COMPLIANCE ACROSS INDUSTRY: CYBERSECURITY COMPLIANCE REQUIREMENTS BY INDUSTRY SERIES

In the previous six articles, we’ve looked at how cyber security is impacting different industry sectors. The sectors analyzed have been healthcare, financial services, manufacturing, automotive, energy, and retail. Each sector has its own cyber security pain points, and there is, of course, much overlap as well. Phishing is an issue across all industry sectors, likely because it taps into our behavior, which is why it is so successful as an attack vector. To attempt to counter the onslaught of cyber threats against our nation’s industries, each sector has in place compliance measures and regulations that specifically address security and privacy requirements. In this final, round-up article, we’ll be looking at the compliance expectations of each sector, and how those guidelines should fit into any industry sector security strategy.

Healthcare Compliance and Regulations

Healthcare is a data-rich industry sector and as such has some extensive security regulations to adhere to. The main bodies of regulation used within this sector are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

HIPAA was introduced in 1996, and the HIPAA Privacy Rule covers the security of Personal Health Information (PHI). PHI has a very wide scope. It includes all personal information, such as name, address and so on, but it also includes medical records and even DNA. HIPAA specifically regulates how PHI is handled, i.e. used and disclosed. It is meant, however, to get the balance between security and usability of PHI right; it is important to keep health data flowing and available for improved health care. The Privacy Rule covers health plans, healthcare providers, and healthcare clearinghouses. Importantly, it also covers ‘business associates’. This means that the extended ecosystem of third-party vendors used by healthcare organizations also needs to be HIPAA compliant. Essentially, any healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.

HITECH was introduced in 2009 as a way of encouraging the use of Electronic Health Records (EHR). HITECH is a separate law from HIPAA, but the two work in symbiosis. HITECH, for example, has set fines for non-compliance with HIPAA security regulations.

The HIPAA Omnibus Rule, introduced in 2013, strengthens the main security requirements of HIPAA and sets the expectations of the breach notification rule to cover any breach affecting over 500 individuals. The breach must be reported to the U.S. Department of Health and Social Services, and the details made publicly accessible.

Financial Services Compliance and Regulations

The financial services industry has a focus on the protection of financial data, including payment card information. Compliance requirements across the industry are complex and can be country specific. The Payment Card Industry Data Security Standard (PCI-DSS) specifically covers the handling and management of payment card data. The standard covers all aspects of payment card data handling, from acquiring, transmitting and storing to processing these data. PCI-DSS is based on a process of “assess, report, remediate.” It is about understanding your IT assets and processes around payment card handling, sorting out any vulnerabilities, and keeping records, as well as submitting compliance reports to the banks and card brands a company is associated with. Financial services companies need to ensure that their services can be PCI-DSS compliant.

The Sarbanes-Oxley Act was brought in to protect the public from fraudulent financial transactions by corporations in general. However, it also impacts the financial sector. Its main thrust is around which records to store and for how long. The act specifies security measures that need to be undertaken to protect the stored records.

Payment protection is one area of compliance, but this doesn’t mean there isn’t a requirement to also protect Personally Identifying Information (PII) – see ISO27001 below.

Manufacturing Compliance and Regulations

There is a plethora of regulations covering the manufacturing industry, some being specific to the industry type, e.g. toy manufacture. However, in terms of security, the industry has to cover areas as diverse as data protection, IT safety and security, and health, safety and environmental impact. One of the most prevalent security-based standards in this industry sector is the ISO27001 series. ISO/IEC 27001:2013 is a generic version of the standard applied across all industry sectors. It is designed to establish an information security management system within an organization. The standard looks at risks across the IT systems of a company, including how IT security is managed, access controls, operations security, and even human resource security. Meeting ISO/IEC 27001:2013 is an intensive process in which the company must meet all of the requirements.

Automotive Compliance and Regulations

The automotive industry, as a sub-sector of the manufacturing industry, has to meet the compliance requirements of that industry. However, areas of automotive also offer financial packages for car purchases, and as such also need to meet various financial regulations, like PCI-DSS.

Transportation has to look to ISO27001 to ensure that customer and supplier information is kept safe, and to make sure their vendor ecosystem is also conforming to the remit of the standard.

The automotive industry has a specific requirement in terms of car safety too. As the automotive industry embraces the IoT and driverless cars, regulations covering those specifics will likely be covered by extensions to existing regulations.

Energy Compliance and Regulations

The North American Electric Reliability Council (NERC) controls the compliance requirements of the utility companies under the banner of energy. NERC specifically looks after the cyber security expectations of the sector, and more recently the impact of cybersecurity on the Smart Grid.

This sector is also covered by the Critical Infrastructure Protection (CIP) standards, which run from CIP-002 to CIP-009. A BES Cyber System is the term used in the sector to describe cyber assets that require protection. This includes control systems such as SCADA and ICS.

Retail Compliance and Regulations

One of the main regulations overseeing security in the retail sector is PCI-DSS, which controls the handling and management of payment cards. PCI-DSS also covers Point of Sale (POS) transactions. This sector is a major target for data theft, so it is also under pressure to protect PII. Retail outlets build online stores requiring accounts to be created that store Personally Identifying Information, such as your name, address and email address. These data need to be protected using standards such as ISO27001.

Many of the standards and regulations have cross-industry application. This makes sense in light of the cross-industry attack vectors, many of which we have explored in each of the six industry sector articles looking at cyber security. Although some of the sectors have specific needs, such as the healthcare industry, all require a strategic approach to ensuring that the often complex compliance requirements can be met. It can take many months to get through the onerous requirements of compliance standards such as ISO27001, but the protection that a well thought through and regulated cyber security strategy can offer is worth it in the long run, especially in light of the enormous efforts made by today’s cyber criminals.


When Digital Identity and Access Management Meets Physical Security

Where does digital security end and tangible, or physical, security begin? In today’s cybersecurity ecosystem, I’d argue that it’s all just security. In fact, if you are handling these domains in discrete silos, your cyber resilience is already taking a hit.

If your identity and access management (IAM) and physical security initiatives are not working as one, your organization may be suffering from unnecessary grief — and increasing risk.

When Physical and Digital Security Became One

Pinpointing exactly when these two previously discrete functions became one is up for discussion, and some may not even agree that they have become one at all. Regardless, it will be hard to envision them as discrete issues for much longer, particularly as the industry pushes the digital transformation envelope.

At the most basic level, IAM is a username/password credentialing system that gives one layer of authentication. Best practices say to have some second or multifactor authentication (MFA) procedure as part of the process. But this is a more basic question: Even if you’re using MFA, ask yourself, with today’s deceptions, has an identity truly been authenticated?

Not exactly, because in the scenario described, we are only authenticating credentials, not identity. Similar to physical identity and access management (PIAM), which unifies your physical and IT security systems, there is something called dynamic identity management, a next-gen solution gaining some support from major industry players that makes an effort to address the identity issue.

To best explain dynamic identity management, think of a mishmash of facial recognition, internet of things (IoT) sensors and monitors, and risk profiling. You walk into your workplace, a facial recognition system verifies your identity and, based on the risk profile assigned to you, you are allowed access to certain areas, both physical and digital, of the enterprise’s assets.

This certainly sounds like a combined solution that addresses both IAM issues and physical security challenges. From a security perspective, this approach looks fantastic.

But it’s also a brewing privacy nightmare.

Where Security Meets Privacy at the Workplace

Employers and employees generally expect some oversight and monitoring of behavior to occur in the workplace. But when the combination of identity and access management and physical security turns into a form of continuous monitoring that captures what time you get up from your desk and which bathroom in the office you’re using, it’s only a matter of time before privacy is violated.

Furthermore, if the security restrictions become too strict, you end up impacting workflow. Can you imagine what hospital operations would look like in the ER if a doctor or nurse were slowed down due to some IoT sensor failing?

With all the new technological innovations happening right now, it’s a short hop, skip and jump from robust security to behavior control in the workplace — something that, paradoxically, can kill the innovation of organizations. Building out your combined solution will always go back to your risk tolerance. The IBM Institute for Business Value (IBV)’s executive report, “Digital Transformation: Creating New Business Models Where Digital Meets Physical,” captures the essence of this security challenge: “The challenge for business is how fast and how far to go on the path to digital transformation.”

Put differently, before an enterprise makes a decision about which digital transformation path it will take, it should have a relatively good sense of what its security posture should look like post-transformation. Not defining the expected end state can create a huge blind spot that will not only impact security posture, but will also impact business operations as a whole. What’s more, you need to ensure your transformation is trusted by your users, otherwise you’re increasing the likelihood of legal challenges and ethical dilemmas coming toward your enterprise.

Don’t Be Afraid of Low Tech

For the reasons outlined above, there’s a case to be made for some more “archaic” solutions. These include sound human intelligence, situational awareness, and good old-fashioned holistic assessments and education campaigns. For all the gadgetry you integrate into your enterprise, at least in 2019, there is no replacing the gut instinct and human innovation. After all, it is human innovation — albeit sometimes with technical assistance — that circumvents security measures.

The “human touch” needs to be a critical part of identity and access management and physical security systems. The human is where these two issues meet, and trying to move all human security interaction to something more passive will ultimately raise your risk profile, not lower it.

Which is better positioned to see if something is amiss: an IoT sensor, or an employee who knows Johnny shouldn’t be in that part of the building? These are the small vulnerabilities we need to be sensitive to, because for all the wonder and benefit that things like artificial intelligence bring to cybersecurity, we still want to ensure that we are using this great technology as a tool and not a crutch.

Looking further into the future, as you consider which digital transformation strategy will best meet your security needs, remember that there is a technological wildcard waiting to play in the big leagues: quantum computing. Quantum computing has the capability to obliterate credentialing systems as we know them today. We’re not dealing with apples-to-oranges comparisons here — it’s more like apples to locomotives. When quantum computing takes hold, we will not be talking about digital transformation anymore, but instead, quantum transformation.

Key Digital Transformation Takeaways

Because there is so much going on in this space today, it’s worth summarizing some key takeaways.

First, identity and access management and physical security tasks need to be dealt with as one joint task, not two separate ones. Treating them as separate may be a sign that your teams are not aligned internally.

Second, next-gen identity and access management systems, such as those that integrate biometrics and IoT sensors, have incredible potential, but also come with intangible concerns, such as privacy issues. These issues need to be addressed concurrently as part of any digital transformation effort.

Third, before any digital transformation undertaking, make sure you know what the end state is supposed to look like. Not only might you be building more risk and fragility into your system than you bargained for, but new technologies on the horizon may completely alter the expected return on your investment.

Lastly, don’t overlook the human component when facing the digital/physical security challenge. Humans are the glue that connect these two realms — and a critical part of successful digital transformation.

Original post is from Security Intelligence


Businesses have never been more at risk of data breaches

A recent report by DLA Piper found that European companies suffered 60,000 data breaches in the 8 months following the GDPR laws coming into force, equating to one every 5 minutes. Ransomware attacks are also growing by more than 350% annually, while 70% of businesses felt that their security risk increased significantly as recently as 2017. According to the report from PrivacyAffairs, cyber warfare has flared as well, which means that not only businesses but also governments and their citizens have to think twice about their data.

The reports certainly seem to be reflected in the media, with Microsoft, Facebook, and even home improvement retailer B&Q reporting data breaches in recent months. Both Microsoft and Facebook suffered sophisticated hacks, yet B&Q’s records of store thieves were made public simply because the information was stored on open source search engine technology that had not been set up to require user-ID authentication.

This reflects an often overlooked truth about data breaches: although cyber attacks receive more attention in the press, it is more often human error or simple negligence that results in data breaches.

The Information Commissioner’s Office revealed in their yearly financial report for 2017/18 that 4 of the 5 leading causes of data breaches could be attributed to human error.

  1. Data sent by email to incorrect recipient
  2. Data posted/faxed to incorrect recipient
  3. Loss/theft of paperwork
  4. Failure to redact data

Human beings are inherently flawed, and the mistakes of an individual can jeopardise the entire business. Indeed, the notorious Equifax breach of 2017, which leaked the personal data of nearly 146 million Americans, was reportedly due to one employee repeatedly failing to implement software updates that would have prevented the breach.

Given the fact that a company’s employees can often be the weak link in its data security strategy, it is imperative that company directors understand which areas of the business are the most liable to cause a data breach.

1. Remote Workers

One type of employee that can put the wider business at risk is the remote worker. Telecommuting is an increasingly common working arrangement whereby employees are occasionally permitted to work from home, which has led to around 70% of people globally working remotely at least one day a week.

However, remote work carries additional security risks. An employee working with a company laptop in a coffee shop might be using a Wi-Fi network that is not secure, allowing even unsophisticated attackers to gain access to private company data. Additionally, few employees can avoid using paper files, and these confidential documents can quickly be lost or stolen in public places.

Employers should therefore clearly outline their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish device security policies that remove the scope for costly mistakes, such as by specifying that all file downloads should be work-related. Other advisable policies include implementing device monitoring and rigorous password protection, and asking that devices and files are only used in specific locations with secure Wi-Fi networks.

2. Administration department

Another vulnerable area of any business is the administration department. Responsible for a business’ financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. An administrator’s role is therefore crucial for avoiding a data breach: if any of their responsibilities are performed incorrectly, sensitive data could quickly be obtained by malicious third parties.

With so many documents moving through the admin department every day, sensitive information found on meeting notes, tax forms and financial reports can become lost or stolen if an effective process is not in place. A prerequisite should therefore be establishing a clean desk policy in the office, whereby all employees are required to declutter their workspaces at the end of each day.

By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Any data that is still used and found in hard copy should be locked in storage cabinets overnight, with the most important files being stored off-site at a secure information management facility. Furthermore, documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be found and potentially used as blackmail or for fraudulent purposes.

3. Complacent managers

Complacency is perhaps the most common reason for a data breach, and higher-level managers who fail to promote data security best practices pose the greatest risk. Managers are responsible for setting the standard in cybersecurity, but if they become complacent in implementing security awareness programmes their employees may begin to also forget their training.

Poor password management, opening suspect emails and leaving computers unlocked are all practices that creep into a business’ culture if an example is not set at the top. Not only should managers regularly encourage their staff to change their passwords and lock their devices, but they should also arrange for external training to be made available for all staff.

For example, managers should invest in up-to-date e-learning training sessions for both online and offline security, as well as invite IT experts to teach employees about common hacking risks and how they should respond to a successful data breach.

Key Takeaways

The rising threat of cyber attacks is undeniable, and companies of all shapes and sizes should ensure preparations are made to deal with direct attacks. However, businesses cannot afford to neglect the cost of mistakes made by staff and any budget set aside for cybersecurity should include resources for comprehensive training and secure document storage and disposal. Only then can the risk of human error be minimised.

This post originates from technative.io.


Top Privileged Access Management Use Cases

Privileged Access is everywhere. Privileged accounts can be found in every networked device, database, application, and server on-premises and in the cloud. Privileged users have the “keys to the kingdom” and, in the case of a cyberattack or data breach, privileged credentials can be used to cause catastrophic damage to a business. Begin by securing these 6 critical areas with a Privileged Access Management solution. View this infographic to discover where to start.



CYBERCRIME AND INDUSTRY #6: HOW CYBERCRIME IS AFFECTING THE RETAIL INDUSTRY

It is an arguable point, but the retail sector has probably changed more than any other industry area in the last 20 years. This is mostly down to the globalization of retail through online sales, but it is also because of innovation in the area of marketing and consumer loyalty. For example, in 2016 so far, $300 million has been invested into retail technology start-ups. And we love to shop. In 2016, the expected online spend in retail will be $1.67 trillion, and this figure is just going to grow and grow through 2020 at least.

The issue that retail has as it expands its business by embracing the Internet as a sales platform is the same as in other industry sectors: it is opening itself to cyber criminals as well as shoppers.

Retail, like many other sectors, is feeling the pinch in terms of costs of cyber attacks. 

Some of the largest breaches to date have occurred in the retail sector including 145 million customer passwords stolen from eBay, 40 million payment cards and 70 million personal account details stolen from Target Corp, and a breach at Home Depot affecting 56 million customer payment cards.

What sorts of cyber crimes affect the retail sector?

According to the Verizon Data Breach Investigations Report 2016, retail saw the greatest cyber threats in the following three main areas:

● Web app attacks: This is where a web application is targeted. Usually the vectors used are phishing of administration credentials, or exploiting software vulnerabilities and then installing backdoor malware to slowly exfiltrate data. DDoS is also included in web app attacks.

● Point of Sale (POS) attacks: These are remote attacks on POS systems. Key logging malware seems to be the main vector of this attack. This type of cyber threat is being targeted against retailers of all sizes because of the Internet enablement of POS assets.

● Payment card skimmers: In this type of attack, the POS device has to be physically compromised. Often, organized gangs carry out this type of crime. It mainly affects bank ATMs, but merchants are still at risk from this.

A particularly interesting finding by Verizon was that “97% of breaches featuring stolen credentials leveraged legitimate partner access”. This implies that retail has a major issue with securing the supply chain and managing the risk of third parties.

What are the specific pain points of retail?

The Retail Cyber Intelligence Sharing Center (R-CISC) has identified a number of areas that makes retail stand out in the cyber security risk mitigation stakes. These areas make retail a particular type of target for cybercriminals and include:

● High turnover of staff. This means that insider threats are more likely.

● Holding of payment card data, which needs to be PCI compliant. This presents issues in dealing with third parties in the supply chain, who also have to be PCI compliant if they in any way manage financial data.

● Customers are also potential threats. This may be unique to the retail industry, where the customer has the potential to commit fraud.

● Having a widely dispersed attack surface. Many retail outlets have a wide geographic reach in terms of outlets as well as having an online presence.

Retailers have other pressures too that, although not unique to this sector, are a focus of attention. For example, retailers have a number of peak seasons, such as Black Friday, Cyber Monday and Christmas, which are known to be extremely busy times and so a target for fraud and sabotage. Cyber Monday 2015 saw the highest ever sales, with $3.19 billion being spent in a single day. Cybercriminals have been targeting websites specifically to cause chaos on very busy days like Cyber Monday, using Distributed Denial of Service (DDoS) attacks which make websites and apps fall over. In 2014 the WordPress shopping cart Cart66, used by large numbers of retailers to add shopping cart functionality to their site, suffered a massive DDoS attack. Akamai has found that DDoS attacks increased by around 22.5% between 2014 and 2015, with retail being the most popular attack focus for DDoS.

Can retail stop the tidal wave of cybercrime?

Retail analysts eMarketer have predicted that by 2017, over 51% of Americans will make at least one online purchase using a smartphone, accounting for over $75 billion in sales. As retail embraces online purchases, and mobile buying starts to become the normal purchase medium, we can expect to see more mobile-based threats emerge. But mobile threats are now becoming a well-known vector, and e-commerce has an opportunity to nip this one in the bud. One of the key areas that needs to be dealt with to mitigate web-based and ultimately app-based security threats is hardening the software behind the scenes. This means ensuring that mobile and web app development is done as a secure coding exercise, following the advice of the Open Web Application Security Project (OWASP). Many smaller retailers use third-party apps such as WordPress and associated plug-ins to build their retail sites. Using third parties to build your retail site means that you have to be ultra vigilant, choosing security-aware plugins and apps, and maintaining updates. One of the weak points of web and mobile app security is authentication. As mentioned earlier, 97% of breaches featuring stolen credentials leveraged legitimate partner access. It’s important that retail puts the hardening of authentication as a priority, especially for administrator and privileged access via supply chain vendors. Putting security measures in place for known threats, using security intelligence from the likes of the National Institute of Standards and Technology (NIST) and R-CISC, will change the future retail threat landscape from one of major breaches to a much more controlled environment, making it safe for all of us to shop online.


BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?

By Sue Poremba | 4 min read | Original post from Securityintelligence.com

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets, and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts beg the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether the employee needs to use personal devices for work at all. If there are jobs within the organization that don’t require regular access to corporate networks, or if employees are working remotely, those users should not be enrolled in a BYOD program, because their devices are neither authorized nor consistently monitored.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on their devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”


Busting Top Myths About Privileged Access Management

January 14, 2020 | Security and Risk | Sam Flaster

Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes.  However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.

Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why?  Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.

But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.

Myth #1: Because privileged access exists everywhere, it is impossible to secure.

While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.

Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exist, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.

Additionally, modern PAM tools also incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.

Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.

The impossible just became achievable.  Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.

Myth #2: Privileged access management tools are challenging for administrators to manage.

That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.

Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities.  Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.

Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.

It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution.  PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.

Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require a direct connection to a user directory such as Active Directory (AD), and those directory servers are often hosted on-premises. If an attacker compromises a domain controller, or another on-premises server holding domain-privileged credentials, they can extract the key material needed to forge Kerberos tickets (a Golden Ticket, for example) and persist undetected in the company’s network. PAM can provide a vital security layer for the servers hosting IAM’s direct connection to directories like AD.

To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.
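The Golden Ticket scenario above is detectable, and a practitioner will want a concrete check rather than the promise that PAM “provides a vital layer”. The script below is an added example, not code from the original article or from CyberArk. It runs a common Kerberos heuristic over a handful of constructed Windows security events: a forged TGT is never issued by a domain controller, so an account that requests service tickets (event 4769) without any domain controller having logged a TGT request for it (event 4768) within the TGT lifetime is suspicious. The event records, account names, addresses and the 10-hour look-back are constructed assumptions.

```python
"""Heuristic detection of Kerberos ticket forgery (Golden Ticket) from audit events.

Added example, not code from the original article or from any PAM vendor.
Assumption: a forged TGT is never issued by a domain controller, so service
ticket requests (Windows event 4769) appear for an account that has no
preceding TGT request (event 4768) anywhere in the domain within the
TGT lifetime. All events below are constructed, simplified records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (event id, time, account, client address, DC that logged it).
EVENTS = [
    ("4768", "2020-01-14T08:00:00", "alice", "10.0.1.20", "dc01"),
    ("4769", "2020-01-14T08:00:05", "alice", "10.0.1.20", "dc01"),
    # bob's TGT was issued by dc02 but his service tickets come from dc01:
    # only a domain-wide view of 4768 events avoids a false positive here.
    ("4768", "2020-01-14T08:10:00", "bob", "10.0.1.31", "dc02"),
    ("4769", "2020-01-14T08:12:00", "bob", "10.0.1.31", "dc01"),
    # Administrator requests service tickets with no TGT request at all.
    ("4769", "2020-01-14T09:30:00", "Administrator", "10.0.5.77", "dc01"),
    ("4769", "2020-01-14T09:30:02", "Administrator", "10.0.5.77", "dc01"),
]

# Assumption: the domain's maximum TGT lifetime (the AD default is 10 hours).
# A 4768 older than this cannot explain a fresh 4769, because that TGT
# would already have expired.
DEFAULT_LOOKBACK = timedelta(hours=10)


def parse_events(raw):
    """Normalise the constructed tuples: parse times, lower-case accounts, sort by time."""
    parsed = [
        (event_id, datetime.fromisoformat(ts), account.lower(), client_ip, dc)
        for event_id, ts, account, client_ip, dc in raw
    ]
    return sorted(parsed, key=lambda e: e[1])


def find_tgs_without_tgt(raw_events, lookback=DEFAULT_LOOKBACK):
    """Return one alert per 4769 whose account has no 4768 in the look-back window."""
    tgt_issued = defaultdict(list)  # account -> times a TGT was issued, from every DC
    alerts = []
    for event_id, ts, account, client_ip, dc in parse_events(raw_events):
        if event_id == "4768":
            tgt_issued[account].append(ts)
        elif event_id == "4769":
            explained = any(ts - lookback <= t <= ts for t in tgt_issued[account])
            if not explained:
                alerts.append({"time": ts.isoformat(), "account": account,
                               "client": client_ip, "dc": dc})
    return alerts


def summarize(alerts):
    """Collapse repeated alerts into {(account, client): count} for triage."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[(alert["account"], alert["client"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (account, client), n in summarize(find_tgs_without_tgt(EVENTS)).items():
        print(f"possible forged TGT: account={account} client={client} service tickets={n}")
```

Two caveats matter in production. Events must be pooled from every domain controller, as bob’s records show: his TGT came from dc02 and his service tickets from dc01, so a collector that sees only dc01 would raise a false alarm. Ticket renewals (logged as event 4770) extend a TGT’s validity beyond the look-back window, so a production rule should count them as TGT issuance too. Other well-known signals, such as tickets encrypted with RC4 for accounts that normally use AES, complement this check.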

Myth #4: Privileged Access Management solutions interfere with operational efficiency.

The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all.  For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.

In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks — especially in highly regulated industries like healthcare and banking.  Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.

Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.

Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions. 

The average cost of a data breach in 2019 came in at nearly $4 million. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point where organizations can demonstrate that security solutions have a high impact.

In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.

After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.
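Account mapping in Myth #1 and the “scan your systems” ROI measure in Myth #5 come down to the same routine: enumerate who holds privilege, compare that against what the vault manages, and count the remainder. The script below is an added example and not code from the original article or from CyberArk’s Discovery & Audit tool. It works on constructed, simplified copies of a Linux host’s passwd, group and sudoers files and a constructed vault inventory; the set of privileged groups is an assumption, and a real discovery run would also cover Windows local administrators, cloud IAM roles, service accounts and application secrets.

```python
"""Privileged-account discovery and an unmanaged-attack-surface metric.

Added example, not code from the original article or from any PAM vendor.
Inputs are constructed, simplified Linux account files; a real discovery
tool would also walk Windows local admins, cloud IAM roles, service
accounts and application secrets.
"""
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not from the original page).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup_svc:x:1002:1002:Backup service:/var/backups:/bin/sh
toor:x:0:0:spare root:/root:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:bob
docker:x:999:backup_svc
"""

SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup_svc ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts the PAM vault already manages (constructed inventory).
VAULTED = {"root", "alice"}

# Groups whose membership confers privilege (assumption; docker is included
# because members of the docker group can reach root through the daemon).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "docker", "admin"}


@dataclass
class Account:
    name: str
    uid: int
    reasons: set = field(default_factory=set)  # why this account counts as privileged


def parse_passwd(text):
    """Return {name: Account} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        accounts[name] = Account(name, int(uid))
    return accounts


def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        gname, _pw, _gid, members = line.split(":")
        groups[gname] = {m for m in members.split(",") if m}
    return groups


def sudo_grants(text):
    """Return ({user: spec}, {group: spec}) from simple sudoers rules."""
    users, groups = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        principal, spec = re.split(r"\s+", line, maxsplit=1)
        if principal.startswith("%"):
            groups[principal[1:]] = spec
        else:
            users[principal] = spec
    return users, groups


def discover_privileged(passwd, group, sudoers):
    """Map every account that is uid 0, named in sudoers, or in a privileged group."""
    accounts = parse_passwd(passwd)
    groups = parse_group(group)
    sudo_users, sudo_groups = sudo_grants(sudoers)
    privileged = {}
    for acct in accounts.values():
        if acct.uid == 0:
            acct.reasons.add("uid 0")
        if acct.name in sudo_users:
            acct.reasons.add("sudoers: " + sudo_users[acct.name])
        for gname, members in groups.items():
            if acct.name not in members:
                continue
            if gname in PRIVILEGED_GROUPS:
                acct.reasons.add("member of " + gname)
            if gname in sudo_groups:
                acct.reasons.add(f"sudoers via %{gname}: {sudo_groups[gname]}")
        if acct.reasons:
            privileged[acct.name] = acct
    return privileged


def attack_surface(privileged, vaulted):
    """Every privileged account the vault does not manage is exposed attack surface."""
    managed = set(privileged) & set(vaulted)
    return {"privileged": len(privileged), "managed": len(managed),
            "unmanaged": sorted(set(privileged) - managed)}


if __name__ == "__main__":
    found = discover_privileged(PASSWD, GROUP, SUDOERS)
    for name, acct in found.items():
        print(f"{name}: {', '.join(sorted(acct.reasons))}")
    print(attack_surface(found, VAULTED))
```

Run before and after onboarding accounts into the vault, the “unmanaged” count is the attack-surface figure the article describes as proof of ROI. Note what the sample already shows: a second uid 0 account (toor) and a service account with passwordless sudo are exactly the findings a manual review misses.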

Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.

Furthermore, many PAM solutions can integrate with other enterprise software, from IoT device gateways, DevOps tools and network devices to vulnerability management systems, enhancing their value and streamlining security operations as a whole.



CYBERCRIME AND INDUSTRY #5: HOW CYBERCRIME IS AFFECTING THE ENERGY INDUSTRY

The USA is a major consumer of energy; a North American household uses, on average, 11,698 kilowatt-hours (kWh) a year, compared to the average Indian household, which uses 900 kWh a year. According to the World Energy Council, North America is also one of the biggest energy producers in the world, ranking among the top three producers of every type of energy except hydropower.

Critical Infrastructure Security and Cyber Terrorism

Cyber espionage and cyber terrorism / sabotage, are the main cyber threats targeting our energy sector. This sector holds much intellectual property and, as a critical infrastructure, is a seductive prime candidate for terrorism and sabotage, especially by state actors. 

One of the keys to the vulnerabilities within the energy sector is that our energy systems are being digitized to improve efficiency and to keep up with the changing needs of the industry. This includes the connectivity requirements of the extended supply chains used within the sector. Industrial Control Systems (ICS) are part of this digitization program and are being connected to cloud platforms to allow distributed data capture and sharing. This has increased their attack surface, making them more vulnerable to cyber attack. In a review by IBM X-Force entitled “Security Attacks on Industrial Control Systems”, IBM found a massive increase in ICS attacks in the three years prior to August 2015. Hacktivists and malicious insiders are carrying out these types of attacks, and the USA has had by far the greatest number of attacks, at around 70% of the total. The attacks are increasing because of the change from closed systems to Internet-facing ICS.

Like many cyber security attacks, the vectors used are the usual suspects. Phishing, specifically spear phishing, is a key method being used to gain access to network resources and infect systems with malware.

A recent high-profile campaign that specifically targeted ICSs was carried out by the threat group known as ‘Dragonfly’ or ‘Energetic Bear’. The group used three types of attack vector:

1. Spear phishing emails targeting employees and supply chain members.

2. Watering holes, i.e. malware-infected websites that were commonly visited by staff of the targeted companies.

3. Trojanized software: malware inserted into legitimate software developed by third parties and used to update ICS units, so that operators installed the malware themselves.

The group attacked mainly U.S. and European based energy sector companies in the petroleum and electricity-generating sector. However, they went after suppliers to the sector as well. Energetic Bear is a perfect example of an attack capitalizing on Internet facing systems and a supply chain infection.
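The third Dragonfly vector, trojanized vendor software that operators install themselves, is the one a plant can defend against at install time by refusing any package that does not match what the vendor published. The script below is an added example, not code from the original article or from any ICS vendor. It assumes the vendor publishes a manifest of SHA-256 digests and that the operator pins the manifest’s own digest, obtained out of band, in the installer configuration; the package bytes, file names and digests are all constructed.

```python
"""Verifying an ICS update package against a vendor-published digest manifest.

Added example, not part of the original article and not any vendor's tooling.
Assumptions: the vendor publishes "<file name> <sha256 hex>" manifest lines,
and the operator pins the manifest's own SHA-256 (obtained out of band, for
example from the vendor portal over TLS) in the installer configuration.
All packages and digests below are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "vendor" artefacts.
GOOD_PACKAGE = b"PLC-FW v2.1.0\n" + bytes(range(256))
MANIFEST = "plc-fw-2.1.0.bin " + sha256_hex(GOOD_PACKAGE) + "\n"
# Digest of the manifest itself, pinned out of band by the operator.
PINNED_MANIFEST_DIGEST = sha256_hex(MANIFEST.encode())

# What a watering-hole download or a trojanized update server might deliver.
TROJANISED_PACKAGE = GOOD_PACKAGE + b"\x90" * 16   # constructed appended payload
UNLISTED_PACKAGE_NAME = "plc-fw-2.1.0-hotfix.bin"  # a file the vendor never published


class UpdateRejected(Exception):
    """Raised whenever the package must not be installed."""


def parse_manifest(manifest_text: str, pinned_digest: str) -> dict:
    """Check the manifest against the pinned digest, then return {name: digest}."""
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), pinned_digest):
        raise UpdateRejected("manifest does not match pinned digest")
    entries = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        name, digest = line.split()
        entries[name] = digest.lower()
    return entries


def verify_update(name: str, package: bytes, manifest_text: str,
                  pinned_digest: str = PINNED_MANIFEST_DIGEST) -> bool:
    """Return True only if the manifest is genuine and the package is listed and intact."""
    entries = parse_manifest(manifest_text, pinned_digest)
    expected = entries.get(name)
    if expected is None:
        raise UpdateRejected(f"{name} is not listed in the manifest")
    if not hmac.compare_digest(sha256_hex(package), expected):
        raise UpdateRejected(f"{name} digest mismatch: refusing to install")
    return True


def check(name: str, package: bytes, manifest_text: str = MANIFEST,
          pinned_digest: str = PINNED_MANIFEST_DIGEST):
    """Non-raising wrapper returning (accepted, reason) for callers that log decisions."""
    try:
        verify_update(name, package, manifest_text, pinned_digest)
        return True, "ok"
    except UpdateRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check("plc-fw-2.1.0.bin", GOOD_PACKAGE))
    print(check("plc-fw-2.1.0.bin", TROJANISED_PACKAGE))
    print(check(UNLISTED_PACKAGE_NAME, GOOD_PACKAGE))
    # An attacker who replaces the manifest too is caught by the pinned digest.
    forged = "plc-fw-2.1.0.bin " + sha256_hex(TROJANISED_PACKAGE) + "\n"
    print(check("plc-fw-2.1.0.bin", TROJANISED_PACKAGE, manifest_text=forged))
```

A pinned digest proves the package matches what the operator recorded; it proves authenticity only to the extent that the pinned value came from an authenticated channel, which is why the manifest digest must never be fetched from the same place as the package. Vendor code signing with a verified certificate chain is the stronger control, and this check is the minimum to apply when an update arrives from a download mirror or a contractor’s laptop.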

The Department of Energy, in collaboration with the National Institute of Standards and Technology (NIST), has developed a set of guidelines for the energy industry to inform the risk management process within a security strategy plan: the “Cybersecurity Risk Management Process (RMP) Guideline”. Using sound advice such as this helps in building a robust security strategy to manage attacks targeted at the energy sector.

Personal Energy, the Internet of Things and Cyber Security

A report by MarketsandMarkets has predicted that the Internet of Things (IoT) device market within the energy sector will be worth over $22 billion by 2020. This isn’t surprising, as the IoT has become very popular as a method of controlling energy supplies on a personal and business basis. Smart grids and IoT devices like Nest give us the opportunity to generate data, which can then be used to ensure we have the right energy tariff. They can also be used to make sure we use our energy in the most efficient way; turning off lights remotely is one small example of the control features the IoT gives us. The Nest thermostat is one such device that helps consumers and offices make the most of their energy requirements.

However, as we’ve seen in previous posts, the IoT is a cyber criminal’s dream. An IoT device offers a way into our homes and offices. Connected to cloud platforms to collect and analyze data, these devices are open to the same sorts of web-based threats as any other Internet-facing system. You can envision the scenario whereby a hacker has control of thermostats across the nation, exploiting them for data extraction, energy control, and as doors into other devices and accounts. It is even possible that the information gleaned from such devices would tell burglars when you’re away from home. Fortunately, white hat hackers are on the case, finding holes in IoT devices like Nest and offering fixes before the real attackers find them.

To help stem the potential tidal wave of IoT-generated crime, the Online Trust Alliance (OTA) has built a framework of guidelines for ensuring that IoT devices, in the energy sector and beyond, are designed with security and data privacy in mind. It is up to the industry to follow this advice to protect consumers from IoT-based cybercrime.

Switching Off Cybercrime Not the Lights

The Stuxnet worm, which sabotaged centrifuges at Iran’s uranium enrichment facility and allegedly originated from state sponsors in the USA and Israel, is the most infamous energy sector attack in known history. We should expect Stuxnet to be eclipsed before long by a similar attack on critical infrastructure, as our energy sector reaches out into the connected world and opens up our industrial systems to the world of cybercrime. Our energy infrastructures are too interesting a prospect for cyber criminal groups not to be planning attacks already. Those of us who work in this sector face the challenges of new ways of working, but along with those challenges we also need to face cybersecurity head on. Guidelines and frameworks can help us build robust and achievable security plans that work across the entire energy ecosystem.


Threats and opportunities in 2020

Original Dutch article: http://my.socialtoaster.com/splash/cjbRT/ written by Annelies Heuvelmans

The year 2020 has just begun, and Security Management has already spoken with several cybersecurity experts about the threats we must take into account in 2020, but also about the innovations that will turn the tide. One of the essential points to keep in mind is the employee, who has a crucial role. If employees do not recognize the importance of proper security, even the best security policy will collapse like a house of cards.

Malware is sent en masse

“In recent years, cybercriminals have discovered the world of operational technology (OT),” says Bastiaan Bakker, director of Business Development at Motiv. For example, the Operational Security Trends Report from Fortinet shows that as many as 77 percent of all OT managers have had to deal with malware in the past 12 months.

Protecting vital infrastructures

Bakker explains: “One of the reasons for this is the far-reaching professionalization of the criminal underworld. Cybercriminals are forming teams of specialists who make clever use of vulnerabilities within companies. State-sponsored hacking groups are also active in carrying out attacks and causing damage within OT. We therefore see that demand for specialist security of operational technology is increasing quickly. Given the high degree of dependence on operational systems, which regulate our electricity and drinking water supply, for example, security plays a crucial role. However, these environments differ significantly from traditional IT environments. OT environments are often harder to replace because of old legacy systems and the high complexity of the domain.


The first step is to map your OT environment. Where are the links between your IT and OT environments? And who has access to what? Both management and authorization must be set up properly and be mature. Employee awareness is an essential part of this. You can equip your environment with the best security solutions, but if your staff are insufficiently aware of the crucial role they play as gatekeepers of the company, this investment is of little use.”

Gamification

Mats Ros, managing security and privacy consultant at IT service provider Ilionx, agrees with this statement. “Apart from the technical enforcement of good security, we always come back to one point in the IT world: people are the weakest link. After all, people make mistakes. Of course, there are already enough solutions and tools to instruct people and raise them to a higher level of awareness, but getting your employees on board is more complicated. What I notice is that only fifty percent of employees get started with this tooling. That is, of course, far too low. The other half does not see the importance of it and is therefore much more quickly susceptible to a phishing email.


By using gamification – a game element that challenges employees to measure themselves against their colleagues on a scoreboard – the support base will grow, and it makes the tooling more fun. For example, we developed a solution for our own ISO 27001 certification that ensures precisely this.

The SaaS solution, including point counting, looks at how many questions you have answered and how often you give the correct answer. Employees can compare their results with colleagues, but this can also be disabled. Achievements and certificates make this even more fun. For example, someone who completes a quiz at night earns the ‘night owl’ achievement. In this way, you playfully raise the support base and make your employees aware of the much-needed contribution they make to keeping the organization safe.”

A world without passwords

Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales, sees a future without passwords: “The time when the use of passwords alone offered sufficient protection is far behind us. Seventy percent of employees reuse passwords across work and personal accounts. Unsurprisingly, 81 percent of hack-related data breaches start with a user’s identity, such as a weak or stolen password. In 2020, a world without passwords will become more and more of a reality.”

Solution for password challenge

Geeraerts continues: “Until now, multi-factor authentication has been the most apparent solution for tackling the password challenge. Access is granted to a user based on his identity, something he owns, and something he knows. Although this method is more secure than the traditional password, it is less user-friendly due to the time-consuming operations. Access Management solutions with password-free security offer a solution.


PKI, or a one-time password delivered via a token or device, is used to give users access, in combination with biometric data or a PIN. This offers a solution to the vulnerability of traditional passwords, and organizations can thereby also improve ease of login and user-friendliness. However, you should not forget: even with this form of authentication, there is never one size fits all. It is always important to match the authentication method to the security needs to ensure the highest level of security.”

Managed security services that relieve organizations

Organizations see the necessity and have the financial room to invest in security, but they lack the people to get value from security solutions. “We also see an increase in demand for managed security services, which take the burden off organizations entirely. This trend will intensify in the coming years. We also see the rise of security automation. Simple incidents can be handled automatically so that engineers can focus on complex incidents. This also compensates for the shortage of security engineers,” said Twan van Ravestein, Cyber Security Expert at Telindus.


Who or what can you still trust?

“Automation takes place along different axes in 2020. With artificial intelligence and machine learning solutions, you can set up the analysis of network traffic in such a way that deviations and strange behavior can be detected quickly within the business context of the customer.

You are then able to automatically take the right measures to, for example, repair leaks. Systems for User Behavior Analytics (UBA) and Security Orchestration, Automation, and Response (SOAR) are becoming increasingly sophisticated. Finally, in 2020, more and more organizations will embrace the zero trust principle and view the network without a perimeter. In the cloud age, you can certainly no longer speak in terms of a secure internal network and the insecure outside world. This awareness will penetrate many boardrooms,” concludes Van Ravestein.


CYBERCRIME AND INDUSTRY #4: HOW CYBERCRIME IS AFFECTING THE AUTOMOTIVE INDUSTRY

In the 1990 Arnold Schwarzenegger film, Total Recall, there was a futuristic car, called a ‘Johnny Cab’. The Johnny cab was a sort of self-drive automobile, although driven by a robot. In one scene, Arnie was being chased by some baddies. He jumps into a Johnny cab and asks the cab to ‘drive, drive!’ but of course, the robot doesn’t know where to drive. The end result is Arnie, ripping out the robotics of the car and driving it himself. The Johnny cab was a prediction about the near future of the automotive industry, one of robotics, automation and the Internet of Things.

Only 26 years on from the film and we have found ourselves with our own self-driving cars, at least in prototype. BI Intelligence is predicting that by 2020 there will be around 10 million self-driving cars on our roads. Google has its own self-driving car project. Tesla has released the first production car with semi-autonomous driving, the Model S with Autopilot, although a recent fatal crash of a Model S being driven on Autopilot has sent shockwaves through the industry about the safety of self-driving.

And then there are the changes happening within the industry due to the Internet of Things (IoT). IBM’s Watson, for example, is an IoT platform that is used across the automotive industry. It allows you to connect, collect, and analyze data associated with all aspects of transport. It is being used to manage vehicle fleets, improve car efficiency, and handle data across the extended supply chain of the automotive industry. With Gartner predicting that 250 million connected cars will be on the road by 2020, we can expect an enormous amount of Cloud bound data to be generated by this industry sector.

In terms of cyber security threats, the automotive industry feels the same cyber pain as other industries. It is threatened by phishing, extorted by ransomware, and breached by APTs. In the 2016 IBM X-Force review of cyber attacks, manufacturing came in as the second most targeted industry sector, and automotive was one of the most targeted segments within it, accounting for 30% of the attacks on manufacturing.

However, it is the future that may hold the most concern for the automotive industry as it becomes ever more connected.

Future Fears – Cyber Crime and the Automotive Industry 

Platforms, like Watson, which offer a way of creating highly connected networks, are creating greater opportunities by improving collaboration. In an IBM survey, 74% of executives rated collaboration outside of their key industry as being a positive change and bringing growth to their business. However, collaboration and connectivity require you to reach out and share data. The IoT allows the sharing of this data across fast Internet connections. In the automotive industry, this includes information used to keep us safe as we drive, and data that reveals company and product proprietary information to our partner suppliers. Once you begin to store and then transfer data, especially large amounts of sensitive data, the data radar of the cybercriminal begins to twitch.

The problem starting to unfold with the IoT is that in the rush to market to get IoT connectivity into products, and be ‘first to market’, security has taken a back seat. A Hewlett Packard report on the Internet of Things found that at least 70% of IoT devices had security flaws.

We are already seeing IoT-focused cyber attacks. For example, the worm Linux.Darlloz was specifically designed to target IoT devices. Last year a white hat hacker showed how easy it was to fool a self-driving car: using an off-the-shelf device, like a Raspberry Pi, the researcher tricked the car into thinking there was an obstacle in its way, which could potentially cause it to crash.

This insecurity of things has a greater impact when the ‘things’ are multiplied. One of the issues that the automotive industry has at a larger scale than most other sectors is that of its highly extended supply chain. Vehicles tend to be built from parts created by a myriad of specialist suppliers. As the IoT starts to pervade all aspects of the build, manufacturers will be put under pressure to ensure the security of each part is upheld – it is bad enough having a single point of failure, but multiple points of failure can place manufacturers in a difficult position.

The Supply Chain as a Point of Failure

Keeping the supply chain secure, as our automotive industry embraces the cutting edge of technology, is crucial not only to the protection of sensitive and proprietary data, but also to the physical safety of anyone using this new technology. As digitization of the industry takes hold, each individual part that is manufactured is at risk of being compromised by a cyber attack. The software created to control engine emissions may end up infected with a worm that then replicates itself across every digitized part of the vehicle, including IoT sensors. This has already happened to an Internet-enabled security camera that had infected software installed during manufacture; the company ended up being fined by the FTC for security violations.

Vehicle manufacturing is an industry highly dependent on an ecosystem of players, utilizing parts from a variety of companies across the supply chain. This means the automotive industry has to have a clear and effective vendor risk management program. Making sure that each part of the whole is manufactured using security best practices, keeping watch on counterfeit parts entering the chain, and generally managing the changes across the security landscape as new automation enters the industry is more important than ever. It is vital to have a holistic approach to the security of our vehicles to retain consumer safety and trust in the industry.

