
We look back at a successful Round Table on IAM by SecurIT and IBM

Yesterday, on May 3rd, we invited some IAM professionals to discuss different IAM issues and current trends in the Identity & Access Management landscape. This gave us the opportunity to learn from each other and, as knowledge partner at the table, to share some customer stories. For this round table we selected Kasteel Woerden as the location. We look back at a successful day where everyone received plenty of food for thought. Below is a short summary of some of the topics that we discussed.

The first topic we discussed was how we currently deal with automated life-cycle management. This means the whole onboarding/off-boarding process and giving people the right access from beginning to end. It became clear that for most it is currently only partly automated and a lot is still done by hand. This means there is a lot of time to be saved, which becomes more important every day given the shortage of good security resources.

Another topic was the scalability of the IAM services within an organization and how people thought about moving from on-premise solutions to the cloud. Many pros and cons regarding the cloud came up. The most important concern was trust. How can you be sure the cloud supplier has the same high security requirements as you do, or where the data is stored? One of the ways you can check this is by looking at their certifications, since not just anyone can walk into their datacenters. Most agreed that for the time being there will be many hybrid solutions, with part cloud and part on-premise.

We also talked about Identity Management and how you can use context to gain trust, and when to force a second authentication when trust is low. For example, if the same person logs on from a new location, two-factor authentication might be required. But it goes even further than that, for example how quickly you type in your password. These can all be triggers to ask for the extra verification.
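The context-based step-up logic described above, as an added example that is not code from the round table or any vendor: each login signal (new location, unknown device, typing cadence far from the user's baseline, recent failures) adds to a risk score, and a second factor is demanded only when the score crosses a threshold. Weights, the threshold and the sample user are constructed assumptions.

```python
"""Context-based step-up authentication.

Added example, not code from the round table or any vendor: login context
(location, device, typing cadence, recent failures) is turned into a risk
score, and a second factor is demanded only when trust is low. All weights,
thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

STEP_UP_THRESHOLD = 50   # assumed policy: score >= this requires a second factor


@dataclass
class UserProfile:
    known_countries: set
    known_devices: set
    typing_samples: list = field(default_factory=list)  # ms per character, past logins


@dataclass
class LoginContext:
    country: str
    device_id: str
    typing_speed_ms: float   # ms per character while the password was typed
    failed_attempts: int     # failures in the current window


def typing_deviation(profile, speed):
    """Distance of the current cadence from the user's baseline, in standard
    deviations. Fewer than three past samples means there is no baseline yet."""
    if len(profile.typing_samples) < 3:
        return 0.0
    mu = mean(profile.typing_samples)
    sigma = pstdev(profile.typing_samples) or 1.0   # avoid division by zero
    return abs(speed - mu) / sigma


def risk_score(profile, ctx):
    """Sum weighted risk signals. Returns (score, list of reasons)."""
    score, reasons = 0, []
    if ctx.country not in profile.known_countries:
        score += 50            # a new location alone is enough to step up
        reasons.append("new location")
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if typing_deviation(profile, ctx.typing_speed_ms) > 2.0:
        score += 25
        reasons.append("typing cadence differs from baseline")
    if ctx.failed_attempts:
        score += min(ctx.failed_attempts, 5) * 10
        reasons.append(f"{ctx.failed_attempts} recent failed attempt(s)")
    return score, reasons


def decide(profile, ctx):
    """Return ('allow' | 'require_second_factor', score, reasons)."""
    score, reasons = risk_score(profile, ctx)
    action = "require_second_factor" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


def learn_from_success(profile, ctx):
    """After a successful login (stepped-up or not), extend the user's baseline
    so the same context is trusted next time."""
    profile.known_countries.add(ctx.country)
    profile.known_devices.add(ctx.device_id)
    profile.typing_samples.append(ctx.typing_speed_ms)


if __name__ == "__main__":
    # Constructed sample: a Dutch user who normally types about 120 ms/char.
    alice = UserProfile({"NL"}, {"laptop-1"}, [120, 125, 118, 122, 130])
    print(decide(alice, LoginContext("NL", "laptop-1", 121, 0)))   # allow, score 0
    print(decide(alice, LoginContext("US", "laptop-1", 121, 0)))   # step up, score 50
    print(decide(alice, LoginContext("NL", "phone-9", 300, 0)))    # step up, score 55
```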

Resources, especially how to use them productively, came up in many topics, but most specifically during the cloud discussion. If you move your IAM functions to the cloud, would you still need all these security resources on-premise? How much of the responsibility are you willing to give away? It became clear that you will always need your own security resources on-premise to manage these new cloud solutions. Knowledge is power, and it can be too risky to depend only on third parties for this.

The last topic we discussed was how to handle privileged accounts and how to make sure they are secured. Many different solutions can help with this, but it became clear that most of the professionals prefer to store the credentials in a vault. From there you can secure the way the organization works with its most sensitive credentials. If a change has to be made, this can be requested by sending a change request. This way you will always know who is inside your system and why. You can even shield some of the privileged functions and only give access to the ones that are required, and for a limited period.
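The vault workflow described above, as an added example (not the code of any vault product): credentials stay in the vault, access is filed as a change request with a reason, a different person approves it for a bounded period, every step lands in an audit trail, and the lease expires on its own. Account names, people, timestamps and the MAX_LEASE cap are constructed assumptions.

```python
"""Privileged credential vault with a change-request workflow.

Added example, not a product's code: credentials stay in the vault, access
is requested with a reason, a different person approves it for a bounded
period, each step is logged, and the lease expires by itself. Names, times
and the MAX_LEASE policy are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_LEASE = timedelta(hours=4)   # assumed policy cap on any privileged session


@dataclass
class ChangeRequest:
    requester: str
    account: str
    reason: str
    duration: timedelta
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None


class Vault:
    def __init__(self, approvers):
        self._secrets = {}        # account -> credential (a real vault encrypts these at rest)
        self._approvers = set(approvers)
        self._requests = {}       # request id -> ChangeRequest
        self.audit = []           # (time, event, actor, account, detail)

    def store(self, account, secret):
        self._secrets[account] = secret

    def request_access(self, requester, account, reason, duration, now):
        """File a change request; the requested lease is capped at MAX_LEASE."""
        if account not in self._secrets:
            raise KeyError(f"unknown account {account}")
        if not reason.strip():
            raise ValueError("a change request needs a justification")
        req_id = len(self._requests) + 1
        self._requests[req_id] = ChangeRequest(requester, account, reason,
                                               min(duration, MAX_LEASE))
        self.audit.append((now, "requested", requester, account, reason))
        return req_id

    def approve(self, req_id, approver, now):
        """Four-eyes rule: only a listed approver who is not the requester."""
        req = self._requests[req_id]
        if approver not in self._approvers or approver == req.requester:
            raise PermissionError("approver must be authorised and not the requester")
        req.approved_by = approver
        req.expires_at = now + req.duration
        self.audit.append((now, "approved", approver, req.account, f"request {req_id}"))

    def checkout(self, req_id, requester, now):
        """Release the credential only to the requester and only within the lease."""
        req = self._requests[req_id]
        if req.requester != requester or req.approved_by is None:
            raise PermissionError("request is not approved for this user")
        if now >= req.expires_at:
            self.audit.append((now, "denied-expired", requester, req.account, f"request {req_id}"))
            raise PermissionError("lease expired; file a new change request")
        self.audit.append((now, "checked-out", requester, req.account, req.reason))
        return self._secrets[req.account]

    def who_has_access(self, now):
        """Answer 'who is inside the system right now, and why'."""
        return sorted((r.requester, r.account, r.reason) for r in self._requests.values()
                      if r.approved_by and now < r.expires_at)


def demo():
    """One request walked through on constructed data; returns what happened."""
    t0 = datetime(2017, 5, 3, 9, 0, tzinfo=timezone.utc)
    vault = Vault(approvers=["alice"])
    vault.store("root@db01", "constructed-secret")
    rid = vault.request_access("bob", "root@db01", "apply security patch",
                               timedelta(hours=1), t0)
    vault.approve(rid, "alice", t0)
    secret = vault.checkout(rid, "bob", t0 + timedelta(minutes=30))
    active = vault.who_has_access(t0 + timedelta(minutes=30))
    try:
        vault.checkout(rid, "bob", t0 + timedelta(hours=2))   # lease was one hour
        late = "released"
    except PermissionError:
        late = "expired"
    return {"secret": secret, "active": active, "late": late,
            "after": vault.who_has_access(t0 + timedelta(hours=2)),
            "events": [e[1] for e in vault.audit]}
```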

We are looking forward to the next one. Didn’t get invited, or were you unable to attend this one? Let us know and we will keep you updated on when the next one takes place. Got urgent questions? Give us a call.


Less than 30% can prevent ransomware attacks

Less than 30 percent of IT security executives who responded to a recent survey reported that they would be able to prevent large-scale ransomware attacks.

Despite this, SolarWinds MSP’s new report, “The 2017 Cyberattack Storm Aftermath,” found that IT security executives have a high level of knowledge of crypto-malware. More than two-thirds (69 percent) of respondents said they were deeply familiar with ransomware attacks such as WannaCry, which infected hundreds of thousands of endpoints within 48 hours earlier in May 2017, and Petya, which affected systems in dozens of countries in June 2017.

This familiarity led approximately three-quarters of survey participants to rate the risk of both WannaCry and Petya as very high, but it didn’t translate to better protection against this type of incident. While most respondents indicated that they would be able to detect WannaCry (72 percent) and Petya (67 percent), only 28 percent and 29 percent, respectively, said they would be able to prevent these attacks.

For the full article please visit the following link.

Source: Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals


CyberArk acquires Vaultive

CyberArk (NASDAQ: CYBR), the global leader in privileged account security, today announced the acquisition of certain assets of privately-held Vaultive, Inc., a cloud security provider. The deal closed today.

The CyberArk Privileged Account Security Solution is the industry’s most comprehensive solution for protecting against privileged account exploitation anywhere – on-premises, in hybrid cloud environments and across DevOps workflows. Building upon the Vaultive technology, CyberArk will deliver greater visibility and control over privileged business users, and Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) administrators. By delivering a cloud-native and mobile experience, Vaultive will extend the CyberArk solution to these highly privileged users, which are frequent targets for cyber attacks.

“The Vaultive team brings innovative technology and advanced cloud industry experience to CyberArk. We look forward to incorporating the technology to add additional depth and proactive protection for enterprises facing an expanding attack surface in the cloud,” said Udi Mokady, chairman and CEO, CyberArk. “Vaultive provides a strong building block to accelerate CyberArk’s cloud security strategy, making CyberArk the only vendor able to extend privileged account security to administrators and privileged business users in cloud environments with this level of granularity and control.”

For the full article please visit the following link.

Source: CyberArk Press release


CyberArk DNA™

CyberArk Discovery & Audit (DNA) is a powerful tool (available at no charge) that scans systems on your network to uncover accounts, credentials and misconfigurations that can create risk. Following a scan, CyberArk DNA generates a detailed report that IT auditors and decision makers can use to evaluate the status of privileged accounts in the organization and identify areas of risk. The tool is an agentless, lightweight executable designed to expose the magnitude of the privileged account security challenge in on-premises and cloud-based environments. CyberArk DNA helps organizations uncover:

  • Windows accounts and account statuses. Identify privileged and non-privileged Windows accounts, including local administrator, domain administrator, standard user and service accounts. View the password strength, password age and last login date.
  • Unix accounts, credentials and permissions. Centrally view the status of root and individual user accounts on Unix systems, identify SSH key pairs and trusts, and uncover misconfigured sudoers files that can increase the risk of unauthorized privilege escalation.
  • Privileged domain accounts. Discover dormant or unprotected privileged domain service accounts that have access to critical assets or services.
  • Pass-the-Hash vulnerabilities. Locate password hashes vulnerable to theft, and gain a visual map of Pass-the-Hash vulnerabilities and potential pathways to sensitive data and critical assets.
  • Hard-coded application credentials. Identify systems that have embedded, hard-coded or exposed credentials in plain text, which can be captured by malicious attackers inside the network.
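Three of the discovery checks listed above, written out as an added example that is not CyberArk DNA's code: password age from shadow-style records, sudoers rules that grant unrestricted or passwordless root, and plain-text credentials in configuration files (reporting the key and line, never the value). All sample inputs are constructed and the 90-day threshold is an assumed policy.

```python
"""Discovery checks of the kind listed above, as an added example (not
CyberArk DNA's code): password age from shadow-style records, risky sudoers
rules, and plain-text credentials in configuration files. Sample inputs are
constructed; the 90-day policy threshold is an assumption."""
import re
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy


# ---- 1. password age (field 3 of /etc/shadow = days since 1970-01-01 of last change)
def password_ages(shadow_text, today):
    """Return {user: days since last password change} for accounts with a usable password."""
    epoch = date(1970, 1, 1)
    ages = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 3 or f[1] in ("", "*", "!", "!!"):
            continue   # locked or passwordless: not a password-age finding
        last_change = epoch + timedelta(days=int(f[2] or 0))
        ages[f[0]] = (today - last_change).days
    return ages


def stale_passwords(shadow_text, today, max_age=MAX_PASSWORD_AGE_DAYS):
    return sorted(u for u, age in password_ages(shadow_text, today).items() if age > max_age)


# ---- 2. sudoers rules of the form "who host=(runas) [TAG:] commands"
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                       r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def risky_sudoers(sudoers_text):
    """Flag rules that grant every command without a password, or hand out a shell."""
    risky = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if "NOPASSWD:" in m["tags"] and "ALL" in cmds:
            risky.append((m["who"], "NOPASSWD with ALL commands"))
        elif any(c.endswith(("/sh", "/bash")) for c in cmds):
            risky.append((m["who"], "grants an interactive shell"))
    return risky


# ---- 3. hard-coded credentials in config text (report key and line, never the value)
CRED = re.compile(r"(?i)([\w.-]*(?:password|passwd|pwd|secret|api[_-]?key))"
                  r"\s*[=:]\s*['\"]?([^'\"\s]+)")


def hardcoded_credentials(config_text, filename):
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED.search(line)
        if m and not m.group(2).startswith("${"):   # ${VAR} is an injected placeholder
            hits.append((filename, n, m.group(1)))
    return hits


# ---- constructed sample data (not from any real system)
SAMPLE_SHADOW = ("root:$6$constructed:17000:0:99999:7:::\n"
                 "svc-backup:$6$constructed:17200:0:99999:7:::\n"
                 "www-data:*:17200:0:99999:7:::\n")
SAMPLE_SUDOERS = ("# constructed sudoers\nDefaults env_reset\n"
                  "root    ALL=(ALL:ALL) ALL\n%admin  ALL=(ALL) ALL\n"
                  "deploy  ALL=(root) NOPASSWD: ALL\n"
                  "backup  ALL=(root) NOPASSWD: /usr/bin/rsync\n"
                  "ops     ALL=(root) /bin/bash\n")
SAMPLE_CONF = ("# constructed app.conf\ndb_host = db01.internal\n"
               "db_password = \"Summer2017!\"\napi_key: ${API_KEY}\n")


def run_sample_scan(today=date(2017, 5, 3)):
    return {"stale_passwords": stale_passwords(SAMPLE_SHADOW, today),
            "risky_sudoers": risky_sudoers(SAMPLE_SUDOERS),
            "hardcoded_credentials": hardcoded_credentials(SAMPLE_CONF, "app.conf")}


if __name__ == "__main__":
    for check, findings in run_sample_scan().items():
        print(f"{check}: {findings}")
```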

Download the CyberArk DNA whitepaper.

Or fill out the form to receive your free assessment.


2017 Cost of Data Breach Study

Last year IBM and Ponemon Institute researched the average total cost of a data breach. It became clear that the average total cost of a data breach is $3.63 million. Are you interested in reading more about this research? Fill in the form to receive the full study. The average cost per stolen record went down this year by 10%, from $158 in 2016 to $141 in 2017. This sounds like good news, but the number of breaches that took place went up by 1.8%. On average the number of stolen records per data breach was 24,000.

$141 is the average cost per lost or stolen record


Get your whitepaper here


About SecurIT

Founded in 1999, SecurIT has over 18 years of extensive experience in designing, implementing and maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands, SecurIT offers its customers high-quality consultancy, implementation, management and support services (24/7).


GDPR and PSD2

For professionals in security, identity management and access management (IAM), 2018 will be a very important year. As of May 25th all companies and other organizations must comply with the new GDPR regulations, and as of Saturday January 13th PSD2 will be a fact of life for the entire EU. When thinking of customer privacy and processing consumer data, obligations pile up. The question is: are these opportunities or barriers for business development?

In co-operation with partner IBM, SecurIT invited professionals for a ‘round table event’ end of last year in the Boardroom of the Rembrandt Tower in Amsterdam. Those attending discussed the impact of the new legislation on IAM.

The event was kicked off by Angélique van Oortmarssen (KPMG) and Sonny Duijn (ABN AMRO). Ms. Van Oortmarssen spoke on GDPR and Mr. Duijn shared his views on how PSD2 will impact retail business.

After these two short briefings the conversation concentrated on how companies need to adapt their own IT-infrastructure and open access digital platforms to benefit from the new opportunities GDPR and PSD2 will offer. Especially the impact on the financial services sector and retail was discussed.

An article by Sonny Duijn on the impact of PSD2 on retail is available here. A publication by Angélique van Oortmarssen can be downloaded here.

Download the full Round Table article


SecurIT Belgium has been renamed to TrustBuilder Corporation

Our Belgian sister company SecurIT b.v.b.a. has some exciting news to share with you. Just before 2018 they announced that SecurIT b.v.b.a. will be renamed TrustBuilder Corporation N.V., which means that their main focus will be on further developing and selling the product. TrustBuilder Corporation in Gent and SecurIT in Amsterdam will remain sister companies.

The name and type of the company have changed, but it is not a new company. This means all existing contracts will remain unchanged. All customers and suppliers will be notified about this change.

To achieve the short term goals for 2018 a new board of directors has been formed for TrustBuilder Corporation in Gent:

  • Walter Beyen, President of the Board
  • Marc Vanmaele, Board member and CEO
  • Nils Meulemans, Board member
  • Rob Bus, Board member
  • Jan Valcke, Board member (independent, non-shareholder)

The mission of SecurIT in Amsterdam will remain unchanged: Selling, implementing and supporting the best Identity & Access Management software of third parties such as: IBM, CyberArk and TrustBuilder.

For more information regarding this change and TrustBuilder, please visit: https://trustbuilder.com/

For the full press release, please download the following PDF: https://goo.gl/oUkMPu


The Staggering Numbers Behind Breaches of PII and PHI

September 19, 2016 | Michael Janeiro

Experts in the field of cybersecurity insist the world is in the midst of a cybercrime era. Nobody knows when or even if this era will diminish to the point where it’s not a challenge to the day-to-day operations of every business, government agency, nonprofit organization, and institution.

What is generally agreed upon is that trying to prevent and ultimately dealing with the aftermath of data breaches are now standard costs of doing business.

No matter whose study you review on the risks to your organization’s Personally Identifiable Information (PII) and Protected Health Information (PHI), the results show an increased risk of breaches related to hacking and an increased cost to remedy the consequences of data breaches.

A $4 million problem

The recently released 2016 Cost of Data Breach study found that the average consolidated total cost of a data breach is $4 million. The 11th annual edition of the study sponsored by IBM Security and conducted by Ponemon Institute also found that the average cost incurred on each lost or stolen record containing sensitive and confidential information is $158.

In addition, there is a 26 percent likelihood of a company or organization experiencing a data breach involving at least 10,000 records in the next 24 months.

In healthcare, a $6 million problem

The statistics are even more alarming when it comes to healthcare-specific data.

According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, about 90 percent of healthcare organizations represented in the study experienced a data breach in the past two years. About 45 percent suffered more than five breaches in the same period.

The study also estimated that the healthcare industry is shelling out $6.2 billion a year to pay the various costs related to data breaches. On average, covered entities are paying $2.2 million as the result of breaches, while their business associates and third parties have to pay $1 million on average for their role in healthcare-related breaches.

Those costs include lost business, fines from regulators, investigating the cause of the breach, and restitution to affected consumers.

Criminal attacks — most notably ransomware, malware, and denial-of-service (DOS) attacks — account for about half of healthcare data breaches.

It’s not just large regional hospital organizations and health insurance companies that are falling victim.

Go to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) so-called “Wall of Shame” website, and you’ll find plenty of local dentist practices, chiropractic centers, and independently owned pharmacies that suffered data breaches potentially affecting a few hundred or few thousand patient records.

The HHS’s Breach Notification Rule requires healthcare providers to promptly notify the agency, affected individuals, and in some cases the media if there is loss, theft, or breach of PHI of at least 500 individuals. All such reports are then listed on the OCR’s Breach Portal.

One analysis of the OCR website found 253 such breaches in 2015 that compromised a total of 112 million records. In addition, about one in five of last year’s healthcare breaches fell into the category of “hacking/IT incident,” including 9 of the top 10 breaches reported.

Why is healthcare data so sought after by hackers? According to some reports, each individual healthcare record is worth $10 in the criminal market, or up to 20 times more than a stolen credit card number. Other estimates place the value between $20 and $70.

While that may not seem like much to commit a crime for, consider how much 5,000 healthcare records are worth at say, $15 a record: $75,000. Target an easy-to-breach entity and that’s $75,000 with minimal effort.

How to minimize risk and cost of breaches

Among the lessons the Ponemon Institute shared in its recent report were ways companies can both minimize the risk and cost of suffering a data breach.

Data loss prevention controls and activities cited in the study include encryption, endpoint security solutions, and participating in a threat intelligence sharing platform to research security threats, aggregate intelligence and collaborate with peers.

Data governance initiatives that can potentially reduce the cost of data breach include incident response plans, employment of a Chief Information Security Officer, employee training and awareness programs, and a business continuity management strategy.


CYBERSECURITY MID-YEAR ROUNDUP

By the time we sang “Auld Lang Syne” in 2015 we had experienced a year of unparalleled cybercrime. In this article I’ll look at the current cyber security landscape to see whether there has been any improvement in the year to date, or whether we are likely to see continued cyber attacks at the level seen in the breaches of the Office of Personnel Management (22 million records stolen) and Ashley Madison (37 million records lost). As mid-year approaches, we can glance back at the last 5 months and perhaps use this to predict where we will be by the end of 2016, hopefully in a better place.

Cyber Threat Landscape to June 2016

I am about to make a statement which is slightly at odds with the view of cyber security to date. I believe that cybercriminals may have become more predictable. This predictability is coming out of their use of successful strategies and is an expected pattern of behavior – “if it works, why fix it”. If you think about it, cybercrime is a business; it makes money… lots of money. If you hit on a successful business model, you use it. Cybercriminals seem to have found a very successful model in the guise of ransomware and they are milking this technique in 2016 for all they can get. Phishing too continues to make the grade as a first class hacking tool, being heavily used in the more targeted version, spear phishing. 

Ransomware: In 2016, so far, we have seen ransomware become the cybercriminal weapon of choice. McAfee in their 2016 Threat Predictions report, predicted ransomware would be a major threat in 2016, and so far they have been proven right. In the last 5 months new ransomware families, such as ‘Locky’ have appeared, causing mayhem. Locky was the ransomware behind the recent Kentucky based Methodist Hospital cyber attack and you can see from Ransomware Tracker that Locky has been the main type of ransomware used this year.

Perhaps proof of the movement to a ransomware based malware model can be seen in two major modifications to its use case:

1.     The changing profile of ransomware to include mobile infection. An example of this in action is the update of a previously very successful Android-based Trojan known as Android.SmsSpy.88. This malware was previously used to steal credentials by spying on SMS texts and calls. The malware has now morphed into a type of mobile ransomware, which locks your phone and requests payment to unlock it.

2.     The addition to the hackers’ toolset of ‘Malware as a Service’, making it easy for even novice hackers to use as a money-making service.

Phishing and email-borne malware: Ransomware and other malware need a mode of transmission, and phishing is as popular with the cybercriminal this year as it was in 2015. Kaspersky Labs, who keep a watch on cybersecurity trends, have seen an increase in emails containing malicious attachments in the first quarter of 2016.

Business email compromise (BEC) attacks are also increasing this year. This is where specific business users, usually financial executives and HR, are targeted with phishing emails – BEC being a variant on spear phishing. The emails look like they’ve come from high-ranking executives in the company asking the recipient (often a company accountant) to urgently transfer monies to a bank account (owned by the cybercriminal). The FBI’s Internet Crime Complaint Center 2015 report has placed BEC as one of its ‘hot topics’, with losses due to BEC attacks of over $263 million last year.

Again, cybercriminals know when they are onto a good thing and will continue to use phishing as a means to get into your systems. However, they will also morph into new ways of using social engineering to extract your login credentials. We’ve recently seen phishing become SMiShing. This method uses a mobile text to send links to a spoof site that, once clicked on, harvests your login credentials.

DDoS: In the first quarter of 2016 the USA was one of the three largest attack victims of DDoS attacks, China and South Korea being the other two. Many of the attacks are politically motivated, such as the one against Donald Trump’s website, carried out by the group ‘New World Hackers’, earlier this year.  But it isn’t just political motivation driving DDoS attacks. These types of attacks are a distraction method, to take security personnel’s eye off the ball, fixing the DDoS attack, whilst hackers then use this opportunity to insert malware. One of the most recent victims of a DDoS attack is the American Registry for Internet Numbers (ARIN) who had a DDoS attack on May 26.

The Insider Threat: Insider threats are as much a social issue as a security one and we can only expect these types of threats to remain consistent throughout 2016.  The U.S. Department of Homeland Security is even predicting that we will see an increase in cyber security breaches caused by insiders with political motivation – these threats being targeted against critical infrastructures and utilities. Vulnerable focus areas such as privilege misuse are one of the mainstays of the insider threat – the 2016 Data Breach Investigation Report (DBIR) defining it as the second most common incident type.

Which Industries Are Being Targeted?

In a nutshell, everyone is being targeted: individuals, independents, SMBs, not-for-profits, right up to the largest corporates; if money, data and credentials are there for the taking, you will be a target. The cybercriminal has settled into their international role as chief rogue and is expected to cost global business a staggering $2.1 trillion by 2019 – that’s 4X the 2015 costs, according to Juniper Research. Juniper also stated that 60% of all data breaches in 2015 occurred in North America. Cybercrime has become the next big industry sector, tax-free, admittedly.

In terms of who will be next on the cybercriminals ‘to do’ list, we should expect ransomware to up its game in terms of target reach. Until recently, the types of monies exchanged were relatively small, the bitcoin equivalent of a few hundred dollars. The recent attack at the Hollywood Presbyterian Hospital in LA resulted in $17,000 being extorted. However, it’s likely that this is the tip of the iceberg and larger enterprises will start to feel the force of ransomware. Larger organizations will be asked for ransoms that are much higher than what we have been used to so far. I’m watching for the million-dollar ransom to hit the news.

As for which sectors are in the cybercriminals’ sights, IBM’s X-Force recently stated that healthcare was the most targeted of all industries. However, any industry that holds personally identifying information (PII) is at high risk. We can expect industry sectors such as retail to continue to be hit, following on from the success of the Target Corp. breach. This is especially the case if the extended and complex supply chain used by retail is not risk managed – the perfect storm of phishing and poor authentication making poorly managed partner eco-systems easy prey. To back this claim up, the NTT Group 2016 Global Threat Intelligence Report found that the retail industry had 2.7X the number of attacks that financial clients did in 2015.

As cyber security becomes big business in its own right and the cybercriminal becomes the cybercrime entrepreneur, we can expect the next half of 2016 to bring even more of the same issues we have seen over the last few months. Ransomware, spyware and Advanced Persistent Threats are already brewing and ready to siphon off money and data. The way forward is to be knowledgeable about the problem. If we prepare ourselves and put in place strategies to identify, detect and respond to cyber security threats, not just in our own organization but with anyone we do business with, then by the end of 2016 we may well have put a dent in the cybercriminals’ armor.


THIRD PARTY RISK STUDY RESULTS BY PONEMON INSTITUTE

Culture is something that seems to be a very human thing. We love to build tribes, and around those groups we add layers of knowledge and characteristics that describe the beliefs and traditions of a particular set of people. This is no less true in business. In fact, the culture of a business can influence everything about an organization, from its decisions to its strategies, the way it operates, and how its people interact with each other, third parties and customers. It is with this in mind that the Ponemon Institute has created a new study focusing on third party risk management. The study looks at how risk management is impacted by a ‘top down’, C-level culture driving important strategies and practices in this area. The study is called “Tone at the Top and Third Party Risk”, and this post will take a look at the report, its results and its recommendations in third party risk management.

Setting Out The Landscape

Ponemon interviewed 617 respondents for the report. Their collective view was that cyber security, coupled with disruptive technologies is a major game changer in vendor risk management.  Cyber threats are increasing and 2015 has left everyone with a cyber headache – PWC concurring, finding 76% of executives are concerned about the effects of cybercrime on their organization. This is likely due to the massive increase in cyber threats that came out of 2015, an example being the Anthem breach, which resulted in 80 million records being exposed.  The report goes on to say that the introduction of new and disruptive technologies such as the Internet of Things (IoT) is compounding the issues by adding a new layer of threat to the already worrying cyber threat landscape – in the Ponemon study, 78% stated that their vendor risk profile is significantly impacted by these changes.

Why Are C-Level executives Not Engaged in Risk Management?

With the kind of press that cyber attacks are getting, and understanding the impact across the supply chain that a breach can have, you would expect full engagement from all levels in an organization. However, the report found a lack of interest in vendor risk management by top management. The reason for this lack of concern is thought to be because 63% of executives don’t believe they have ultimate accountability or responsibility for this area. In a related vein, board members were also disengaged from the vendor risk management process – communication was decoupled resulting in a lack of understanding or engagement.

It’s About Good Communication

One of the pre-requisites of cultural exchange of ideas is good communication.

The Ponemon report shows that poor communication is an issue in the majority of the respondents, with only 11% feeling they had effective communications with both internal groups and third party vendors. Seamless and effective communication is the ground stone of any organization – we may live in a digital age, but you still need to communicate to make things happen. The idea of ‘tone at the top’ is to have a top down approach to communicating the core values of an organization across the extended eco-system, drawing in third party vendors. In the study, 41% of respondents said that they expected this communication to start at the door of the CEO. Positive tone at the top, which incorporates ethics and values of the organization, will then filter down into the relationships with third party vendors resulting in better all-round trust and reduced risks.

But It’s Also About Good Assessment

Two thirds of the respondents in the study admitted that their internal controls over the supplier eco-system were lax. Many of the respondents said that their third party management processes were undefined and ad hoc, with only 26% having effective controls in place. This lack of control extends out to the third parties themselves, with 33% of respondents saying that they wouldn’t terminate the contract of a third party who didn’t meet their expected levels of control. The areas that came up short were in the process of assessment and metrics. Over half of the respondents couldn’t identify what intellectual property was in the hands of third parties. Worryingly, less than half of those asked did any cyber security risk assessment of their third party partners. This ultimately leaves all open to increased risks.

A recent advisory put out by the U.S. and Canada to warn of ransomware attacks across the supply chain, is a stark warning to all that we need to get our houses in order.

Some of the Statistics From the Report

Section 2 of the report looks at some of the key findings. Here is a round up of some of the most interesting:

  • 75% believe that third party risk levels are increasing and serious.
  • The IoT and cyber attacks are the most significant factors in terms of increased third party risk.
  • Minimizing downtime and business disruption are the main objectives in managing risk.
  • There is a serious lack of formal programs for third party risk management.
  • 50% of respondents didn’t believe that their risk management was aligned with business goals, and said that C-level management and board directors were not engaged in the process.
  • 41% expected their CEO to set a positive tone for the entire organization, which in turn results in more trustworthy relationships across the supply chain.
  • Third party risk assessment is ineffective in 74% of respondent organizations, and checks are generally informal.
  • Even if a lack of controls were found in the third party vendor, their contract would not be terminated by most.
  • 49% did no cyber security risk assessment at all.

Having a Positive Tone at the Top

The report conclusion has a list of ten recommendations to improve the culture of vendor risk management. It also points out that ignoring the issues can cause ‘severe’ consequences citing an average of $10 million spent annually by the respondents on problems created by malicious or negligent third parties. The ten recommendations focus on positivity, communication and assessment to reduce risk. The conclusion is that the tone coming from top level executives will filter down through the company and across to partners and other third parties, imparting the vision and strategy of the organization. Communication of values and vision, especially around risk appetite will be part of this dissemination of the risk culture. The recommendations also focus on assessment, such as understanding the impact of disruptive technologies like Cloud and IoT and the threat of cyber security attacks.

The consensus of the study is that the engagement of C-level and board executives is a vital part of the equation in managing third party vendor risk. By having a positive tone at the top, the message around company ethos, vision and strategy is disseminated across the third party vendor eco-system. This will result in a more coherent and tightly controlled extended organization that can better manage risk in a changing and disruptive environment.