Tuesday, September 19, 2017

GDPR: The Pandora’s Box Is Open for Enterprise Websites

According to this article in Website Magazine, 

"Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union's General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements--customer, partner and employee--held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora's box, there's a slew of GDPR-driven evil emitting from your digital properties."

Here are some books by Paul Lambert that focus on the EU's General Data Protection Regulation:

The Data Protection Officer: Profession, Rules, and Role

Understanding the New European Data Protection Rules

Monday, September 18, 2017

What Businesses Need to Know in the Wake of the Equifax Breach

By Jason Tan, CEO of Sift Science

Online businesses everywhere are going to be dealing with the effects of the recent Equifax breach. It’s a tough truth to swallow, but these large-scale data breaches have become a fact of life – and it’s not just the breached business that pays the price. As fraudsters mine the valuable data that’s been compromised, all e-commerce sites and financial institutions need to be on alert.

Keep an eye out for signs of account takeover.

Last year, 48% of online businesses saw an increase in account takeover (ATO), according to the Sift Science Fraud-Fighting Trends report. And the Equifax breach is likely to exacerbate this trend, potentially flooding the dark web with names, addresses, Social Security numbers, and other personal information that fraudsters can leverage to gain access to a legitimate user’s account. They then make purchases with a stored payment method or drain value from the user’s account.

Some of the signals that could point to an ATO:

  • Login attempts from different devices and locations
  • Switching to older browsers and operating systems
  • Buying more than usual, or higher priced items
  • Changing settings, shipping address, or passwords
  • Multiple failed login attempts
  • Suspicious device configurations, like proxy or VPN setups

Keep in mind that taken individually, each of these signs may be normal behavior for a particular user. It’s only when you apply behavioral analysis on a large scale, looking at all of a user’s activity and all activity of users across the network, that you can accurately detect ATO.
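The following is an added example, not part of Jason Tan's article or any Sift Science product: a small Python scorer that evaluates the signals listed above over a constructed login log. The event fields, weights and threshold are assumptions chosen for the illustration. Each signal on its own stays below the threshold; the session that combines several of them, plus one cross-account signal (a device that logs into more than one account), is the one that trips.

```python
"""Added example: score login sessions for account-takeover (ATO) signals.
A user's baseline comes from that user's own earlier successful logins; one
signal (a device shared by several accounts) comes from the whole population.
Weights, threshold and the event schema are assumptions for this illustration.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "user ts device country browser ok proxy amount changed")

# Constructed sample log (not real data). One row per login attempt: `browser`
# is a major version number, `amount` the order value placed in that session,
# and `changed` a comma-separated list of account settings edited.
EVENTS = [Event(*row) for row in [
    ("alice", 1, "dev-a1", "US", 60, True,  False,  40, ""),
    ("alice", 2, "dev-a1", "US", 61, True,  False,  55, ""),
    ("alice", 3, "dev-a1", "US", 61, True,  False,  30, ""),
    ("bob",   4, "dev-b1", "DE", 59, True,  False,  20, ""),
    ("bob",   5, "dev-b1", "DE", 60, True,  False,  25, "shipping"),
    # unknown device and country, old browser, two failures through a proxy,
    # then a password and shipping change and an unusually large order
    ("alice", 6, "dev-x9", "RO", 45, False, True,    0, ""),
    ("alice", 7, "dev-x9", "RO", 45, False, True,    0, ""),
    ("alice", 8, "dev-x9", "RO", 45, True,  True,  900, "password,shipping"),
    # the same device then logs into a second account
    ("carol", 9, "dev-x9", "RO", 45, True,  True,  600, "shipping"),
]]

WEIGHTS = {
    "new_device": 2, "new_country": 2, "older_browser": 1, "repeated_failures": 2,
    "proxy_or_vpn": 1, "password_change": 2, "shipping_change": 1,
    "unusual_spend": 2, "device_shared_across_accounts": 3,
}


def build_profile(history):
    """Baseline from a user's earlier successful logins (empty for a new user)."""
    ok = [e for e in history if e.ok]
    amounts = [e.amount for e in ok if e.amount]
    return {"devices": {e.device for e in ok},
            "countries": {e.country for e in ok},
            "newest_browser": max((e.browser for e in ok), default=0),
            "mean_spend": sum(amounts) / len(amounts) if amounts else 0.0}


def split_sessions(events):
    """Group consecutive attempts by the same user from the same device."""
    sessions, current = [], []
    for e in sorted(events, key=lambda e: e.ts):
        if current and (e.user, e.device) != (current[0].user, current[0].device):
            sessions.append(current)
            current = []
        current.append(e)
    return sessions + [current] if current else sessions


def session_signals(session, profile, device_owners):
    first, reasons = session[0], []
    if profile["devices"] and first.device not in profile["devices"]:
        reasons.append("new_device")
    if profile["countries"] and first.country not in profile["countries"]:
        reasons.append("new_country")
    if profile["newest_browser"] and first.browser < profile["newest_browser"] - 5:
        reasons.append("older_browser")
    if sum(1 for e in session if not e.ok) >= 2:
        reasons.append("repeated_failures")
    if any(e.proxy for e in session):
        reasons.append("proxy_or_vpn")
    changes = {c for e in session for c in e.changed.split(",") if c}
    if "password" in changes:
        reasons.append("password_change")
    if "shipping" in changes:
        reasons.append("shipping_change")
    if profile["mean_spend"] and max(e.amount for e in session) > 3 * profile["mean_spend"]:
        reasons.append("unusual_spend")
    if len(device_owners[first.device]) >= 2:
        reasons.append("device_shared_across_accounts")
    return reasons


def score_sessions(events, threshold=6):
    """One dict per session: score, contributing signals, flagged or not."""
    device_owners = defaultdict(set)  # population-wide view, not a per-user one
    for e in events:
        device_owners[e.device].add(e.user)
    results = []
    for session in split_sessions(events):
        first = session[0]
        history = [e for e in events if e.user == first.user and e.ts < first.ts]
        reasons = session_signals(session, build_profile(history), device_owners)
        score = sum(WEIGHTS[r] for r in reasons)
        results.append({"user": first.user, "device": first.device, "score": score,
                        "reasons": reasons, "flagged": score >= threshold})
    return results


if __name__ == "__main__":
    for s in score_sessions(EVENTS):
        print(s)
```

Bob's shipping-address change alone scores 1 and is left alone; Alice's session from dev-x9 accumulates nine signals and scores 16. Carol's session scores 5 (below the threshold) but carries the cross-account signal, which is the kind of case to route to review rather than block. In a streaming system the device-owner map would only know the accounts seen on that device so far; here it is built over the whole constructed log for simplicity.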

Monitor for fake accounts and synthetic identity fraud.

Fraudsters can also take all of the different pieces of personal data leaked in the Equifax breach to steal someone’s identity and create new accounts. They may also pick and choose pieces from various people’s accounts – like a birthday, Social Security number, and name – and mix them together to create an entirely new ID.

To keep tabs on fake accounts, you can monitor new signups for risky patterns, like a sudden spike in new accounts that can’t be attributed to a specific promotion or seasonal trend. If the average time it takes a new user to complete signup suddenly drops sharply, that may point to fraudsters using a script to create accounts. And multiple new accounts coming from the same IP address or device is a red flag for a single person creating many accounts.
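As an added example (again not from the article or from Sift Science), the Python below runs the three signup checks just described over a constructed signup log: an hourly spike against the trailing baseline, form completion far faster than the median of earlier hours, and many accounts from one address or device fingerprint. The signup fields, the documentation-range addresses and the thresholds are assumptions for the illustration.

```python
"""Added example: flag fake-account signup patterns in a constructed signup log.
Thresholds (spike factor, speed ratio, accounts per source) are assumptions.
"""
from collections import Counter, namedtuple
from statistics import mean, median

Signup = namedtuple("Signup", "ts ip device form_seconds")

# Constructed data: two organic signups an hour for hours 0-3, each from its own
# address, taking 60-105 s to complete the form ...
SIGNUPS = [Signup(h * 3600 + i * 1500, f"198.51.100.{10 + 2 * h + i}",
                  f"dev-o{2 * h + i}", 60 + 15 * i + 10 * h)
           for h in range(4) for i in range(2)]
# ... then hour 4: three organic signups plus nine scripted ones from a single
# address, cycling through three device fingerprints, each finishing in 3 s.
SIGNUPS += [Signup(4 * 3600 + i * 900, f"198.51.100.{20 + i}", f"dev-o{20 + i}", 80 + 10 * i)
            for i in range(3)]
SIGNUPS += [Signup(4 * 3600 + 100 + i * 30, "203.0.113.7", f"dev-s{i % 3}", 3)
            for i in range(9)]


def hour_of(signup):
    return signup.ts // 3600


def spike_hours(signups, factor=4.0, min_history=3):
    """Hours whose signup count exceeds `factor` times the mean of all earlier hours."""
    counts = Counter(hour_of(s) for s in signups)
    hours = range(min(counts), max(counts) + 1)
    flagged = []
    for h in hours:
        history = [counts.get(p, 0) for p in hours if p < h]
        if len(history) >= min_history and counts.get(h, 0) > factor * mean(history):
            flagged.append(h)
    return flagged


def fast_signups(signups, speed_ratio=10):
    """Signups finished in under 1/speed_ratio of the median time of earlier hours.
    Only earlier hours feed the baseline, so a scripted burst cannot drag it down."""
    flagged = []
    for s in signups:
        earlier = [o.form_seconds for o in signups if hour_of(o) < hour_of(s)]
        if earlier and s.form_seconds < median(earlier) / speed_ratio:
            flagged.append(s)
    return flagged


def clustered_sources(signups, max_per_source=3):
    """Addresses and devices that opened at least `max_per_source` accounts."""
    ips = Counter(s.ip for s in signups)
    devices = Counter(s.device for s in signups)
    return ({ip: n for ip, n in ips.items() if n >= max_per_source},
            {dev: n for dev, n in devices.items() if n >= max_per_source})


def audit_signups(signups):
    ips, devices = clustered_sources(signups)
    return {"spike_hours": spike_hours(signups), "fast_signups": fast_signups(signups),
            "clustered_ips": ips, "clustered_devices": devices}


if __name__ == "__main__":
    report = audit_signups(SIGNUPS)
    print("spike hours:", report["spike_hours"])
    print("fast signups:", len(report["fast_signups"]))
    print("clustered:", report["clustered_ips"], report["clustered_devices"])
```

On this data hour 4 is the only spike (12 signups against a baseline of 2 an hour), the nine 3-second signups are the only fast ones, and 203.0.113.7 plus the three recycled device fingerprints are the clustered sources. A single check would be noisy on its own (a promotion also produces a spike); all three agreeing on the same hour and the same source is what makes the call.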

Stay focused on maintaining user trust.

Even if a breach doesn’t happen on your site, any downstream fraud attacks still happen on your watch. If you don’t invest in protecting your users from the devastating effects of ATO, identity theft, and fraud, you will soon lose their trust. Trust is earned in drops, but lost in buckets.

At the same time, e-commerce businesses and financial institutions should make sure they aren’t overly cautious to the point where they’re rejecting good customers and denying legitimate accounts. Preventing fraud is a delicate balancing act, and the right technology – which looks at a range of data points to make an accurate prediction about what is and isn’t fraudulent – can help you strike the right balance.

About the Author:
Jason Tan is the CEO of Sift Science, a trust platform that offers a full suite of fraud and abuse prevention products designed to attack every vector of online fraud for industries and businesses across the world.

Monday, September 11, 2017

Information Security: The Dismal Discipline?

Read this chapter from Why CISOs Fail: The Missing Link in Security Management--and How to Fix It and understand why the author likes to call information security the "dismal discipline," and why this perception needs to change.

Thursday, August 31, 2017

Universities Still Struggle to Provide Cybersecurity Education

The latest Global Information Security Workforce Study paints a grim picture, predicting that in five years the number of unfilled cybersecurity jobs will rise to 1.8 million worldwide. The main reasons are a lack of qualified personnel who can fill these roles and a lack of universities providing cybersecurity education.

Monday, August 28, 2017

Chipping People: Are You Ready?

Shelly Palmer notes that "Proponents of the technology tout its convenience and the idea that you never have to remember your wallet or a password, ever again. While they are technically correct, chipping people invokes a train of thought that quickly descends to the darkest of places."

Would you voluntarily submit to this? What if chipping was a term of employment?

There's a link to a survey at the end of the article. Although it's not my survey, I'm interested in the results.

Wednesday, August 16, 2017

New Research on "Pulse Wave" DDoS Attacks

New findings from Imperva Incapsula researchers, published today as Attackers Use DDoS Pulses to Pin Down Multiple Targets, detail the emergence of a new assault pattern, which they’ve named Pulse Wave.

According to lead researcher Igal Zeifman, “Pulse Wave DDoS represents a new attack methodology, made up of a series of short-lived pulses occurring in clockwork-like succession, which accounts for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 Gbps.”

The size of these attacks, and the skill they exhibit, suggest they are the handiwork of practiced bad actors who portion their attack resources to launch simultaneous assaults; that is, the intervals between pulses are being used to attack a secondary target.

This new approach shows that some offenders have grown to understand that it is not necessary to hit a target continuously to take it offline; rather, repeated short bursts are enough to disrupt routers and servers, producing the same effect. By the time the systems have recovered from the first burst, or pulse, the hackers hit them again. In this way, they can double their resource utilization and pin down several targets.

The existence of such capabilities spells bad news for everyone, as they enable bad actors to greatly increase their attack output. The pulse-like nature of these attacks is especially harmful for appliance-first mitigation solutions, since it can cut down the communication between their two components and prevent effective failover from the appliance to the cloud. Specifically, the attacks can delay the time it takes for the cloud component of the mitigation solution to kick in, which increases the likelihood of the target going down and being forced into a prolonged recovery process. Moreover, pulse wave assaults can block the transfer of data collected in the early attack stages from the appliance to the cloud, further harming its responsiveness.

As the research points out, while Pulse Wave attacks constitute a new attack method and have a distinct purpose, they haven’t emerged in a vacuum. Instead, they’re a product of the times and should be viewed in the context of a broader shift toward shorter-duration DDoS attacks. Multiple industry reports, including the Imperva Incapsula quarterly DDoS Threat Landscape report, point to an increased number of short-lived DDoS events over the past year. As a result, the majority of all DDoS attacks today, at both the network and application layers, consistently last less than one hour. Moreover, the percentage of such short-burst attacks is growing each quarter.
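As an added example (not from the Imperva Incapsula paper), the Python below builds two constructed per-second traffic series, a sustained flood and a Pulse Wave-shaped series of ten-second bursts every thirty seconds, classifies each from the shape of its bursts, and compares two mitigation triggers on them. A trigger that waits for N consecutive seconds above threshold, the "make sure it is really an attack" rule that delays a failover, never fires on the pulsed series; a windowed count of over-threshold seconds fires at the same moment on both. The burst length, period, thresholds and Gbps values are assumptions for the illustration.

```python
"""Added example: tell a Pulse Wave pattern from a sustained flood in a
per-second traffic series, and compare two mitigation triggers on it.
All values are constructed: a 120 s window, 300 Gbps bursts, 2 Gbps baseline.
"""

BASELINE_GBPS = 2.0


def pulse_wave_series(length=120, burst=10, period=30, peak=300.0):
    """Ten-second bursts every thirty seconds; in the gaps the same botnet
    would be hitting a second target."""
    return [peak if t % period < burst else BASELINE_GBPS for t in range(length)]


def sustained_series(length=120, start=20, peak=300.0):
    return [peak if t >= start else BASELINE_GBPS for t in range(length)]


PULSE_WAVE = pulse_wave_series()
SUSTAINED = sustained_series()


def find_bursts(samples, threshold):
    """Inclusive (start, end) index pairs of runs above `threshold`."""
    bursts, start = [], None
    for i, v in enumerate(samples):
        if v > threshold and start is None:
            start = i
        elif v <= threshold and start is not None:
            bursts.append((start, i - 1))
            start = None
    if start is not None:
        bursts.append((start, len(samples) - 1))
    return bursts


def classify(bursts, max_burst=60, min_bursts=3, max_gap_ratio=1.5):
    """'pulse_wave' means several short bursts at a regular cadence."""
    if not bursts:
        return "none"
    lengths = [end - start + 1 for start, end in bursts]
    if len(bursts) < min_bursts:
        return "sustained" if max(lengths) > max_burst else "single_burst"
    gaps = [bursts[i + 1][0] - bursts[i][1] - 1 for i in range(len(bursts) - 1)]
    regular = max(gaps) <= max_gap_ratio * min(gaps)
    return "pulse_wave" if max(lengths) <= max_burst and regular else "irregular_bursts"


def consecutive_trigger(samples, threshold, k):
    """Index at which `k` consecutive over-threshold seconds first occur, else
    None. This is the naive 'wait until it is clearly an attack' rule."""
    run = 0
    for i, v in enumerate(samples):
        run = run + 1 if v > threshold else 0
        if run >= k:
            return i
    return None


def windowed_trigger(samples, threshold, window, min_above):
    """Index at which at least `min_above` of the last `window` seconds were
    over threshold, counting non-consecutive seconds too, else None."""
    for i in range(len(samples)):
        recent = samples[max(0, i - window + 1):i + 1]
        if sum(1 for v in recent if v > threshold) >= min_above:
            return i
    return None


if __name__ == "__main__":
    for name, series in (("pulse wave", PULSE_WAVE), ("sustained", SUSTAINED)):
        bursts = find_bursts(series, 50)
        print(name, classify(bursts),
              "consecutive(15):", consecutive_trigger(series, 50, 15),
              "windowed(60, 15):", windowed_trigger(series, 50, 60, 15))
```

With a 15-second consecutive rule the sustained flood triggers at second 34 while the pulsed series never triggers at all, even though it delivers the same 300 Gbps peaks; the windowed rule fires at second 34 on both. The classification step matters for the next pulse: once the cadence is known, mitigation can stay engaged through the quiet intervals instead of standing down and re-detecting every burst.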

“For a commercial organization, every such instance translates into tens of thousands of dollars in direct and indirect damages. For professional offenders—already inclined to split up their attack resources for optimized utilization—this serves as another reason for them to launch Pulse Wave DDoS assaults. Consequently, we expect to continue encountering such assaults. We also forecast them to grow larger and become more persistent, fuelled by botnet resource evolution and the previously described macro trends we’ve observed in the DDoS landscape,” Zeifman added.

The full research paper, “Attackers Use DDoS Pulses to Pin Down Multiple Targets, Send Shock Waves”, presents a detailed dive into the nature of pulse wave attacks, the threat they pose, and their place in the DDoS threat ecosystem.

Monday, June 26, 2017

How Long Can Resources in Short Supply Last?

Smart Energy: From Fire Making to the Post-Carbon World first traces the history of mankind's discovery and use of energy. It then reviews contemporary issues such as global warming, environmental deterioration, depletion of carbon energy sources, and energy disputes. Next, it evaluates technical innovations, system change, and international cooperation. Then, it tackles how civilization will continue to evolve in light of meeting future energy needs, how Smart Energy will meet these needs, and defines the global mission. The book closes with a summary of China’s dream of Smart Energy. This chapter considers how long petroleum, coal, and other carbon-based resources can last.

Monday, June 19, 2017

Understanding the Organizational Context for a Business Impact Analysis


Conducting a business impact analysis (BIA) for an organization requires the practitioner to understand the business and its manifold dependencies and relationships, and to study the enterprise as an extended enterprise. This chapter from Practitioner's Guide to Business Impact Analysis explains the organizational context for conducting a BIA.

Monday, June 12, 2017

What Is the Role of a CISO?

This article discusses the role of the CISO, how it has changed over the years, and what tools and skills a CISO needs.

BTW, we have a slew of books on the roles of the CISO. You can find them here.

Wednesday, June 7, 2017

Rebecca Herold's June Privacy Professor Tips

Rebecca Herold's June Privacy Professor Tips were published last week! This month's Tips cover a wide range of topics, including privacy concerns on the dark web, fake emails that look totally real, security threats from your (not so smart) used car, considering whether you could lose your new home to hackers, yet another public employee under fire for personal email use, yet more surveillance considerations, and healthcare security and privacy news, plus her current list of recent publications and upcoming events.

Thursday, May 25, 2017

How Large Enterprises Can Protect Their Data from Increasing Ransomware Attacks

Ransomware attacks are increasingly making headlines as hackers find ways to access platforms to infect data. Experts worry that new and emerging data platforms provide low-hanging fruit to ransomware attackers.

Nitin Donde, CEO at Talena notes, "By their very nature, Hadoop and NoSQL databases are complex distributed systems with many moving parts, which while making it easy to manage and scale them independently, has also opened them up to the possibility of security attacks at multiple points of vulnerability.

"Most large enterprises deploy several of these systems and as a result, large enterprises are at a significantly increased risk of ransomware attacks. We have seen a spate of recent ransomware attacks on MongoDB, CouchDB and Elastic. By some estimates, the number of systems affected is in the thousands, which is a huge drain on the both capital and time."

In order for enterprises to mitigate and nullify these modern security threats to their business critical data platforms, Nitin recommends companies take the following steps to safeguard their data:
  • Instill the same level of policy rigor that can be taken for granted in traditional record-of-truth platforms such as RDBMSs, email servers and data warehouses. Some of the security frameworks such as Kerberos are complex to implement and maintain for big data platforms, but they will deter and prevent attacks right when they happen.
  • Making timely backups of the data in an efficient and scalable manner is paramount. With the landscape of security threats constantly changing, data backups are an enterprise’s insurance against loss of time and capital as they let you travel back in time in the event of a disaster.
  • Intelligent machine learning: With increasing volume and variety of data, it’s not humanly possible to constantly scan modern platforms for security threats. Intelligent machine learning-driven approaches must supplant humans for detecting anomalous behavior in both the acquisition as well as storage phases of data lifecycle management.
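The first recommendation above, bringing the same policy rigor to these platforms as to an RDBMS, starts with two settings. As an added example (not from Talena or the quoted author), the Python below audits a mongod.conf for the settings that decide whether a mongod reachable over the network answers to anyone at all: security.authorization and net.bindIp. It shows a weak configuration beside a hardened one; both files, the parser (which handles only the indented key: value subset that mongod.conf uses) and the finding text are constructed for this illustration.

```python
"""Added example: audit a mongod.conf for the two settings that decide whether
a reachable mongod serves unauthenticated clients. Both files are constructed.
"""

WEAK_CONF = """\
# listens on every interface and enforces no authentication
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application-subnet address
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text):
    """Parse the indented `key: value` subset of YAML that mongod.conf uses.
    '#' starts a comment; lists, quoting and multi-line values are not handled."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod(conf):
    """Return a list of finding strings; an empty list means both checks pass."""
    findings = []
    net, security = conf.get("net", {}), conf.get("security", {})
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "reach the port can read, drop or hold the data to ransom")
    bind = net.get("bindIp")
    # A missing bindIp is treated as exposed: before MongoDB 3.6 the server's own
    # default was to listen on all interfaces, and the wildcard forms are explicit.
    exposed = (net.get("bindIpAll") == "true" or bind is None
               or {"0.0.0.0", "::"} & set(bind.split(",")))
    if exposed:
        findings.append("net.bindIp binds every interface: restrict it to loopback "
                        "and the application network, and firewall the port")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_conf(text)) or ["ok"])
```

The weak file produces both findings and the hardened file none. The same two questions (who can reach the listener, and does it require credentials) apply to Elasticsearch, CouchDB and the rest of the list in the quote; the config keys differ, the check does not.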

Tuesday, May 16, 2017

Cloud Encryption: Bring Your Own Key Is No Longer Enough

Encryption key management systems are now essential for all companies needing to lock down data in the cloud, says Matt Landrock, Executive Vice President, Cryptomathic

‘Trust’ can be both a terrific enabler and a severe inhibitor in cloud services adoption. Keen to benefit from the cloud’s promise of flexible and scalable on-demand computing, businesses everywhere continue to migrate increasing volumes of critical data off-site and into the hands of third party cloud service providers. Each time this happens, however, they must answer the same question: what guarantees do I need before I can trust this provider to protect my data? 

Who holds the power to access a firm’s private data in the cloud is a big and thorny issue. Hosting services operate, by definition, across borders whereas the regulations that grant nation states and other third parties power-of-access, do not. Governing authorities around the world therefore vary in their ability to compel cloud service providers to sacrifice customer privacy and comply with their access demands. 

As a result, encryption now has a major role to play in the security process. Companies that trade in confidentiality, banks for example, commonly use encryption as a defense against third party intervention from nation states and cybercriminals alike. When rolled into their cloud provider’s managed service contract, however, encryption actually does relatively little to reassure: if the provider can already be strong-armed into granting access, surely they can also be compelled to relinquish their encryption keys, making life pretty awkward for everyone involved. Nonetheless, a study from Ponemon Institute & Thales[1] revealed that 37% of companies worldwide still rely on their cloud providers to generate and manage both the keys and the encryption process.

‘Bring Your Own Key’ (BYOK), where the end-user independently generates, backs up and submits its own encryption keys, neatly addresses this concern. If the service provider doesn’t have access to the key in the first place, it can’t be compelled to hand it over, meaning that the user’s data will remain encrypted no matter who tries to access it. Sadly, BYOK creates another set of problems. Assuming sole control over an encryption key is a hefty responsibility. Loss or error could prevent a business from decrypting its own data, resulting in paralysis. Theft of the encryption key puts the entire security operation in jeopardy, meaning that the user’s backup process must itself be subject to high-security measures. What’s more, if the key is lost or stolen, help is very hard to come by. The service provider, having already been relieved of its key liability, is powerless to assist. In many ways BYOK replicates the problems associated with more traditional usernames and passwords. Key ubiquity, like password ubiquity, replaces one security headache with another: should there be a key to all the keys? How is that key secured? And so on.

BYOK poses operational challenges, too. Once the user’s key has been created and submitted to the service provider it can’t be retrieved, or at least not easily. Security best practice also dictates that each individual cloud service should have its own unique key. Where vast stores of data are concerned, risk mitigation policies encourage firms to use a variety of keys and to spread their data between several providers, each of which will have its own unique blend of encryption engines, protocols and messaging formats. This situation is worsening too: Forrester predicts that the practice of blending multiple cloud models will increase in 2017 and calls on companies to take specific steps to secure their whole environment.[2]

When combined, these factors add up to a complex and multi-faceted BYOK challenge, for which nothing less than bullet-proof management is acceptable.

Fortunately, demand for what could now be called ‘Manage Your Own Keys’ (MYOK™) can be well supported by specialist software, purpose-designed to put users back in the driving seat. These platforms enable users to control and manage the entire lifecycle of their own, unique portfolio of keys: generating, storing, deploying, retrieving, backing up, restoring, revoking and updating as they go.
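To make the lifecycle operations and the "key to all the keys" question concrete, here is an added example (not Cryptomathic's software or any MYOK product) of a customer-held key hierarchy in Python: a root key-encryption key (KEK) that never leaves the customer wraps one data-encryption key (DEK) per cloud service; the provider stores only the wrapped DEK beside the data. Rotating the KEK rewraps the DEKs without touching stored ciphertext, a service's key can be revoked on its own, and a lost KEK leaves every wrapped DEK, and so every record, unrecoverable, which is the BYOK failure mode described above. The cipher is an HMAC-SHA256 stand-in for a real AEAD such as AES-GCM so that the example runs on the standard library alone; the class and method names are assumptions for the illustration.

```python
"""Added example: a customer-held key hierarchy with wrap, rotate and revoke.
KEK (root, stays with the customer) -> one DEK per cloud service -> data.
The cipher is an HMAC-SHA256 stand-in for a real AEAD (use AES-GCM in practice):
keystream = HMAC(enc_key, nonce||counter), then an encrypt-then-MAC tag over
aad||nonce||ciphertext. Illustration only.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = [_prf(key, nonce + ctr.to_bytes(4, "big")) for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def aead_encrypt(key, plaintext, aad=b""):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # domain-separated subkeys
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed: wrong key, wrong context or altered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyStore:
    """The customer's side of BYOK. The KEK is the 'key to all the keys'; the
    provider only ever stores wrapped DEKs next to the data it holds."""

    def __init__(self):
        self.kek = secrets.token_bytes(32)
        self.kek_version = 1
        self.wrapped = {}   # service name -> (kek_version, wrapped DEK)
        self.revoked = set()

    def new_service_key(self, service):
        """One DEK per service; the wrap is bound to the service name via the AAD,
        so a DEK wrapped for one service cannot be unwrapped as another's."""
        dek = secrets.token_bytes(32)
        self.wrapped[service] = (self.kek_version, aead_encrypt(self.kek, dek, service.encode()))
        return dek

    def unwrap(self, service):
        if service in self.revoked:
            raise PermissionError(f"{service}: key revoked")
        _, blob = self.wrapped[service]
        return aead_decrypt(self.kek, blob, service.encode())

    def rotate_kek(self):
        """Rewrap every DEK under a fresh KEK; stored ciphertext is untouched."""
        new_kek, new_version = secrets.token_bytes(32), self.kek_version + 1
        for service, (_, blob) in list(self.wrapped.items()):
            dek = aead_decrypt(self.kek, blob, service.encode())
            self.wrapped[service] = (new_version, aead_encrypt(new_kek, dek, service.encode()))
        self.kek, self.kek_version = new_kek, new_version

    def revoke(self, service):
        self.revoked.add(service)


def demo():
    """Encrypt a record for one service, rotate the KEK, confirm the record still
    decrypts, then show that a different KEK (what a lost KEK amounts to) cannot
    unwrap the stored DEK. Returns (decrypts_after_rotation, lost_kek_recovers)."""
    store = CustomerKeyStore()
    record = b"ledger row 42: balance 1,250.00"
    ct = aead_encrypt(store.new_service_key("crm-cloud"), record, b"crm-cloud/ledger")
    store.rotate_kek()
    after_rotation = aead_decrypt(store.unwrap("crm-cloud"), ct, b"crm-cloud/ledger") == record
    try:
        aead_decrypt(CustomerKeyStore().kek, store.wrapped["crm-cloud"][1], b"crm-cloud")
        lost_kek_recovers = True
    except ValueError:
        lost_kek_recovers = False
    return after_rotation, lost_kek_recovers


if __name__ == "__main__":
    print(demo())
```

The two results `demo()` returns are the operational points of the passage: rotation is cheap because only the small wrapped DEKs are rewritten, and the KEK's backup is the single thing that decides whether the business can ever read its own data again, so that backup (an HSM, split custody, or an escrowed copy under another KEK) needs more protection than any one service's key.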

Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models – public, private and hybrid amalgamations of the two. MYOK™ systems enable users to address them all with cryptography, creating and managing keys regardless of their required shape, form and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.

This is just the beginning. The number and variety of uses for encryption keys is exploding. Having begun life in network management and financial services, encryption and other cryptographic functions are fanning out rapidly, to secure data created by smart devices, connected cars, intelligent building systems and all manner of other connected consumables that together comprise the Internet of Things.

There is little doubting the level of enthusiasm for cloud-based data storage and transmission services. The big problem has been that major stakeholders have had a hard time balancing their need to guarantee security, control and confidentiality with the huge gains that the cloud can deliver in terms of flexibility, scalability and operational agility. Key management platforms enable this balance to be struck, reducing time to market for those delivering cloud-dependent products and services while, at the same time, ensuring they remain the sole proprietors of their data, regardless of where it is kept or how it is transmitted.

If the encryption industry is to avoid replicating the mistakes of the username and password model, it must promote an approach that has secure key management at the center. Only then can the full promise of the cloud be realized, finally unburdened by issues of trust.

NB: MYOK™ is a registered trademark of Cryptomathic Inc.