Tuesday, August 30, 2016

Study Finds Employees’ Security Hygiene Getting Worse Just As Ransomware Exposes Insider Negligence

Varonis-Sponsored Ponemon Institute Report Examines Widening Gap between End Users and IT Professionals as Data Breaches Increase

LONDON, UK -- August 30, 2016 -- At a time when ransomware and other attack techniques that exploit insider negligence are becoming rampant, only 39 percent of end users believe they take all appropriate steps to protect company data accessed and used in the course of their jobs. This is a sharp decline from 56 percent in 2014, according to a new survey of more than 3,000 employees and IT practitioners across the U.S. and Europe. The report was conducted by the Ponemon Institute and sponsored by Varonis Systems, Inc.

Moreover, while 52 percent of IT respondents believe that policies against the misuse or unauthorised access to company data are being enforced and followed, only 35 percent of end user respondents say their organizations strictly enforce those policies.

The new release, "The Widening Gap between End Users and IT," compares end-user practices and beliefs with those of their colleagues in IT security and IT generalist roles. This new analysis draws from the same data released by Varonis and the Ponemon Institute August 9, 2016, in a report entitled "Closing Security Gaps to Protect Corporate Data: A Study of US and European Organisations," which found a sharp rise in the loss or theft of data, an increase in the percentage of employees with access to sensitive data, and the belief among participants that insider negligence is now the #1 concern for organizations trying to prevent these losses.

The survey results are derived from interviews conducted in April and May 2016, with 3,027 employees in the United States, United Kingdom, France, and Germany. Respondents included 1,371 end users and 1,656 IT and IT security professionals, in organizations ranging in size from dozens to tens of thousands of employees from a variety of industries including financial services, public sector, health care and life sciences, retail, industrial, and technology and software.

Among the key findings:
• Sixty-one percent of respondents who work in IT or security roles view the protection of critical company information as a very high or high priority. In contrast, only 38 percent of respondents who are considered end users of this data believe it is a very high or high priority.
• Asked about their organization's attitude on productivity vs. security, 38 percent of IT practitioners and 48 percent of end users say their organizations would accept more risk to the security of their corporate data in order to maintain productivity.
• Asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35 percent of end users agreed, while 53 percent of IT professionals believe it is a top priority for senior executives.
• Asked for the most likely causes of the compromise of insider accounts, 50 percent of IT practitioners and 58 percent of end users say negligent insiders. "Insiders who are negligent" was by far the most frequent response for both IT and end users, more than twice as common as "external attackers" and more than three times as common as "malicious employees."
• End users are far more likely than IT or security professionals to attribute data breaches to insider mistakes. Seventy-three percent of end users say data breaches are very frequently or frequently due to insider mistakes, negligence or malice, while only 46 percent of IT respondents draw the same conclusion.

Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute, a leading research center dedicated to privacy, data protection and information security policy, observed, "At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes. If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users' compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration."

Yaki Faitelson, Co-Founder and CEO of Varonis, said, "Human error will always be a weak link in security. Insiders compromise security maliciously or accidentally and outside attackers continue to hijack the credentials and systems of employees, administrators, contractors, and executives. The only way to stem this tide is to implement controls on data access, monitor all activity and implement the most advanced user behavior analytics and alerting technologies throughout the organization."


We'll be publishing "Walling Out the Insiders: Controlling Access to Improve Organizational Security" by Michael Erbschloe in February 2017. The book is grounded in the reality that many, if not most, organizations have limited security budgets and security personnel. It

  • Explains security planning and management strategies in a manner that can be understood by security professionals as well as non-security managers and executives.
  • Provides long-term security design, implementation, and management methods to guide managers through the long process of achieving improved security.
  • Provides practical advice on how to determine security weaknesses and security needs.
  • Provides practical advice on how to select security vendors and service providers.
For more on the insider threat, read these articles:

The Insider Threat: A View from the Outside

Why Insider Threats Are Succeeding

The Top 10 Ways to Combat Insider Threats

Insider Threat Concepts and Concerns

Friday, August 26, 2016

SMBs Subject to New Fines for HIPAA Compliance Issues

August 26, 2016 - There’s a new warning from the government to small businesses. Safeguard your company, or else.

The US Health and Human Services Office for Civil Rights (OCR) said it will investigate small security breaches. Normally it investigates breaches affecting more than 500 people, but it is now also investigating breaches affecting fewer than that number.

"The news from The US Health and Human Services Office for Civil Rights should be a wake-up call to small business," said Ebba Blitz, CEO of Alertsec. "If the OCR uncovers widespread HIPAA compliance issues, that could mean small companies are at risk for new fines."

This is important because smaller companies that need encryption don't have to pay for an IT department or cumbersome software. They can get enterprise-level encryption software that would otherwise be unavailable to them. This is crucial for small businesses that are required by HIPAA to encrypt their laptops.

"According to the Ponemon Institute more than half of all data breaches emanate from a lost or stolen unencrypted laptop," Ebba said. "When we work and live with sensitive information at our fingertips this information needs to be safe. Not only is a breach damaging to patients and clients, ultimately it will affect your brand and revenue. Protecting health information will soon be an issue that will move from the IT departments to the boards."

OCR listed the factors that will spark an investigation:
• the size of the breach;
• whether theft of or improper disposal of unencrypted Protected Health Information (PHI) occurred;
• whether unwanted intrusions to IT systems (for example, by hacking) occurred;
• the amount, nature and sensitivity of the PHI involved; or
• cases where an entity has numerous breaches involving similar issues.

This makes encryption more important than ever before. If a laptop is lost or stolen (more than 1 million laptops are lost in the USA every year, according to Ponemon), the information on it can be read by whoever ends up with the device. If the computer is encrypted, it can't.

Thursday, August 11, 2016

Cyber Criminals Possibly Influencing US Presidential Election

PORTLAND, Ore. - August 11, 2016 - Tripwire today announced the results of a survey of over 220 information security professionals who attended Black Hat USA 2016 on July 30-August 4, 2016.

Tripwire's opinion-based survey assessed how cyber security issues were impacting the current U.S. presidential election. When asked if cyber criminals were influencing the outcome of the upcoming election, nearly two-thirds (sixty-three percent) of the respondents said, "yes."

The FBI is currently investigating a high-profile breach of the Democratic National Committee's computer network after its email content surfaced online. Security experts believe Russia may have orchestrated the hack to influence the outcome of the presidential election. Additionally, Andrés Sepúlveda, a political hacker connected with manipulating elections across Latin America, said he was "100 percent sure" the U.S. presidential campaign was being tampered with in a controversial March interview with Bloomberg.

"This is an unprecedented moment in both politics and information security," said Tim Erlin, director of IT security and risk strategy for Tripwire. "A foreign power possibly influencing the U.S. presidential election through electronic means is a game changer for information security professionals. While these survey results aren't surprising, they are very important. We're seeing a significant shift in the role that information security plays on the global stage. While the DNC attack is the most visible, it's not the first incident. We've been building up to this type of event for a number of years."

Additional findings from the survey included:

• Eighty-two percent of the respondents believe state-sponsored attacks on elections should be considered acts of cyber war.
• The 2016 Republican Party platform states that victims of cyber attacks should have "a self defense right" to retaliate. Just over half of the respondents (fifty-five percent) believe this policy would improve national or global cyber security.
• Only ten percent of the respondents consider nation-state attacks to be one of the top two security threats their organizations face.

"In addition to considering nation-state cyber attacks to be an act of war, respondents favor an organization's right to strike back," said Dwayne Melancon, chief technology officer and vice president of research and development for Tripwire. "These two positions have one thing in common: a high margin for error. Attribution of cyber attacks is very difficult. For example, investigations sometimes discover that attacks appearing to come from other countries actually have a command and control base in the U.S., and vice versa. If a cyber attack escalates into war or retribution, you'd better be certain of its origin."

Erlin continued, "While it's clear that the majority of respondents believe state-sponsored attacks are an act of cyber war, there's little consensus on what an appropriate response should be. It's time for the conversation to move beyond true and false to defining an appropriate cyber war response."

Tuesday, August 9, 2016

Data Theft Rising Sharply, Insider Threats Cited as Leading Cause

New Study: Data Theft Rising Sharply, Insider Threats Cited as Leading Cause

New Ponemon Institute Report Finds Most Employees Have Too Much Access, Multiplying Damage When Accounts Are Compromised

London, UK, August 9, 2016 – Three out of every four organizations have been hit by the loss or theft of important data over the past two years, a sharp increase since 2014, according to a new survey of more than 3,000 employees and IT practitioners across the U.S. and Europe. The report, released today, was conducted by the Ponemon Institute and sponsored by Varonis Systems, Inc.

The rise in data loss and theft, according to the survey, is due in large part to compromises in insider accounts that are exacerbated by far wider employee and third-party access to sensitive information than is necessary, and by the continued failure to monitor access and activity around email and file systems – where most confidential and sensitive data moves and lives. 

The survey report, “Closing Security Gaps to Protect Corporate Data: A Study of U.S. and European Organisations,” resulted from interviews conducted in April and May 2016, with 3,027 employees in the United States, United Kingdom, France, and Germany. Respondents included 1,371 end users and 1,656 IT and IT security professionals, in organizations ranging in size from dozens to tens of thousands of employees from a variety of industries including financial services, public sector, health care and life sciences, retail, industrial, and technology and software.
Among the key findings:
  • Seventy-six percent of IT practitioners say their organization experienced the loss or theft of company data over the past two years. This is a significant increase from 67 percent of IT respondents who gave the same response in the 2014 study conducted by Ponemon for Varonis.
  • IT respondents say insider negligence is more than twice as likely to cause the compromise of insider accounts as any other culprits, including external attackers, malicious employees or contractors.
  • Seventy-eight percent of IT practitioners are very concerned about ransomware, a type of malicious software that blocks access to files until a sum of money is paid. Fifteen percent of organizations have experienced ransomware, and barely half of those detected the attack in the first 24 hours.
  • Eighty-eight percent of end users say their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, or other sensitive information assets. This is sharply higher than the 76 percent recorded in the 2014 study.
  • Sixty-two percent of end users say they have access to company data they probably shouldn’t see.
  • Only 29 percent of IT respondents report that their organizations enforce a strict least-privilege model to ensure insiders have access to company data on a need-to-know basis.
  • Only 25 percent of organizations monitor all employee and third-party email and file activity, while 38 percent do not monitor any file and email activity.
  • Thirty-five percent of organizations have no searchable records of file system activity, leaving them unable to determine, among other things, which files have been encrypted by ransomware.
Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute, a leading research center dedicated to privacy, data protection and information security policy, observed, "Despite all the technology available and the spike in highly publicised attacks, data breaches continue to rise. The most valuable data featured in most breaches is unstructured data such as emails and documents. When emails and files are surfaced, they tend to cause scandal, forcing the breach to have a lasting effect on the company’s reputation. This survey raises key points as to why hackers are able to maximise impact – too many employees have too much access, beyond what they need to do their jobs. On top of this, when employees access valuable data and their activity is not tracked or audited, it becomes far too easy for an external hacker or a rogue insider to get away unnoticed.”

Yaki Faitelson, Co-Founder and CEO of Varonis, said, “Right now we’re in a technology arms race with hackers and insider threats. Unnecessarily excessive internal access combined with a lack of monitoring and auditing sets organizations up for disaster. Sony Pictures, the Panama Papers and the recent Democratic National Committee intrusions all concerned the theft of files and emails that were not protected well enough from insider threats or outside attackers that compromised insider credentials, causing major damage to those organizations and their reputations. These new findings, alongside the fallout from those breaches, should keep executives awake at night. What will be the straw that makes businesses focus their efforts on protecting their precious information assets? Varonis is helping thousands of organizations around the world address these challenges, prepare for and stop ransomware and other malicious threats that get inside and impersonate insiders.”

Thursday, July 28, 2016

Evaluating Corporate Defense through Different Lenses

An interview in Forbes with Sean Lyons, author of a new book entitled "Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program." Lyons is globally recognized as a corporate defense pioneer and thought leader. As the architect of the cross-functional discipline of corporate defense management (CDM), he is widely regarded as the foremost authority in this emerging field. With almost three decades of experience in corporate defense activities he is a firm advocate of the requirement for corporate defense to play a more prominent role in corporate strategy.

Wednesday, July 13, 2016

Fraud, Inc.

Fraud, Inc.
by Robert Capps, VP at NuData Security

July 13, 2016 - Eskenzi PR - While fraudsters are getting more sophisticated and organized, they are also growing in numbers. The relative ease with which an individual can commit credit card fraud, along with the sheer volume of cheap card account data available on the black market, makes it a highly lucrative business to be in. When combined with the number of vulnerable merchants and the lack of accountability, well, every day is Christmas day.

Here's the math:
Ease of attack +
Bountiful cheap credit card data on the black market +
More opportunity to commit fraud +
Very lucrative +
Little down side of penalties/accountability
= more people who are willing to commit the crime.

So, why is the US the king of card fraud online? It's the ubiquity of eCommerce merchants that accept credit cards for payment, coupled with a lack of preparation on the part of most eCommerce merchants to combat fraud risks, and made worse by a lack of consistent cooperation between merchants, card brands, and issuing banks in taking a holistic stand against card fraud risks.

Contrary to some reports, EMV adoption in the US is not currently driving the increase of Card Not Present (CNP) transaction fraud online, although in time it will eventually reduce CNP fraud from counterfeit cards being created and used in store.

Consumers as Unwitting Accomplices
Consumers are victims of financial/card fraud over and over, because they continue to shop at the same places and use their cards in the same ways, even after cards have been replaced, often falling victim to the same ongoing skimming and data theft attacks against a compromised retailer.

Even our own devices are sometimes complicit in the theft, with malware and other threats often resident on them, leading to immediate re-compromise after a card is replaced by a financial institution.

We've seen new account/application fraud rising due to the ubiquity of rich consumer data available on social media and via other sources, making it easier for those with malicious intent to apply for a loan or credit card in your name, or even to engineer their way into controlling your existing accounts. This puts good cards and accounts in the hands of the bad guy, allowing them more time and greater access to the credit line of a legitimate consumer, often before the crime is detected and can be mitigated. In some cases, access may persist for months before it is detected, often only because the overdue notices begin to arrive in the legitimate customer's mailbox.

Close the Door, for Good
There are solutions that protect merchants and consumers from identity and credit card fraud risks. One solution that is seeing broad adoption is based on the science of behavioral biometrics, which provides continuous, multi-factor authentication that goes beyond the typical static data matching used to identify consumers to their creditors, merchants, and banks. Behavioral biometrics accomplishes this by evaluating the entire customer behavior profile, built up over time. By providing true insight into how a customer behaves, and comparing these behaviors to other interactions by this user, it accurately identifies them in future interactions - all without adding friction to the user experience, and without opening up the legitimate user to impersonation and account takeover.

Studies like this continue to highlight what we've all been thinking for a long time, namely that true authentication demands a higher degree of scrutiny of the end user at the keyboard, not just the device in use or the static data entered into a web page.

Friday, July 1, 2016

Strengthening Security with Password Managers

July 1, 2016 -- USTelecom dailyLead -- Given the abundance of Internet-based activities focused on financial and other sensitive transactions, poor password habits place consumers in a highly vulnerable position. For the majority of Americans who admit their password habits are lacking, password managers and apps could be a game-changing tool and an important resource that protects their personal information. Creating and regularly updating complex passwords are among the top recommendations security experts suggest. Password managers allow users to remember just one password while managing several.