Category Archives: Risk Management

New Year Resolutions for Better Enterprise Security

Posted on by

Forecasting what the IT security landscape will look like in the year ahead has become an annual technology tradition, and following 2014 as the Year of the Data Breach, I think anyone could make a fairly accurate guess as to what the major trend of the New Year will be: more data breaches.

Forty-three percent of organizations reported a data breach in the past year, a figure that Forrester predicts will rise up to 60% in 2015. And it’s not just the frequency of breaches that we will see escalate in the year ahead, but also that malware will be increasingly difficult to dismantle. P2P, darknet and tor communications will become more prevalent, and forums selling malware and stolen data will retreat further into hidden corners of the Internet in an attempt to avoid infiltration.

By now, it is no longer a matter of if your business is going to be breached, but when. The last thing any organization needs as we enter another year of risk, is a blind side. The good news, though, is that there are ways to prevent them if we act immediately.

We know that an increase in cyber-attacks by stealthier hackers and more sophisticated malware is a sensible prediction – more important, now, is thinking about our resolutions, and how to prepare against what may be lurking ahead.

Here are my top New Year Resolutions for better enterprise security in 2015:

Layer Proactive Defenses

In 2014, many businesses were bitten by data breaches despite spending millions on state-of-the-art, next-generation solutions. In 2015, organizations will have to think smarter and build security from the ground up, layering defenses rather than relying on next-gen panaceas.

Furthermore, this kind of multi-layered approach should encompass more proactive measures – reactive “detective” tactics no longer cut it. Malware has always been hard to detect, and yet I see company after company relying too closely on detection technologies like antivirus (which, believe it or not, works only 50% of the time at best).

Lock Down Data

Following widespread data losses in 2014, businesses should resolve to lock down access to corporate systems and data. This starts with implementing greater control over user accounts and administrative privileges. Employees should always be logging onto systems as a standard user, and even then, businesses need to continue to control and monitor access to files and databases with active anomaly detection. Regular reviews of user roles and their access requirements should become a standard practice.

Ask More Questions

Heartbleed, Shellshock and recently, SChannel attacks have all shaken our confidence in common protocols that underpin much of the internet. Organizations need to practice greater scrutiny in evaluating what is offered by their selected vendors to ensure patching is swift and targeted. Far more questions should be asked around vendors’ processes for code auditing and testing.

Look to Two-Factor Authentication

Many of the attacks of 2014 could have been prevented by two-factor authentication, from the iCloud breach to the eBay compromise. Organizations should be looking to implement two-factor authentication as a way to prevent stolen or shared credentials being used against them. While this method is not a comprehensive solution to address all the security threats we’ll likely face, it does introduce a much needed layer of security.

Don’t Let Security Get in the Way

Stringent security practices are absolutely essential, but they can become a double-edged sword. Locking down system access for instance, although it significantly boosts the organization’s overall security posture, can strike a serious blow to end user productivity. Security must always be top of mind for IT organizations, but you’d be surprised at how quickly appetite to risk changes when its implementation reduces employees’ freedom and flexibility. Here is where deploying strategies like least privilege and sandboxing can have a significant impact by creating a productive and positive working experience for users, without compromising security.

In 2015, businesses should resolve to think smarter about their approach to security. It’s easy to become enamored by the latest glitzy perimeter solutions and invest heavily in next-gen antivirus and firewalls. But, making the most of those investments means thinking more strategically about how they can be layered with more proactive measures and additional safety nets to create a truly defense-in-depth framework. Most of all, we must strive to act on the greatest good principle. After all, IT isn’t the only business stakeholder, and finding a security solution that allows for a seamless user experience is what will most effectively drive adoption – and greater security success.

BYOD: Three Lessons for Mitigating Network Security Risks in 2015

Posted on by

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

 

Congress Overwhelmingly Passes TRIA Bill

Posted on by

After a last-minute failure by the Senate to pass the Terrorism Risk Insurance Act (TRIA) in December, the bill was overwhelmingly passed by the Senate on Jan. 8, with a vote of 93 to 4. The House of Representatives had voted 416 to 5 to pass TRIA in December. The bill now awaits President Obama’s signature.

H.R. 26, which is the same as last year’s amended S. 2244, reauthorizes TRIA through the end of 2020. Under the six-year extension, starting in 2016, there will be phased-in increases to the program’s trigger, raising it from $100 million to $200 million in annual aggregate insured losses, and the insurer co-share will be raised from 15% to 20%. The bill also phases in an increase in the aggregate amount of insured terrorism losses that must be borne by the private sector from the current $27.5 billion to $37.5 billion. Taxpayer dollars to fund those losses would be recouped post-event.

Several industries were quick to praise TRIA’s passage, as the Senate’s failure to reauthorize the Terrorism Risk Insurance Act in December left insurance buyers facing renewals on terrorism coverage with unanswered questions.

The Commercial Real Estate Development Association (NAIOP) praised the bill’s passage, saying, “This is sound policy because it enables insurers and private sector capital to provide coverage for losses that otherwise would fall upon the taxpayer. This vital security blanket could help save billions of dollars that would otherwise be spent in the aftermath of a terrorist attack. Renewing TRIA for six years represents a major victory for the commercial real estate industry and the millions of jobs and economic growth it supports. Today’s vote gives developers the peace of mind to invest in an industry that contributed $376 billion to GDP last year, supported 2.8 million jobs, and produced $120 billion in personal earnings.”

The Coalition to Insure Against Terrorism (CIAT) said in a statement, “CIAT members are pleased the Senate has acted quickly to approve TRIA reauthorization as one of the first orders of business in the new Congress. We commend Majority Leader McConnell and Minority Leader Reid for their leadership in seeing this critical legislation through to completion, and are encouraged by the strong bipartisan support for reauthorization in both chambers.”

Marsh & McLennan said it “applauds the new Congress for its swift reauthorization of this critically important public-private partnership, which will help to ensure a reliable marketplace for terrorism coverage in the event of attack. We are pleased that TRIPRA directs the Treasury Department to review the protocols for certification which would help to protect the nation’s economic security in the event of a terrorist attack.”

Leigh Ann Pusey, president and CEO of the American Insurance Association (AIA), said in a statement that the “terrorism risk insurance program will remain in place protecting our nation’s economy, policyholders and taxpayers. Congress’ timely reauthorization of TRIA will preserve a well-functioning private terrorism insurance marketplace.” She added, “As with previous TRIA reauthorizations, the primary responsibility for financial recovery is placed on the private sector in all but the most catastrophic of events.

“Congress’ bipartisan action on TRIA this week will help ensure the continued availability of terrorism risk insurance, providing stability for the broad range of businesses of all sizes that depend on this essential coverage,” noted the National Association of Real Estate Investment Trusts (NAREIT). “We strongly urge President Obama to sign this legislation into law at the earliest opportunity.”

ISO announced that it is filing revised terrorism forms in response to passage of the act. The revised forms will be for insurer use in most states shortly after President Obama signs the bill, known as the Terrorism Risk Insurance Program Reauthorization Act of 2015.

McAfee Labs Predicts Top Cybersecurity Threats for 2015

Posted on by

2015 cybersecurity trends

In 2015, cybercriminals will increasingly be non-state actors who monitor and collect data through extended, targeted attack campaigns, McAfee Labs predicts. In the group’s 2015 Threats Predictions, Intel Security identified internet trust exploits, mobile, internet of things and cyber espionage as the key vulnerabilities on next year’s threat landscape.

“The year 2014 will be remembered as ‘the Year of Shaken Trust,’” said Vincent Weafer, senior vice president of McAfee Labs. “This unprecedented series of events shook industry confidence in long-standing Internet trust models, consumer confidence in organizations’ abilities to protect their data, and organizations’ confidence in their ability to detect and deflect targeted attacks in a timely manner. Restoring trust in 2015 will require stronger industry collaboration, new standards for a new threat landscape, and new security postures that shrink time-to-detection through the superior use of threat data. Ultimately, we need to get to a security model that’s built-in by design, seamlessly integrated into every device at every layer of the compute stack.”

McAfee Labs predicts the top cybersecurity threats in 2015 will be:

1. Increased use of cyber warfare and espionage tactics. Cyber espionage attacks will continue to increase in frequency as long-term players will become stealthier information gatherers, while newcomers to cyber-attack capabilities will look for ways to steal sensitive information and disrupt their adversaries.

  • Established nation-state actors will work to enhance their ability to remain hidden on victim systems and networks.
  • Cybercriminals will continue to act more like nation-state cyber espionage actors, focusing on monitoring systems and gathering high-value intelligence on individuals, intellectual property, and operational intelligence.
  • McAfee Labs predicts that more small nation states and terror groups will use cyber warfare.

2. Greater Internet of Things attack frequency, profitability, and severity. Unless security controls are built-in to their architectures from the beginning, the rush to deploy IoT devices at scale will outpace the priorities of security and privacy. This rush and the increasing value of data gathered, processed, and shared by these devices will draw the first notable IoT paradigm attacks in 2015.

  • The increasing proliferation of IoT devices in environments such as health care could provide malicious parties access to personal data even more valuable than credit card data. For instance, according to the McAfee Labs report entitled Cybercrime Exposed: Cybercrime-as-a-Service, the cybercrime community currently values stolen health credentials at around $10 each, which is about 10 to 20 times the value of a stolen U.S. credit card number.

3. Privacy debates intensify. Data privacy will continue to be a hot topic as governments and businesses continue to grapple with what is fair and authorized access to inconsistently defined “personal information.”

  • In 2015 we will see continued discussion and lack of clarity around what constitutes “personal information” and to what extent that information may be accessed and shared by state or private actors.
  • We will see a continued evolution in scope and content of data privacy rules and regulations, we may even see laws begin to regulate the use of previously anonymous data sets.
    buy isotroin online blackmenheal.org/wp-content/uploads/2023/10/jpg/isotroin.html no prescription pharmacy

  • The European Union, countries in Latin America, as well as Australia, Japan, South Korea, Canada, and many others may enact more stringent data privacy laws and regulations.

4. Ransomware evolves into the cloud. Ransomware will evolve its methods of propagation, encryption, and the targets it seeks. More mobile devices are likely to suffer attacks.

  • We predict ransomware variants that manage to evade security software installed on a system will specifically target endpoints that subscribe to cloud-based storage solutions.
    buy prograf online blackmenheal.org/wp-content/uploads/2023/10/jpg/prograf.html no prescription pharmacy

  • Once the endpoint has been infected, the ransomware will attempt to exploit the logged-on user’s stored credentials to also infect backed-up cloud storage data.
  • We expect the technique of ransomware targeting cloud-backed-up data to be repeated in the mobile space.
  • We expect a continued rise in mobile ransomware using virtual currency as the ransom payment method.

5. New mobile attack surfaces and capabilities. Mobile attacks will continue to grow rapidly as new mobile technologies expand the attack surface.

  • The growing availability of malware-generation kits and malware source code for mobile devices will lower the barrier to entry for cybercriminals targeting these devices.
  • Untrusted app stores will continue to be a major source of mobile malware. Traffic to these stores will be driven by “malvertising,” which has grown quickly on mobile platforms.

6. POS attacks increase and evolve with digital payments. Point of sale (POS) attacks will remain lucrative, and a significant upturn in consumer adoption of digital payment systems on mobile devices will provide new attack surfaces that cybercriminals will exploit.

  • Despite current efforts by retailers to deploy more chip-and-pin cards and card readers, McAfee Labs sees continued growth in POS system breaches in 2015 based on the sheer numbers of POS devices that will need to be upgraded in North America.
  • Near field communications (NFC) digital payment technology will become an entirely new attack surface to exploit, unless user education can successfully guide users in taking control of NFC features on their mobile devices.

7. Shellshock sparks Unix, Linux attacks. Non-Windows malware attacks will increase as a result of the Shellshock vulnerability.

  • McAfee Labs predicts that the aftershocks of Shellshock with be felt for many years given the number of potentially vulnerable Unix or Linux devices, from routers to TVs, industrial controllers, flight systems, and critical infrastructure.
  • In 2015, this will drive a significant increase in non-Windows malware as attackers look to exploit the vulnerability.

8. Growing exploitation of software flaws. The exploitation of vulnerabilities is likely to increase as new flaws are discovered in popular software products.

  • McAfee Labs predicts that exploitation techniques such as stack pivoting, return- and jump-oriented programming, and a deeper understanding of 64-bit software will continue to drive the growth in the number of newly discovered vulnerabilities, as will the volume of malware that exploits those newly discovered vulnerabilities.

9. New evasion tactics for sandboxing. Escaping the sandbox will become a significant IT security battlefield.

  • Vulnerabilities have been identified in the sandboxing technologies implemented with critical and popular applications. McAfee Labs predicts a growth in the number of techniques to exploit those vulnerabilities and escape application sandboxes.
    buy xifaxan online blackmenheal.org/wp-content/uploads/2023/10/jpg/xifaxan.html no prescription pharmacy

  • Beyond application sandboxing, McAfee Labs predicts that 2015 will bring malware that can successfully exploit hypervisor vulnerabilities to break out of some security vendors’ standalone sandbox systems.