of employees reuse passwords from work and personal accounts. Unsurprisingly, 81 percent of hack-related data breaches start with a user’s identity, such as a weak or stolen password. In 2020, a world without passwords will become more and more a reality.”

Solution for password challenge

Geeraerts continues: “Until now, multi-factor authentication has been the most apparent solution for tackling the password challenge. Access is granted to a user based on his identity, something he owns, and something he knows. Although this method is more secure than the traditional password, it is less user-friendly due to the time-consuming operations. Access Management solutions with password-free security offer a solution.

There is never a one size fits all solution.

Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales

PKI or a one-time password via a token or device that is used to give users access, in combination with biometric data or a PIN, offers a solution to the vulnerability of traditional passwords. Also, organizations can thereby increase the ease of login and user-friendliness. However, it would be best if you did not forget: even with this form of authentication, there is never one size fits all. It is always important to match the authentication method to the security needs to ensure the highest level of security.”

Managed security services that relieve organizations

Organizations see the necessity and have the financial room to invest in security, but they lack the people to make security solutions profitable. “We also see an increase in the demand for managed security services, with which organizations are entirely relieved. This trend will intensify in the coming years. We also see the rise of automation of security. Simple incidents can be automatically handled so that engineers can focus on complex incidents. This also compensates for the shortage of security engineers,” said Twan van Ravestein, Cyber Security Expert at Telindus.

In 2020, more and more organizations will embrace the zero trust principle and view the network without a perimeter.

Twan van Ravestein, Cyber Security Expert at Telindus

Who or what can you still trust?

“Automation takes place along different axes in 2020. With artificial intelligence and machine learning solutions, you can set up the analysis of network traffic in such a way that deviations and strange behavior can be detected quickly within the business context of the customer.

You are then able to automatically take the right measures to, for example, repair leaks. Systems for User Behavior Analytics (UBA) and Security Orchestration, Automation, and Response (SOAR) are becoming increasingly sophisticated. Finally, in 2020, more and more organizations will embrace the zero trust principle and view the network without a perimeter. In the cloud age, you can certainly no longer speak in terms of a secure internal network and the insecure outside world. This awareness will penetrate many boardrooms,” concludes Van Ravestein.


CYBERCRIME AND INDUSTRY #4: HOW CYBERCRIME IS AFFECTING THE AUTOMOTIVE INDUSTRY

In the 1990 Arnold Schwarzenegger film, Total Recall, there was a futuristic car, called a ‘Johnny Cab’. The Johnny Cab was a sort of self-drive automobile, although driven by a robot. In one scene, Arnie is being chased by some baddies. He jumps into a Johnny Cab and asks the cab to ‘drive, drive!’ but of course, the robot doesn’t know where to drive. The end result is Arnie ripping out the robotics of the car and driving it himself. The Johnny Cab was a prediction about the near future of the automotive industry, one of robotics, automation and the Internet of Things.

Only 16 years on from the film and we have found ourselves with our own self-driving cars, at least in prototype. BI Intelligence is predicting that by 2020 there will be around 10 million self-drive cars on our roads. Google has its own self-driving car project. Tesla has created the first semi-automated car that is in release, the Model S – although a recent crash by a test pilot has sent some shockwaves through the industry around the safety of the self-drive.

And then there are the changes happening within the industry due to the Internet of Things (IoT). IBM’s Watson, for example, is an IoT platform that is used across the automotive industry. It allows you to connect, collect, and analyze data associated with all aspects of transport. It is being used to manage vehicle fleets, improve car efficiency, and handle data across the extended supply chain of the automotive industry. With Gartner predicting that 250 million connected cars will be on the road by 2020, we can expect an enormous amount of Cloud bound data to be generated by this industry sector.

In terms of cyber security threats, the automotive industry feels the same cyber pain as other industries. They are threatened by phishing, extorted by ransomware, and breached by APTs. In the 2016 IBM X-Force review of cyber attacks, automotive was one of the most targeted industries, seeing 30% of the total attacks across manufacturing, which came in as the second most targeted industry sector.

However, it is the future that may hold the most concern for the automotive industry as it becomes ever more connected.

Future Fears – Cyber Crime and the Automotive Industry 

Platforms, like Watson, which offer a way of creating highly connected networks, are creating greater opportunities by improving collaboration. In an IBM survey, 74% of executives rated collaboration outside of their key industry as being a positive change and bringing growth to their business. However, collaboration and connectivity require you to reach out and share data. The IoT allows the sharing of this data across fast Internet connections. In the automotive industry, this includes information used to keep us safe as we drive, and data that reveals company and product proprietary information to our partner suppliers. Once you begin to store and then transfer data, especially large amounts of sensitive data, the data radar of the cybercriminal begins to twitch.

The problem starting to unfold with the IoT is that in the rush to market to get IoT connectivity into products, and be ‘first to market’, security has taken a back seat. A Hewlett Packard report on the Internet of Things found that at least 70% of IoT devices had security flaws.

We are already seeing IoT focused cyber attacks. For example, the worm Linux.Darlloz was specifically designed to target IoT devices. Last year a white hat hacker showed how easy it was to hack a self-drive car. The researcher used an off-the-shelf device, like a Raspberry Pi, to trick the car into thinking there was an obstacle in its way – potentially causing it to crash.

This insecurity of things has a greater impact when the ‘things’ are multiplied. One of the issues that the automotive industry has at a larger scale than most other sectors is that of its highly extended supply chain. Vehicles tend to be built from parts created by a myriad of specialist suppliers. As the IoT starts to pervade all aspects of the build, manufacturers will be put under pressure to ensure the security of each part is upheld – it is bad enough having a single point of failure, but multiple points of failure can place manufacturers in a difficult position.

The Supply Chain as a Point of Failure

Keeping the supply chain secure, as our automotive industry embraces the cutting edge of technology, is crucial to not only the protection of sensitive and proprietary data, but also the physical safety of anyone using this new technology. As digitization of the industry takes hold, each individual part that is manufactured is at risk of being compromised by a cyber attack. The software that is created to control engine emissions may end up infected with a worm, that then replicates itself across any digitized part of the vehicle, including IoT sensors. This has already happened to an Internet enabled security camera that had infected software installed during manufacture.  The company ended up being fined for security violations by the FTC.

Vehicle manufacturing is an industry highly dependent on an ecosystem of players, utilizing parts from a variety of companies across the supply chain. This means the automotive industry has to have a clear and effective vendor risk management program. Making sure that each part of the whole is manufactured using security best practices, keeping watch on counterfeit parts entering the chain, and generally managing the changes across the security landscape as new automation enters the industry is more important than ever. It is vital to have a holistic approach to the security of our vehicles to retain consumer safety and trust in the industry.


CYBERCRIME AND INDUSTRY #3: HOW CYBERCRIME IS AFFECTING OUR MANUFACTURING INDUSTRY

In the third in our series of articles on cybercrime and industry we will look at how manufacturing is being impacted by the rise of cybercrime. The manufacturing industry is going through a period of fast change. Many industrial systems are being overhauled to bring them into an era of high connectivity. The Internet of Things and automation / robotics are being used as a productivity booster, and a way of bringing the notoriously complicated manufacturing supply chain more closely under control.

The manufacturing sector has some fundamental challenges above and beyond those of the previously discussed sectors, healthcare and financial. This includes protection of intellectual property and corporate espionage / sabotage.

Manufacturing Pain Points

Advanced Persistent Threats (APT) in manufacturing: APTs play the long game. Cybercriminals use techniques like spear phishing to get malware onto a system, and then use stealth and avoidance techniques to slowly exfiltrate data, such as proprietary information, often over many months. APTs are a real threat to manufacturing because of the difficulty in detecting the underlying malware. This is down to the ability of the hacker to remotely control the malware (using a ‘command and control’ center) – morphing it to hide it from detection by traditional anti-virus and monitoring techniques. Kaspersky run an APT logbook, and it’s interesting to see how APTs have become more prevalent over time. Filtering the logbook across manufacturing related industries shows how this area has become an increasing target for APT style attacks.

Intellectual property: Intellectual property (IP) is the mainstay of our manufacturing industry and its theft is a major contributor to economic issues in the USA. According to the IP Commission’s report into IP theft, hundreds of billions of dollars’ worth of IP was stolen each year from U.S. firms of all sizes. They described the situation as “the greatest transfer of wealth in history”. The loss of IP affects jobs and innovation. The theft is often state sponsored, the IP Commission report pointing to China as being a likely source, but insider threats are also an issue, including supply chain insiders. Verizon found that 46% of IP theft cases start with an employee. The staff member is likely collaborating with cybercriminals to extract the data – the prime driver being financial gain. When insiders are used, access is often through misuse of privileged credentials. But it may not be the system administrator actually behind the breach. Centrify found that in a survey of U.S. IT staff, 52% had shared a login credential with a contractor, and 59% with a fellow worker.

Cyber-espionage: According to Verizon’s “2016 Data Breach Investigations Report”, manufacturing is one of the top three industries to suffer from cyber espionage. Cyber espionage is an external threat, sometimes state sponsored, or at least competitor sponsored, where the target is proprietary data and trade secrets. The vector into the manufacturer is most often via a spear phishing email, which is ultimately behind an APT attack (see above). The attackers can then quickly get at the credentials needed to log in to the system and implant malware that exfiltrates data back to source. Another method that is gaining ground is the drive-by download. This vector is the sneakiest of all and is completely silent, so the user isn’t aware that they have been infected with malware – usually keyloggers, which then go on to steal login credentials. Drive-by downloads use exploit kits within a website – typically a site that is commonly used by that sector will be infected by the hacker. If the user visits that site, the exploit kit then looks for a vulnerability in a browser or other software application like Adobe Flash. The exploit kit uses this vulnerability to silently install the malware. It literally takes seconds, and you don’t even notice it happening. Once the machine is infected, user credentials can be stolen, allowing access to the extended network.

Attacks against automation: The fourth industrial revolution is built upon automation and robotics. These devices are primary candidates for cyber attack. In an industry that is heavily reliant on connected and automated components, points of automation-targeted attacks make the industry highly vulnerable. In a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), they found that in the 12 months from October 2013 there were 245 cyber security incidents, with 32% of those affecting the energy sector and 27% critical manufacturing; of these, 55% were due to APTs (see earlier). You can imagine a scenario whereby a hacker has accessed a crucial automation unit, and sends malicious commands to it, causing chaos, resulting in the shutdown of the unit. Similarly, critical infrastructures, such as those controlled by power and water suppliers, are under increasing threat, including threats of cyber-terrorism. Examples include the 2014 cyber attack against the U.S. federal weather station network (NOAA) and the 2014 German steel mill attack, which caused the failure of multiple automated systems.

As our manufacturing industry becomes ever more interconnected, and the extended supply chain becomes more intrinsically hooked up to the network, the threat surface will become more complex. This brings deep level security issues that need to be addressed at the operating system/platform level. This does not, however, preclude the need for security training and awareness. The ever-present threat of phishing, especially spear phishing, which is often connected to an APT attack, can be handled through user training programs. The cyber security problems facing manufacturers as they undergo the fourth industrial revolution need to be handled by a multi-layered approach, from ensuring that the systems manufacturers use are themselves utilizing appropriate safety measures to the awareness of security risk across the extended supply chain.


CYBERCRIME AND INDUSTRY #2: HOW CYBERCRIME IS AFFECTING OUR FINANCIAL SERVICES INDUSTRY

In the second in our series of articles on cybercrime and industry we will look at how the financial services industry is being impacted by the rise of cybercrime. The financial services sector has always been a traditional target for cybercrime. However, as we saw in the previous article, healthcare has taken over the title from financial services as the number one most targeted industry sector. But does this mean the beady eyes of the cybercriminal are no longer focused on financial services? This article will explore the current climate for hacking our financial sector.

Cybercrime and Financial Services

The financial sector is like the perfect package for a hacker. Banks and other financial institutions contain information that spans everything a cybercriminal wants, all wrapped up in one place: from your financial details and bank account to identity data. If you look at some of the breaches in the financial services sector just in 2014 and 2015, you can see that they are some of the most major in history. For example, in 2014 JP Morgan Chase had 83 million bank accounts exposed in a phishing (including Text phishing or SMishing) scam.

Security attacks are perpetrated using several methods. Phishing is still a major issue for the financial sector as it has been now for many years. The Carbanak bank heist, which purportedly has cost around $1 billion so far, began with a phishing email. The email contained a piece of malware that stole login credentials once installed. The fact that access to bank accounts can be potentially compromised from an email shows how integrated banking is in all of our lives. A new variant of this is the targeting of personal accounts that use mobile banking. For instance, an Android-based malware spots what bank a user is navigating to from their smartphone, and overlays a spoof page that looks identical to the mobile banking page. It then steals the credentials used to access the site, which the hacker can then use to access the real mobile banking account.

But phishing isn’t just hitting individuals. Companies are being targeted by a variant known as Business Email Compromise or BEC. This technique uses the natural hierarchy of an organization to scam employees. Typically, a company accountant, or someone in a similar role, will receive an email from someone high up in the organization, like a CFO or CEO. The email will look exactly like it is from the person it is supposed to be from, as the phisher will have done a lot of research into their target. The email will ask that the person make an urgent transfer of money to a supplier who has had to change their bank account for some reason. This scam has already cost around $2.3 billion according to the FBI.

Advanced Persistent Threats, which use stealth and the long game to extract information and monies, are also being used against the financial sector. In a recent APT threat identified by the Financial Sector Cyber Intelligence Group, spear phishing was the way in for the APT actor. The first step in this type of attack is to implant a Command and Control center (C&C) so that hackers can add further malware to the compromised system. A C&C is like the hacker having their finger right inside the pie – they can control malware and update it remotely. APTs are notoriously difficult to detect as they morph (via the C&C) when any hint of possible detection is observed.

Financial sector attacks are not just about direct access to money anymore. They are also about identity theft and breaching data. The financial sector was ranked third for identity theft last year by the Identity Theft Resource Center. This is because in the world of cybercrime, personal information equates to money. Financial records fetch on average $221 per record, compared to the $30 that a U.S.-based stolen credit card commands on the dark web.

Distributed Denial of Service (DDoS) attacks are also a major threat for the financial sector, with DDoS and web app attacks against financial services having increased 31% since 2015, according to the ‘2016 Data Breach Investigations Report’. However, DDoS attacks are less about pulling down websites and more about being a smokescreen to allow hackers to implant malware, which is then used to steal data and login credentials.

Where Should We Concentrate Our Efforts in Controlling Financial Sector Security Threats?

One of the issues in the banking sector is getting the word out to all the stakeholders, including the board, that cybersecurity is a company wide issue, not just a problem for IT. This is a general problem for any sector, but financial services are feeling the impact in a massive way, and right across the ecosystem, from direct attacks, to supply chain breaches as well as business and personal account compromise.

Because the financial sector, more than most, has very close touch points with its customer base, and has an extended supply chain with direct ties into the main company, it is a sweet target. Even with a broad thinking and strategic security plan, and state of the art security tools in place, with such a wide ecosystem, the sector is at risk. PWC in their ‘Global State of Information Security Survey: Financial Services 2016’ stated that third party vendor security assessment and management is the single biggest challenge of the industry in controlling security threats. PWC points out that industry organizations that use risk based security frameworks to communicate with third party vendors were more successful in controlling security risks within the vendor ecosystem.

Going forward, the increased awareness of threats to the financial sector, brought about to a large degree by the major attacks perpetrated against the industry, will mean that we should all become more vigilant. This should include a generalized education program, not just for those employed within the sector but also the supply chain and customers. The push for a more secure financial services sector needs to be a top down approach. The board must engage in a program of security, which includes frameworks for communicating security information across the supply chain and beyond. As cybercriminals continue to up their game, the financial sector can win the cybersecurity war by upping their game too.


SecurIT awarded as one of the best Security service providers in MT1000

Management Team 1000 has announced the best Dutch B2B Service providers of 2019 based on a study by the Erasmus University, and SecurIT has landed a spot in the top 1000 best service providers of The Netherlands! SecurIT has been awarded the highest Net Promoter Score and the best customer service in the category ‘IT-security’. We are very proud to announce that this also resulted in a second-place overall in IT-security. 

Best business service providers in the Netherlands

In this 3rd edition of the study, more than four thousand business decision-makers were asked about their experiences with service providers. Who has the best products (product leadership), who offers the best customer service and who has the most Operational Excellence? That, combined with NPS, which measures whether people recommend the service to others, provides a fascinating overview. According to Erasmus University and Management Team, the list is objective; it is not about the size of the marketing budget, the turnover or the workforce, but the opinion of the customer. SecurIT scored 5 out of 5 in customer service, 5 out of 5 in NPS, 4 out of 5 in product leadership, and 4 out of 5 in Operational Excellence.

An overview of the different categories

A boost for 2020

With our many years of experience in Identity and Access Management, this national recognition is, of course, the cherry on the cake. We are very thankful for the hard work of our colleagues and the attention of our customers. It gives SecurIT an interesting perspective for 2020!

See the full list of MT1000’s category Security


CYBERCRIME AND INDUSTRY #1: HOW CYBERCRIME IS AFFECTING OUR HEALTHCARE INDUSTRY

This is the first in a series of articles looking at how the cybercrime wave is affecting different industry sectors. This first article will look at our healthcare industry. Healthcare is arguably one of the most information intensive sectors. During any individual interaction with a healthcare service, a multitude of data is created, shared and stored. Electronic health records (EHR) contain enormous amounts of information about us: from personal details, such as name, address and our age, to medical data for past, present and potentially future physical or mental health issues, to financial details. It is a very rich source of information making the healthcare industry a prime target for cybercriminals.

Cybercrime and Healthcare – Levels, Costs and Attack Types

IBM’s X-Force in their 2016 Cyber Security Intelligence Report stated that healthcare is the “most frequently attacked industry”. 2015, it seems, has been the year of the healthcare breach. Most of the serious healthcare breaches since 2010 took place in 2015. This included:

· Anthem: Almost 80 million records breached
· Premera Blue Cross: 11 million records breached
· Excellus: 10 million
· University of California, Los Angeles Health: 4.5 million
· Medical Informatics Engineering: 3.9 million

Any organization that has a breach that involves 500 or more records has a legislative obligation to inform the Office of Civil Rights under Health and Human Services (OCR). The breach is then posted to a website, jokingly called the ‘wall of shame’ for the world to see. According to the information found at the OCR website, in 2015 over 112 million healthcare records were breached.

All of the above incidents were, according to the OCR site, caused by a “hacking/IT incident” on a “network server”. The likely reason behind the breaches was to steal medical records, because medical information is valuable. According to a Ponemon study, 2015 Costs of Data Breach, a U.S. medical record is worth, on average, $368 compared to a mean of $217 for other record types. This makes the healthcare industry a very lucrative target for a cybercriminal, who can sell these data on the dark web. And the data theft doesn’t stop there. Once stolen, personal data is used for social engineering attacks against individuals. It is also used for secondary attacks, like the IRS breach where personal data is used for verification purposes; in the IRS case, to make fraudulent tax claims. Stolen PHI is the gift that keeps on giving.

In 2016 we are seeing a possible change in the tactics used by cybercriminals against healthcare, away from pure data theft, to cyber extortion. There has been a spate of ransomware attacks against healthcare organizations in the U.S.

A recent report by the Health Information Trust Alliance found that 52% of the healthcare organizations interviewed in the U.S. had been victims of ransomware.

Healthcare and Legislation

Healthcare is one of the industries that have specific legislation protecting individual data. In the healthcare industry this is known as Protected Health Information or PHI. PHI covers a gamut of data, including personal identifying information (PII) such as name, address, age and so on. It also includes medical data that relates to physical or mental health issues in the past, present or future. It also includes details such as biometrics, device identifiers and DNA. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), brought in to protect the security and privacy of health data.

The Health Information Technology for Economic and Clinical Health Act, or HITECH, was an act originally introduced to set the framework for electronic health records (EHR). It helps to extend the reach of HIPAA in terms of protection of health data. An extension to HITECH, section 13407, which is enforced by the Federal Trade Commission (FTC), has brought the supply chain into focus. This clause specifies that the rules of data protection and privacy that apply to HIPAA covered entities now extend to all third party business associates, including contractors and sub-contractors, that have anything to do with health data handling. This creates a chain of organizations that have strict rules applied to how they must manage the security and privacy of the health data under their remit.

Healthcare Information and Futures

Healthcare is always going to be a prime target for cybercrime because the industry is a data innovator. Data is used as part of its prime objective, to care for us, but also to build better procedures and healthcare outcomes. The healthcare industry is one of the early adopters of Cloud based big data sharing. The Google Genomics project, for example, allows medics and researchers from across the globe to share genetic information.

Healthcare is also embracing disruptive technologies such as mobile and the Internet of Things (IoT). Analysts MarketsandMarkets are predicting the healthcare IoT market to be worth around $163 billion by 2020. IoT devices are being used across the healthcare ecosystem, from individual wearables relaying health data to the Cloud, to medical devices used within a hospital context – the FDA now being fully on-board with the use of IoT devices in a medical context. As for mobile, a study has shown that at least 87% of physicians use a mobile device for work related tasks.

With all of this data being generated across an increasingly diverse and interconnected playing field of devices and Cloud platforms, healthcare is a cybercriminal’s dream. With HIPAA and now the extended HITECH ruling on third party ownership of data security, it has never been a more important time for the healthcare industry, and its extended supply chain and partners, to step up to the plate and create a healthy cyber security strategy.


TOP 6 TIPS FOR MANAGING VENDOR RISK

This year has gotten off to a great start… if you’re a cybercriminal. Already threats like ransomware are on the rise, with the FBI’s April blog post on the issue showing the prevalence and success of this type of malware. Of course, if you’re not a cybercriminal then this isn’t such a great start. Cyber security, which was once almost an afterthought, is now a critical part of a business strategy and a board level consideration. As our business and vendor eco-systems become ever more connected, through Internet communications and the ensuing Internet of Things, cybercrime considerations can only become even more of a focus for our businesses. This is why it is of paramount importance to extend your security thinking and strategy out into the reach of your vendor eco-system, as you can guarantee that cybercriminals will take advantage of any chink in your armor. 

With this in mind, let’s look at some approaches to keeping your vendor relationships optimized for security.

Top Tips to Keep Your Vendor Eco-System Secure

Controlling vendor risk management is the key to creating secure vendor eco-systems. It results in an all-round better way to do business as it increases trust and decreases risk. If done well, it can also bring about more collaborative and productive partnerships that can be used as best practices for other relationships. The following tips are a good place to start on the road to a more secure vendor relationship management program. But the main thing to remember is that this is a process and all good processes need feedback from which to improve.

Tip 1:  Don’t reinvent the wheel: Use NIST advice.

Before you set out on creating your own vendor relationship security strategy, you should get to grips with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The framework outlines a set of guidelines that give you the starting points for creating a robust security strategy. The five main areas it looks at are: Identify, Protect, Detect, Respond, and Recover. You can read more about this on the Atlas blog.

Having a well thought out security strategy in place is the starting point for creating an extended strategy for your vendor eco-system. Your security strategy must reach out to encompass all of your assets, which includes those shared across that eco-system. Setting out your stall in this way lets you have a clear view of your security needs and allows you to move onto the next part of the process of securing your vendor relationships.

Tip 2: Make wise choices. 

Choosing which vendors can become part of your wider eco-system is part of the process of risk management. This process can also encompass security, by adding in security requirements to your vendor due diligence.  Knowing how a vendor handles, for example, the sharing of sensitive documents, can give you a heads up of any issues that may occur down the line. Attending to potential vulnerabilities at the point of entry to a partner program can alleviate future breaches. Having a partner program and vendor enrolment process, which emphasizes security aspects of the relationship, creates an ethos of secure thinking. If a vendor has an issue with this at the start, then they may not be right for your organization going forward.

Tip 3: Communication is king.

One of the driving forces in modern cyber security is collaboration. The U.S. government has brought in the Cyber Intelligence Sharing and Protection Act (CISPA), for the purposes of sharing information between commercial and government organizations around security threats; the idea being that a “problem shared is a problem halved”. Not everyone agrees with the tenets of the act, but the concept of collaboration around security issues is a sound one. Having inter-vendor security collaboration will help you to mitigate risks through a program of education and shared knowledge. Even setting up partner program awareness sessions, covering general security training and compliance requirements, can be an important step in ensuring everyone is at the same level of security thinking.

Tip 4: Get authentication right.

We’ve seen from a number of high profile cyber attacks that the root cause has been poor authentication measures. For example, the Target Corp. attack was due to a third party (HVAC) vendor being phished; the username and password they used for privileged access to Target’s systems were stolen. If there had been better authentication measures in place this could have been prevented, even if the original vendor had been successfully phished. There are ways authentication can be hardened against phishing attempts. Second factor authentication can be applied to many applications. This can be in the form of an SMS text code, mobile app code, or hardware token code. If user experience is a concern, then you can use adaptive authentication to ‘up the ante’ in terms of authentication requirements. For example, if you detect a login request is coming in from an internal IP address, then you can apply single sign on (SSO), but if it’s from a third-party vendor’s IP address, or other, then you can force the use of second factor, or even further login credentials, like requesting an answer to a personal question. In any extended system where you have arm’s-length control, strong authentication should be a serious consideration.
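The adaptive rule described in Tip 4 can be written as a small policy function. This is an added example, not code from the original article; the network ranges, vendor names and the three authentication levels are constructed assumptions, with vendor addresses mapped to second factor and everything else to second factor plus an extra challenge.

```python
import ipaddress
from enum import Enum


class AuthLevel(Enum):
    SSO = "sso"                      # internal network: single sign-on
    SECOND_FACTOR = "second_factor"  # known vendor network: password + second factor
    STEP_UP = "step_up"              # anything else: second factor + extra challenge


# Constructed sample ranges (RFC 1918 private space and RFC 5737/3849
# documentation space); a real deployment would load these from inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
VENDOR_NETS = {
    "hvac-vendor": [ipaddress.ip_network("203.0.113.0/28")],
    "payroll-vendor": [
        ipaddress.ip_network("198.51.100.64/26"),
        ipaddress.ip_network("2001:db8:50::/48"),
    ],
}


def parse_source(raw):
    """Parse the connection's peer address; return None if it is unusable.

    Pass the address of the TCP peer (or of a proxy you operate), never a
    client-supplied header value: a header can be set to any address.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:10.1.2.3) so it matches the IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def classify(addr):
    """Return (zone, vendor_name) for a parsed address."""
    if addr is None:
        return ("unknown", None)
    # Membership tests across IP versions are simply False, so mixed
    # IPv4/IPv6 range lists are safe to iterate.
    if any(addr in net for net in INTERNAL_NETS):
        return ("internal", None)
    for vendor, nets in VENDOR_NETS.items():
        if any(addr in net for net in nets):
            return ("vendor", vendor)
    return ("unknown", None)


def required_auth(raw_ip):
    """Decide which authentication steps a login from raw_ip must pass."""
    zone, vendor = classify(parse_source(raw_ip))
    if zone == "internal":
        level = AuthLevel.SSO
    elif zone == "vendor":
        level = AuthLevel.SECOND_FACTOR
    else:
        # Unparseable or unlisted sources fail closed to the strictest level.
        level = AuthLevel.STEP_UP
    return {"zone": zone, "vendor": vendor, "level": level}


if __name__ == "__main__":
    # Constructed login sources for illustration.
    for ip in ("10.4.7.20", "203.0.113.5", "203.0.113.77", "::ffff:10.1.2.3", "not-an-ip"):
        decision = required_auth(ip)
        print(f"{ip:18} zone={decision['zone']:8} level={decision['level'].value}")
```

Because a vendor login still requires a second factor, a phished vendor password on its own does not satisfy the policy.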

Tip 5: Automation equals  

Don’t go it alone.  Most modern enterprise organizations are dealing with tens of thousands of vendors in their supply chains.  Manual spreadsheet assessments and required documentation sent and received via email worked just fine when there were only a couple of hundred outside vendors to deal with.  As mentioned earlier, supply chains are only getting larger and we are growing more connected over time.  To truly pinpoint risks in the supply chain, you must have an automated system on which to conduct vendor assessments and collect supporting documentation.

Tip 6: Assume there is no perimeter and always innovate around security. 

The world has never been smaller because of the interconnectedness of almost everything. This is being embraced by vendor platforms too, with Cloud delivery being seen as a way of increasing productivity. This takes your security thinking into a new arena of web-based threats.  If you encompass the previous 1-5 tips to begin the process of securing your vendor relationships, and you use the advice from OWASP on the top ten web threats, then you will be well on your way to having a robust overall security strategy for your eco-system, protecting your own organization as well as all of those in your vendor programs.


The Bad Ads Affecting Cybersecurity

One of the most worrying vectors ever in the history of cybersecurity is starting to become the weapon of choice of the cybercriminal. With a 325% increase in attacks according to Cyphort, Malvertising, or malicious ads, is a force to be reckoned with.

What is Malvertising?

Malvertising isn’t new. Using malicious ads as a vector to push out malware has been around as a technique since around 2007.  However, it is becoming even more sinister and successful because of some hacker innovations in the area. The original version of a malvertising campaign relied on user intervention. However, in recent attacks, no user intervention was needed to end up infected with malware. This is the sinister twist in the malicious ad tale that is leaving consumers and businesses alike reeling.

The reason that malvertising is so successful is down to how the cybercriminal plays the system. Ads are served up across Internet sites from centralized ad networks, such as Google AdSense and Media.net. There are many of these types of networks, serving up ads that reach hundreds of millions of users across the Internet. Cybercriminals use these networks to push their malicious ads out across legitimate websites. It is this use of a legitimate and trusted process and website that makes malvertising so difficult to control and spot. As the networks become savvier about spotting infected ads, the cybercriminals are one step ahead. They are known to place clean ads (paying themselves for the service) and once accepted and pushed out across the network, they are then able to use command and control services to infect the ad with malware.

Malicious ads do still occasionally use the click to install method of malware infection. In this case, the malware is activated on clicking the ad. If a vulnerability is present in the user’s browser, or software add-ins like Flash or Java, then the malware runs using that exploit. However, there is an increase in the use of independent exploit kits to perform the infection, as these require no user intervention. In this scenario you have an infection method known as a ‘drive-by-download’ taking place. Drive-by-downloads work by performing a silent redirection from the site hosting the ad, to a spoof site hosting the exploit kit. This redirection is often very fast and hardly noticeable. On the spoof site sits an exploit kit; the Angler exploit kit seems to be a popular choice. In fact, in Cisco’s Midyear Security Report for 2015 they found that 40% of user penetration was caused by the Angler exploit kit. An exploit kit works by finding vulnerabilities in software on your computer, usually browser and browser add-in software; if found, it uses these to install the malware.

The types of malware installed by malvertising attacks are varied, but a spate of ransomware attacks has taken place recently. Other types of malware popular with malvertising cybercriminals are those that steal login credentials.

Examples of the Success of Malvertising

Using legitimate networks to push ads out means that attacks are prevalent on well-known and trusted websites. Here are some examples of recent malvertising attacks:

In an attack in early 2015, which infected major sites like Huffington Post, a Hugo Boss ad was used as the conduit for malware. This attack didn’t use a redirect to an exploit kit (EK). Instead the kit was packaged up into the ad, which got through the ad network security and out into the wider Internet. The ad based EK utilized Flash vulnerabilities to do its work. Anyone infected ended up with the notorious ‘ransomware’ on their system, which encrypted all of their files and attempted to extort money to decrypt them.

Also in 2015, Yahoo’s ad network suffered a major malvertising breach. The attack was based on the Angler exploit kit, which used a drive-by-download to infect users’ machines. The Yahoo network receives 6.9 billion monthly visits, so it had the potential to impact a massive number of end users: a perfect conduit for malware.

In a most recent attack, earlier this year, a major malvertising campaign affected major news sites like the New York Times and again used a redirect to an exploit kit. This time the EK took advantage of vulnerabilities in Microsoft Silverlight. Again ransomware infection was the end result.

Mobiles aren’t immune to malvertising either. According to the Bluecoat’s 2014 Mobile Malware Report, malvertising is the top threat to mobile users. Mobile as a platform for malvertising makes sense in the light of a BI Intelligence report, which shows that mobile advertising is growing faster than other forms of advertising – why would a cybercriminal not take advantage of that?

It is hard to find out accurate figures on just how many successful infections have been made with a malvertising campaign. However, the fact that this mechanism is increasingly being used, and that ransomware is bringing in as much as $325 million per strain, means that cybercriminals will be willing to spend money to make money by placing ads across legitimate networks that people trust.

What Can be Done?

If ad networks are unable to manage the problem, and the number of successful attacks seems to point to this, then we need to take steps to protect our computers directly.

All malvertising based exploits are based on finding vulnerabilities in your browser or browser plug-ins. This means there are some things you can do immediately to help reduce the risk:

1.     Make sure all of your browsers and associated software, such as Adobe Flash and Java are up to date.

2.     Instead of patching, remove: Flash and Java have known vulnerabilities, which cybercriminals can exploit. If possible, remove software such as Adobe Flash and Java. However, this can impact the functionality of some websites, so it may not be possible. It is also likely that HTML 5, at some point in the future, will be used as a method of inserting malware, so removal of Flash and Java may become a moot point.

3.     Don’t use deprecated software plug-ins such as Microsoft Silverlight as they won’t be supported going forward. Some browsers, such as Chrome have already stopped supporting Silverlight.

4.     Make sure you have a company wide strategy for dealing with this threat, both to prevent infection and to handle the results if you do get infected.

