Thursday, January 28, 2016

Top Five Enterprise Data Privacy Mistakes

Did you know today was Data Privacy Day? I didn't either until this came in.

PORTLAND, Ore. — January 28, 2016 — Global businesses are reevaluating their data privacy programs this year as new privacy regulations targeted at businesses take effect. The European General Data Protection Regulation is a new privacy regulation with fines as high as four percent of annual global revenue for companies that fail to safeguard data of EU citizens and residents. In the U.S. 16 states recently introduced new, ACLU supported data privacy legislation. In spite of efforts to improve privacy protections many enterprises are not doing enough to protect consumer data.
“Data privacy day is a great opportunity for organizations to reevaluate their privacy program,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

1. Failure to keep only essential consumer data: Many organizations keep a lot of customer data in case they need it “someday.” While this approach may seem prudent this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.

2. Failure to encrypt customer data: While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.

3. Failure to secure access paths: Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mind set.

4. Failure to patch known vulnerabilities: Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three year old web server vulnerability that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.

5. Failure to monitor and control simple misconfigurations: More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring sever configurations for change, you have a blind spot in your security that attackers can leverage.

IoT Scale Is Outpacing Its Security – Telefonica

You knew this would happen. The pace of technological changes far outruns our ability to manage them. IoT is no different. Companies roll out new products and services and worry about securing them later. Infoworld recently ran a story about home automation horror stories. It's just the beginning. And while Scientific American debunked the Wired story of hacking a car, one has to ask, why not? These tales grab us because they strike close to home. But the industrial scale, and threats, are so much greater.

So, better late than never.

Get a handle on securing the IoT with Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations. The book brings together some of the top IoT security experts from around the world who contribute their knowledge regarding different IoT security aspects. It answers the question "How do we use efficient algorithms, models, and implementations to cover the four important aspects of IoT security; i.e., confidentiality, authentication, integrity, and availability?"

Order your copy today!

Monday, January 25, 2016

What Is the EU General Data Protection Regulation?

It has been a long time coming, but the new EU data security and privacy law, also known as the General Data Protection Regulation (GDPR), is finally close to being finalized and will likely go into effect sometime in 2017. This article includes an outline of the GDPR and why it is important for organizations to not panic over changes to the existing data rules; the current Data Protection Directive (DPD) and why the EU felt the need to change to the GDPR; some of the more important vocabulary included with the new law; and outlines of the new articles contained with the GDPR and how they will affect organizations.

Thursday, January 21, 2016

Is Your Business Winter Ready?

Here in NYC, all the TV weather forecasters are predicting the storm of the century, if not the greatest storm of all time. Some are calling it "Snowmageddon!" Oh,  my.

Have you formulated a plan to avoid grinding to a halt should your employees find themselves cut-off or the office inaccessible that includes keeping data safe? The answer could be to have adequate infrastructure in place that allows workers to securely work from home, or while stranded anywhere sensible with an internet connection. This article examines what technologies are there to help, and what security implications that need to be considered.

Wednesday, January 20, 2016

Tips for Stronger Passwords

Bill Carey, VP of Marketing for RoboForm offers these helpful tips and tricks to ensure that your password doesn’t make the annual list of the worst passwords in 2016!

1. Try the ‘First Letter’ method when creating new passwords. Take the first letter of your favorite expression, lyric, song or movie, etc., and put them together in a creative way. For example, the evolution of a password based on Frank Sinatra’s My Way may be:
  • For what is a man?  What has he got?
  • Turns into – Fwiam?Whhg?
  • It has capital letters, lowercase letters, symbols and is 11 characters long.  Pretty strong…

2. Passwords are the first line of defense for most business networks, but too many managers and employees continue to use easily hackable passwords containing names, birthdays, titles and other information hackers can find online in seconds. Instead, require employees to use passwords that contain both upper and lowercase letters, symbols and numbers. That makes it much more difficult for hackers to gain access. 

3. Change passwords every 30-60 days and use a different password for each site: Keeping the same password long-term is dangerous, and using a single password for multiple sites is just asking for trouble: In that scenario, all a hacker would have to do to gain access to sensitive data stored on numerous sites would be to crack a single password. Change passwords at least every 60 days and use a unique one for each secure site. 

Tuesday, January 19, 2016

5 Steps to Securing Data Workflows in Your Organization

With all organizations having data flowing constantly into and out of them, the risk of malware infecting the system is greatly increased. To protect against these threats, most organizations have anti-malware solutions implemented at the different entry points, including email, web and portable media, in an attempt to stop malware from entering the organization's network. But is this the most effective way to stop malware? This article highlights why implementing a secure data workflow is more beneficial to organizations than single solutions at different entry points; the five steps organizations need to take to implement a secure data workflow; and how the use of multiple anti-malware engines can assist an organizations secure data workflow even further.

Wednesday, January 13, 2016

Internet Explorer End-of-Life Security Tips

PORTLAND, Ore.--(BUSINESS WIRE)--Beginning on Tuesday, January 12, 2016, Microsoft will no longer support Internet Explorer (IE) 8, 9 and 10. Users of IE 11 will continue to receive technical support and security updates, leaving users of legacy versions of IE more vulnerable to malware. According to Computerworld, only 55 percent of IE users – more than 340 million people – are using the latest version of the browser.

“It is safe to assume that cybercriminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analyzing future IE 11 updates,” said Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT). “Using Tripwire’s VERT vulnerability database, rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions.”

Tripwire security experts offer the following advice for organizations that cannot switch to IE 11 by the cutoff date:

• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.

• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.

• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Thursday, January 7, 2016

Black Energy Attack on Ukrainian Power Grid

Federal agencies in the US are looking into the Black Energy malware and possible state sponsored hackers that took down the Ukrainian power grid just before Christmas. About 700,000 were affected for several hours. If this proves out, it will be the first documented case of an attack that actually interrupted service and is a grave concern for governments around the world.

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire says, “Industry experts have been talking about how cyber attacks could directly affect the power grid for a long time, so it shouldn’t be a surprise that it’s now actually occurred. Discussing a threat doesn’t count as mitigation. Energy companies need to invest in securing their infrastructure, from control systems to corporate IT. Investment isn’t just about buying products. It’s about people, skills and process. Purchasing the latest security device is easy compared to training security staff effectively.

"All malware, including BlackEnergy, requires an infection vector to get to its target. Attackers will almost always take the path of least resistance. Today, that means published vulnerabilities, misconfigurations and phishing scams. These are all security issues that we can address, with sufficient resources.
"It’s myopic to think of this threat as an ‘energy sector’ problem. Any industry that relies on industrial control systems is at risk. Any industry where networked devices cause physical change in the world is a target for these kinetic cyber attacks.”

Tuesday, January 5, 2016

What Santa Didn't Bring Me

I was a little disappointed on Christmas morning when I discovered that Santa didn't leave any manuscripts of the following topics:

threat hunting
moving target security
insider threats
security kill chain
physical security and the IT department
security operations
synchronized security
security awareness
data loss prevention

It's still not to late to bring some Christmas joy to a boy's heart. If you or a friend or a colleague have any interest in writing a book in 2016 on these or some related topics, please let me know.

Best wishes for 2016.


Monday, January 4, 2016

Is Machine Learning Cybersecurity's Latest Pipe Dream?

A recurring claim at security conferences is that "security is a big data, machine learning (ML), and artificial intelligence (AI) problem." This is unfortunately wildly optimistic, and wrong in general. As this article explains, while certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organizations is not one of them.