Wednesday, December 30, 2015

User Behavior Based Biometrics: The New Frontier

Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. As this article explains, the next great leap in digital security isn't based on a device or a password, but on the user themselves--User Behavior Based Biometrics.

Wednesday, December 23, 2015

A Look Back at SCADA Security in 2015

It should come as no surprise that SCADA systems and ICS that control key functions in critical infrastructure are especially at risk of cyber attack. This article reviews the current state of SCADA security; presents a 2015 timeline that highlights the growing risk of SCADA attacks; and discusses technologies you can use to bolster the security of SCADA and ICS systems.

Thursday, December 17, 2015

Cybersecurity Predictions 2016: Luck or Leadership?

By Simon Crosby, Co-founder & CTO, Bromium

In the blink of an eye, 2015 is almost over. When looking back at it and what it meant for the cybersecurity industry, this year has been predictably busy. We saw large acquisitions, including those of EMC by Dell and Websense by Raytheon, while companies such as Rapid7 and Sophos went public. Large funding rounds were a near weekly occurrence, and as a result the sector raised more than $2.3 billion within the first nine months.

Cybersecurity spending increased sharply and by the end of the year should finish at around US$80 billion, according to Gartner’s estimates. While the U.S. House and Senate continued to debate cybersecurity legislation, US government agencies amassed a whopping security budget of $12.5 billion, collectively.

There were unforgettable breaches -- like TalkTalk, Hilton, and Carphone Warehouse, although the sexiest headlines went to the Ashley Madison breach. There also were countless daily reports of breaches due to “sophisticated attacks” and resulting losses from companies whose infrastructure -- despite all the spending -- remained woefully vulnerable. Even United States President Barack Obama stepped into the fray, cementing an agreement with China in the hope of limiting the scope of nation-state hacking. Good luck with that!

Looking back, it’s painfully clear that while we may not have known then the names and faces of the victims, or the numbers behind the M&A, funding, budget and breach news, most of this was predictable in 2014. So will next year be any different, or are we doomed to repeat the past, yet again?

Unfortunately in most respects, 2016 won’t change much: users will still unknowingly click on malicious links; IT departments will still be bad at staying up to date with patching; the bad guys will continue to attack; and the tide of misery from breaches will persist. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organization to the high ground based on a well-considered, security-first strategy.

It is important to remember that, despite their claims, most security vendors cannot help you. Within the market we see too many “me too” vendors, whose main focus is on the staple of detection. Within the endpoint security sector alone, over 40 vendors are bringing to market a feature set that Gartner terms “EDR,” or endpoint detection and response. The sole goal of this is to help find a breach in progress -- provided you know what to look for in the first place. Despite vendor claims, detection can’t protect you, and it isn’t advancing much, even when disguised as artificial intelligence (AI). In a world of adaptive, intelligent attackers, even the best AI technologies have a tendency to make masses of mistakes. In fact, Ponemon estimates that a typical large enterprise spends up to 395 hours per week processing false alerts -- approximately $1.27 million per year.

Of course, security (still) won’t be solved inside the Beltway. Year after year, public sector companies hang their hats on the hope that cybersecurity legislation will somehow do the trick. This year was no different. You may recall that CISA and the Wassenaar Agreement both sparked industry-wide debates around data security, civil liberties, privacy and exploit controls. There is no doubt that security is a serious issue and a hard problem to solve, but it’s one that is not going to be solved by governments. Much like healthcare, security is a systemic problem that requires more than a band-aid or firewall to fix. Security legislation will require government collaboration that it is simply unrealistic to expect at this current time.

It is also important to remember that the same vendors that promise to secure you still won’t be held accountable for breaches. PwC predicts that the cyber insurance market will triple in the next five years. While insurance will do little for the peace of mind or job stability of CISOs whose companies experience a breach, it will hopefully force organizations to take a long, hard look at the cost of their continued insecurity. It’s time for you to force your vendors to be accountable instead. If a vendor claims to secure your network, force them to accept liability if your organization is breached. Pay your endpoint security vendors based on the value they deliver. Free is a good option when regulations demand the functionality but the vendors fail to protect you. Force your vendors to put their money behind their marketing messages. Greater accountability means greater drive for cybersecurity technologies that do what they claim to do and actually help to mitigate threats.

My Recommendation: Instead of relying on post-hoc analysis in the hope of spotting a breach, your focus in 2016 should be on adopting solutions that make your infrastructure more secure by design, to prevent a breach before it starts. Move to the cloud. Adopt micro-segmentation and micro-virtualization. And upgrade to the latest operating systems.

I don’t think we’ll see an end to data breaches in the near future, but if organizations stop relying on faith in marketing claims and government, stop being complacent, and start questioning the status quo and demanding answers and accountability from vendors, we’ll be able to see many of the breach news headlines disappear.

Wednesday, December 16, 2015

Predicting the Cyber Security Future in 2016

Predicting the future is a fun year-end activity.

This article by Lancope CTO TK Keanini provides a brief retrospective on 2015, including the biggest patterns seen from within the cyber security industry; highlights the biggest trends to expect in 2016, from cracking as a service to DNA breaches; and discusses how these trends will impact businesses and individuals alike and have long-reaching implications.

Tuesday, December 15, 2015

Protecting the Oil and Gas Industry from Email Threats

According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector is facing a significant rise in cyber attacks. The high volume of business communications conducted via email within this industry gives hackers quite the window of opportunity to intercept sensitive information through the use of spear phishing. This article by OPSWAT's Doug Rangi describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost its cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.

Friday, December 11, 2015

7 Largest Data Breaches of 2015

10Fold Reveals Seven Largest Data Breaches of 2015
Close to 200 Million Personal Records Breached Around the World

SAN FRANCISCO, CALIF. (Dec. 11, 2015) — 10Fold, a full-service B2B technology public relations agency, today announced that more than 193.4 million personal records are vulnerable to identity theft and fraud attributed to the top data breaches of 2015. In its year-in-review, 10Fold analyzed 720 data breaches that occurred throughout the year and highlighted seven of the largest.

"As the research 10Fold has conducted clearly shows, security never sleeps. Each of the top seven data breaches compromised more than 5 million records, indicating that attackers are becoming stealthier, are employing more sophisticated techniques and are going after bigger and more lucrative targets," said Angela Griffo, vice president of the security practice at 10Fold. "What's more, our research indicates that cyber criminals are increasingly going after targets in the medical and healthcare verticals, which store valuable patient data that can't be reissued like a credit card. Looking at the top breaches at year's end allows us to detect patterns while also giving us a glimpse of what we can expect to see in the future."

News reports about the seven largest data breaches, which are listed below, indicated that each of the attacks affected more than five million users. 10Fold selected these data breaches based on independent research and review of third-party resources such as ID Theft Resource Center and Information Is Beautiful.

Largest Insider Breaches of 2015

1. Excellus BlueCross BlueShield: Excellus BlueCross BlueShield announced that it was the victim of a sophisticated attack after hackers gained access to its information technology systems dating as far back as December 2013. This attack followed a series of healthcare hacks that had started at the beginning of the year. The Excellus hack in particular compromised the personal identifiable information of more than 10 million members, making this the third-largest healthcare breach in 2015. The exposed information, which includes names, birth dates, Social Security numbers, member identification numbers, financial account information and claims information, leaves members vulnerable to fraud and identity theft.

2. Premera Blue Cross: One month after the breach at Anthem Blue Cross, Premera Blue Cross released a statement saying it had experienced a cyber attack affecting up to 11 million members. The hack was discovered by the organization on January 29 of this year, although the initial attack dates back to May 2014. Premera's investigation team determined that attackers infiltrated the organization's information technology system, which allowed them to access applicants' and members' personal information, such as names, birth dates, Social Security numbers, member identification numbers and bank account information. Affected customers included employees of Microsoft, Starbucks and Amazon.

3. VTech: VTech was hit by the first data breach to ever directly target children; an unauthorized party accessed customer data through the Learning Lodge app store customer database and Kid Connect servers on November 14. According to the company, the attack affected 6.4 million children and 4.9 million customer (parent) accounts worldwide, exposing personally identifying information such as names, passwords, IP addresses, download history, and children's gender and birth dates.

4. Experian/T-Mobile: Experian North America stated that attackers breached a server in one of its business units that contained personally identifiable information for approximately 15 million T-Mobile customers. The data included names, birth dates, addresses and Social Security numbers or an alternative form of ID, such as driver's license numbers. The breach occurred, in part, because T-Mobile shared customer information with Experian to process required credit checks for service or device financing. Breaches such as these underscore that when customers share their information with a business, their personal data isn’t always kept private.

5. OPM: The Federal Office of Personnel Management announced that a cyber attack compromised the records of more than 21.5 million citizens, enabling attackers to gain access to highly personal information contained on background investigation applications. Altogether, the attack affected 19.7 million individuals who applied for security clearances, 1.8 million relatives and other government personnel associates, and 3.6 million current and former government employees. What's more, the stolen data also included 5.6 million fingerprint records belonging to the background-check applicants. According to news reports, the breach caused U.S. intelligence and law enforcement officials to be concerned about the theft of data on government forms submitted for security clearances. And with good reason — these applicants share detailed information about themselves, including mental-health history and previous relationships. Hackers that gain access to the identity and fingerprints of employees with existing security clearances can cause serious and irreparable damage to users' privacy.

6. Ashley Madison: The hacker group identified as The Impact Team claimed to have accessed Ashley Madison’s user database, financial records and other proprietary information, including the personal data of 37 million users. A manifesto written by The Impact Team disclosed that the "full delete" feature on Ashley Madison was a lie — that the company did not scrub the personally identifiable information of customers who opted to have their profile and history deleted, but instead kept their payment information and purchase details, which hold identifiable information. The manifesto also instructed Avid Life Media (ALM), the parent company of Ashley Madison, to permanently delete the forums of Ashley Madison or they would release all customer information. ALM opted to keep the site running and consequently, The Impact Team released the customer records two months later.

7. Anthem: The largest healthcare data breach in history occurred at the beginning of 2015. Anthem announced in February that it was the victim of a data breach that resulted in the theft of approximately 78.8 million highly sensitive patient records. By the end of the month, Anthem disclosed that the breach likely impacted an additional 8.8 to 18.8 million non-patient records that included names, birth dates, Social Security numbers, addresses and employment data. The attack on Anthem was the beginning of a series of healthcare hacks this year, including assaults on Premera Blue Cross, CareFirst BlueCross BlueShield, UCLA Health Systems and Excellus BlueCross BlueShield.

Wednesday, December 9, 2015

Changing Human Behavior Is the Key to Thwarting Cyber Threats in 2016

London (UK) - 08 December 2016 - PhishMe today offered three predictions for the threats it believes UK organizations will battle in 2016:

1. Phishers Will Continue to Divide and Conquer

Phishing has been the number one attack vector for over five years and 2016 will be no different.

Rohyt Belani, CEO of PhishMe explains his thinking, "We, as an industry, have lagged in engaging employees to be a part of the organization’s security posture. For decades, enterprises have focused on traditional security awareness techniques like computer-based training (CBT) that simply don't work; they have no sustained impact on behavioral change. At PhishMe, we have succeeded in helping our customers engage their employee base by turning them into informants of suspicious emails, providing such employees with the necessary tools to report the same in a frictionless manner, and then most importantly in providing the incident response teams at these organizations a solution to rapidly triage these reports and operationalize the attack intelligence obtained. The human is no longer the weakest link for our customers; they are the strongest asset."

2. Focus Will Move Back to Prevention of Breaches, Rather than Detection after the Fact

While prevention of individual infections is almost impossible, preventing the breach of confidential and proprietary data as a result is paramount.

"The industry gave up. They surrendered and turned to post-breach detection and mitigation because the hackers were winning," explains Scott Greaux, VP Product Management at PhishMe, "With average time to detection still over 200 days this approach hasn't worked either and I think in 2016 we will see the focus shift again. System infections will occur, and at the moment there's no silver bullet to change this, but we need to prevent these infections from translating to large data breaches. That means conditioned email users will play a key role, providing the timely and actionable threat intelligence thus minimizing attacker dwell times, that will help prevent breaches in 2016."

3. All Forms of Trust Will be Abused

It seems that criminals listen to the advice given to people about cybercrime and turn it around in a bid to thwart defenses. The traditional wisdom was 'don't click links or open attachments from untrusted sources.' In 2015, the increase in attacks targeting email is primarily about abusing those trust relationships. In 2016, other forms of trust are going to be under attack. Passwords stored in browsers, especially on mobile devices and 'Bring Your Own Device' phones and tablets, will be a big target.

The advice from Gary Warner, Chief Threat Scientist at PhishMe is that, "This year we need to be encouraging the adoption of two factor authentication and 'unknown device' alerting as never before – including on internal systems. In another area of trust, a malware compromised workstation logs in to the corporate systems with the same power as an authorized user. Big data breaches are largely enabled by the concept that certain users should be allowed to 'See Everything' and this must be reeled back to 'see only some things' or 'see anything,' but only at reasonable volumes."

With increased reporting of suspicious activity, advances in threat analysis to enable better campaign identification, and raising the shield by challenging all of the 'trust' assumptions made, organizations can make 2016 a safer year.

Monday, December 7, 2015

Top 5 Predictions for Online Fraud in 2016

As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you are a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends you're likely to encounter in 2016.

Thursday, December 3, 2015

U.S. Presidential Campaign Will be Affected by a Cyber Attack, and Other 2016 Predictions

It's the time of the year for predictions of how bad the security environment will be for the coming year. Here are predictions from David Gibson, VP of strategy and market development at Varonis. By the way, focusing on end-user education and monitoring is long overdue. I don't think it's hyperbole to say, "Insiders are the new malware."

1. The U.S. Presidential campaign will be affected by a cyber attack.
Hillary Clinton's private email server has already brought cybersecurity into the U.S. Presidential race. In 2016, a cyberattack will strike the campaign, causing a major data breach that will expose donors' personal identities, credit card numbers, and previously private political preferences. Imagine being a donor with an assumption of anonymity. Or a candidate whose “ground game” depends on big data analytics about voter demographics and factors affecting turnout – data that turns from an asset to a liability if it isn't protected. The breach will affect the campaign not only as a setback for the unfortunate candidate or party affected, but by bringing the issue of cybersecurity prominently into the campaign as a major issue that is closely related to geopolitical threats such as the spread of terrorism. Campaign data is a gold mine for hackers (donor lists, strategies, demographics, sentiment, opposition research), and an event like this will serve as another wake-up call to the U.S. government that cybersecurity needs to be a continual, central focus and investment at the highest levels. The candidate who demonstrates knowledge and command of cybersecurity threats and government readiness will win the election.

2. The frequency of public data breaches will increase substantially.
The Identity Theft Resource Center (ITRC) reports a total of 641 data breaches recorded publicly in 2015 through November 3. Most organizations know this number represents the tip of the iceberg. The frequency of known data breaches will increase in 2016, due not only to increasing privacy and breach disclosure laws but also the increasing failure of traditional perimeter-focused security investments to protect valuable data. Employees' use of mobile devices and companies' migration of IT workloads to the cloud will also contribute to a sharp rise in breaches. Over time, this should help to shift priorities toward investing in more proactive data-centric protection, but it's likely things will become worse before they get better.

3. End-user education and monitoring will become the focal point of data security efforts.
Insiders are the new malware. Executives and IT professionals are becoming as afraid of their own employees – as innocent vessels for outside attackers with dangerous levels of access to sensitive data – as they are of outside attackers. Companies will turn to the importance of end-user education in 2016 as they realize that, no matter how intensely they invest in security, they hit a dead end if their users don’t drive by the rules of the road. They need to be involved in the security processes, observe classification and disposition policies (that need to be defined) and know to stop clicking on phishing emails. Employees are crucial to the security process, and have more power in controlling it than they realize. You can't patch users but you can educate them. You can also monitor and analyze how they use data to spot unwanted attacks.

4. At least five more C-level executives will be fired because of a data breach.
In recent years we have seen the careers of several top executives suffer in the wake of cyber attacks. Target CEO Gregg Steinhafel and CIO Beth Jacob, U.S. Office of Personnel Management Director Katherine Archuleta, Sony Pictures' Amy Pascal and others were either fired or forced to resign after massive data leaks cost their organizations money, customers and credibility. This will accelerate in 2016. Blame for data breaches is shifting from IT to the C-suite. Data impacts every facet of an organization. If management is not investing in and focusing heavily on securing data and its use, it is now understood that they are putting the entire company and its stakeholders at risk.

5. Increasing false positives in data security bring to light the need for limited, accurate information.
Organizations will get much more serious about how much data they collect and their deletion efforts. When Target suffered its massive breach during the 2013 holiday season, the alerting capabilities of its IT team had generated months of warnings. Still, no one caught it. This remains a common problem today. Why? The plethora of security tools installed in most companies overwhelms IT security. Their teams are strapped, and the volume of false positives generated by exponentially growing amounts of information causes these teams to miss crucial vulnerabilities. In 2016, smart IT teams will focus on signal-to-noise ratio improvements in the analysis and alerting solutions they deploy.