STE WILLIAMS

Tune in this month: What every small-to-medium biz can do to fend off cyber-crooks

Webcast Miscreants are constantly on the lookout for new ways to get at your data, becoming more dangerous all the time as a result.

Perimeter walls can no longer be relied on to stop determined hackers and cyber-criminals from slipping into your networks to compromise servers and machines.

Even the smallest businesses are at risk, and while most big companies have teams of experts on hand to deal with regular cyber-security alerts, small-to-medium enterprises (SMEs) often lack the skills and resources needed to repel today’s increasingly skilled attackers. Just keeping antivirus software up to date is not enough.

What more can smaller enterprises do to protect themselves? Various endpoint detection and response (EDR) solutions that promise to tackle threats are available on the market, though which one do you choose and how do you use it?

If you are charged with taking care of your company’s IT security, tune into our webcast starting at 3pm UK time on 15 January, 2020, to hear an expert at Helsinki-based security specialist F-Secure provide some valuable advice for SMEs.

The discussion will cover the following topics:

  • Understanding the mindset of cyber-criminals who focus on the smaller business.
  • How EDR can help you build a robust response to the latest threats.
  • How to choose the EDR solution that fits your company’s needs.

You can register or login to sign up for the webcast, brought to you by F-Secure, right here.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/06/f_secure_webcast/

IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata

A now-former senior IT exec has admitted conning his employer out of $6m – by setting up a fake tech services biz that billed his bosses for bogus services.

US prosecutors announced on Friday that Hicham Kabbaj, 48, of Floral Park, Long Island, New York, pleaded guilty to one count of wire fraud. He faces up to 20 years in the clink, though in all likelihood will get much less, and will be sentenced later this year by presiding federal district Judge Richard Berman.

“Today, Mr Kabbaj pled guilty to a serious felony because he chose to misuse his position of trust as a corporate executive to steal company funds for his own personal gain,” said Jonathan Larson, the Internal Revenue Service special agent in charge of the case.

According to Uncle Sam’s court filings [PDF], between August 2015 and May 2019, while in various roles that allowed him to handle IT purchasing for his unnamed employer, described as a “global internet company” based in Manhattan, Kabbaj funneled millions into his own pockets through phony tech purchases.

For what it’s worth, between May 2015 and August 2019, a certain Hicham Kabbaj worked for Rakuten Marketing, a global online marketing outfit, in New York, in various IT-related roles including senior veep of technical operations and engineering, according to LinkedIn. Rakuten did not respond to a request to comment.

According to investigators [PDF] here’s how the scam worked. Back in 2015, Kabbaj set up a shell company called Interactive Systems that was pitched as an IT services provider, but was in fact little more than a business name and a bank account.

Over the course of the next four years, Interactive Systems billed his employer for various bits of equipment – including a firewall and 16 servers – with Kabbaj receiving and approving the invoices at his end. Interactive Systems was also paid a monthly retainer. However, no gear or services ever turned up, and payments for the bogus kit just went straight into Kabbaj’s personal coffers.


To cover his tracks, and avoid scrutiny, the crook omitted to put any serial numbers on the invoices, or reused serial numbers of equipment his employer already owned. However, he wasn’t that smart: four of the invoices were written in Microsoft Word, and the file metadata showed they had come from Kabbaj’s copy of the software.

“From in or about August 2015 through in or about April 2019, Interactive Systems submitted to Company-1 approximately 52 invoices,” prosecutor Scott McNeil told the New York courts. “Four of these invoices were submitted in Word document format, and the metadata for these four invoices identified Kabbaj as the author. Each invoice from Interactive Systems was addressed to Kabbaj.”

Once his bosses had paid for the phantom gear, Kabbaj would simply shift the received cash from Interactive Systems into his own bank account. This netted the fraudster a cool $6m (£4.6m). The last of the payments was said to have occurred in May 2019. A few months later, Kabbaj was collared and charged by the Feds in September after investigators spoke to two of his colleagues and gathered the evidence they needed to nail him.

As part of his guilty plea, Kabbaj agreed to return $6,051,453 to his former employers, and hand over any proceeds from his crime, including his two homes at Palm Beach Gardens, Florida, and Hewitt, New Jersey.

While proficient, Kabbaj is not revolutionary in his scheme. Other IT managers have previously been busted for running the same racket. Which makes you wonder how many others might be out there (our tip line is always open.) ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/04/tech_manager_theft/

Cryptocurrency exchange Poloniex issues password reset warning

When is a password breach not a password breach? When is a password warning a hoax?

That’s the double-trouble situation that faced cryptocurrency exchange Poloniex this week, following a tweet at the end of last year in which, according to Poloniex:

[S]omeone leaked a list of email addresses and passwords on Twitter, claiming the information could be used to log in to Poloniex accounts.

The company itself tweeted as follows:

Of course, there’s a big difference between knowing someone’s password for service X, and hacking service X.

Crooks sometimes present a list of hacked passwords as some sort of “proof” that they successfully broke into a server, but unless they can produce a significantly long list, this sort of “evidence” doesn’t prove much.

Indeed, in December 2019 we wrote about the conviction of a hacker from London called Kerem Albayrak.

He filmed himself logging into two people’s iCloud accounts as part of a blackmail attempt against Apple, demanding $100,000 in iTunes cards in return for not inflicting damage on millions of additional iCloud accounts.

The two breached accounts were supposed to support his claim to have a massive stash of Apple iCloud passwords, but he’d got hold of those two passwords without hacking Apple at all.

According to Poloniex, that’s much like what happened in this case.

The “Poloniex emails and passwords” announced on Twitter seem to have been from a previous, unknown breach, and the crooks were simply chancing their arm by guessing that at least some of the account names and passwords might also work on the Poloniex site.

Poloniex claims that just 5% of the users in the “hacked list” were actually Poloniex customers at all, and that 90% of the accounts in the list were already in the well-known haveibeenpwned database that tries to keep track of the billions of already-discovered breached records that are circulating online.

Those two figures do indeed suggest that Poloniex wasn’t the source of the breached data.

Also, Poloniex says that it uses a salt-hash-stretch mechanism called bcrypt in its password database, which protects passwords from recovery by cybercrooks even if they manage to steal the whole database.

Instead of storing the password itself, you store the output of a deliberately slow cryptographic calculation based on the password and a random per-user salt. That means that when a user types in their password, you can recompute the hash and check that it matches the one in your database, and thus that it is correct, but you only ever need to have the actual password in memory briefly. You can work forwards to verify the hash if you already know the password, but you can’t work backwards from the hash to figure out the password. Crooks with a list of hashes can try to guess the passwords one by one, an enormously time-consuming task that makes it as good as impossible for them to recover an extensive list of passwords, though weak, common or reused passwords can still be guessed quickly, salt or no salt.

Poloniex nevertheless reset the passwords of any users who did show up in the list – a good precaution just in case any of the old passwords might have worked.

Interestingly, Poloniex says that, because it uses bcrypt and stores hashed passwords, it “cannot confirm if the password listed with your email address is the password you use on Poloniex.”

As far as we can see, Poloniex could put all the passwords on the list through the bcrypt algorithm and see if any of them did match up with the stored hashes – basically, carrying out a pretend login for each listed account – so we’re not sure why the company says it cannot check how many passwords do match up.

Facebook and other cloud services do just that – they deliberately acquire and try known-breached passwords against their own users in the hope of being able to reset those passwords and warn their users before the crooks get round to it.

Nevertheless, we concede that testing a large list of passwords would be a lot of extra work – the same sort of processing power needed to process the same number of actual logins – so we can understand why the company chose not to do so.
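
Here is what that “pretend login” check looks like in practice. This is an added example, not Poloniex’s code and not from the original article: it uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt (same shape: random per-user salt, slow stretched hash, verification by recomputation) so that it runs without third-party packages. The user database and the “leaked” list are constructed sample data, and the iteration count is kept low for the demo.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. Kept low
# for the demonstration; production deployments use far more iterations.
ITERATIONS = 50_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing verifier: pbkdf2$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, verifier):
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = verifier.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported verifier scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def check_leaked_credentials(user_db, leaked):
    """The 'pretend login' the article describes: for every (email, password) in a
    leaked list, test the password against the stored verifier for that email.
    Returns the set of accounts whose leaked password still works and must be reset."""
    to_reset = set()
    for email, leaked_password in leaked:
        verifier = user_db.get(email.lower())
        if verifier is None:
            continue  # not a customer: nothing to check
        if verify_password(leaked_password, verifier):
            to_reset.add(email.lower())
    return to_reset


# Constructed sample data (not from the article or from Poloniex).
USER_DB = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
    "carol@example.com": hash_password("unique-and-long-passphrase"),
}

LEAKED_LIST = [
    ("alice@example.com", "correct horse battery staple"),  # reused: still valid here
    ("BOB@example.com", "wrong-guess"),                      # customer, but stale password
    ("dave@example.com", "hunter2"),                         # not a customer at all
]

if __name__ == "__main__":
    print(sorted(check_leaked_credentials(USER_DB, LEAKED_LIST)))  # ['alice@example.com']
```

The cost is exactly one slow hash per listed account, which is the point the article makes: it is the same work as the same number of real logins, no more and no less.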

When is a breach not a breach?

We’ve now answered the first question above: “When is a password breach not a password breach?”

In this case, the crooks do seem to have come up with breached passwords, but they were just regurgitated from an earlier breach, not the result of a new one.

The second question is a bit trickier: “How do you know that a password reset warning isn’t itself a scam?”

Poloniex has tried to answer that by following up the breach notification email it sent out to users whose passwords were reset with a more public announcement giving information about what happened.

What to do?

Our advice isn’t specific to Poloniex accounts, or to cryptocurrency accounts – these tips work across the board:

  • Never reuse passwords. Crooks routinely try breached passwords from site X on your accounts on Y, Z, M, N and P, too. This process, called credential stuffing, can be automated – so don’t make it easy for the bad guys.
  • Never click on links in unsolicited password reset emails. If you didn’t request the reset yourself, then avoiding links means you are less likely to be tricked by crooks trying to scare you into visiting a bogus “reset page”. Find your own way to the real site instead and you’ll avoid getting phished.
  • Never rely on passwords alone. If a service you use supports 2FA (two-factor authentication), turn it on. 2FA usually works by texting one-time codes to your phone or using an app to generate login codes that are additional to your password. This stops crooks logging in with your password alone.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dPiwIyaAYY0/

New year, new critical Cisco patches to install – this time for a dirty dozen of bugs that can be exploited to sidestep auth, inject commands, etc

Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager.

The updates address a total of 12 CVE-listed vulnerabilities and range in severity from moderate to critical, though all should be patched regardless of rating. Nearly all were found within the REST and SOAP APIs.

The immediate priority should be cleaning up CVE-2019-15975, CVE-2019-15976, and CVE-2019-15977, a trio of authentication bypass bugs that can be exploited remotely without authentication.

The three flaws are all related to the use of static encryption keys or credentials used by DCNM. CVE-2019-15975 allows an attacker to use the static key via the REST API to craft a new, valid session token which grants admin privileges. CVE-2019-15976 describes the same issue via the SOAP API, while CVE-2019-15977 describes static credentials that only allow access to “certain confidential information,” but that information could be used for other attacks.
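
To see why a static key amounts to an authentication bypass rather than merely a weak secret, consider a session token signed with HMAC. The following is an added example that models the bug class; it is not Cisco’s code, and the article does not describe DCNM’s actual token format, so the claims layout, the key values and the function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(claims, key):
    """Serialize the claims and append an HMAC-SHA256 tag computed under `key`."""
    body = _b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + _b64e(tag)


def verify_token(token, key, now=None):
    """Return the claims if the tag verifies under `key` and the token is unexpired, else None."""
    try:
        body, tag = token.rsplit(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


# The bug class: a signing key baked into the shipped product, identical on every
# installation. Whoever extracts it from one copy can mint tokens for all of them.
STATIC_KEY = b"constructed-example-key-hardcoded-in-every-build"


def generate_install_key():
    """The fix: a key generated per installation at setup time, never in shipped code."""
    return os.urandom(32)


def forge_admin_token(known_key, ttl=3600):
    """What an unauthenticated attacker does once the static key is known: mint a
    token claiming admin that the server cannot distinguish from a real one."""
    return issue_token({"sub": "attacker", "role": "admin", "exp": time.time() + ttl}, known_key)


if __name__ == "__main__":
    forged = forge_admin_token(STATIC_KEY)
    print("static key  ->", verify_token(forged, STATIC_KEY))              # admin claims accepted
    print("install key ->", verify_token(forged, generate_install_key()))  # None
```

Nothing about the HMAC construction is wrong here; the whole weakness is in where the key lives. The same token code with a per-install key rejects the forged token outright.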

Also patched were three path traversal vulnerabilities in DCNM that, while bad in their own right, become an even bigger risk when paired with the above-mentioned authentication bypass bugs. An attacker can exploit the authentication bypass flaws for admin access, then use the path traversal bugs to get at other devices and data. Among those flaws are CVE-2019-15980 and CVE-2019-15981.


CVE-2019-15984 and CVE-2019-15985 are SQL injection flaws inside the REST and SOAP APIs that would allow a remote baddie to send arbitrary SQL commands. Both CVE-2019-15978 and CVE-2019-15979 allow the remote injection of OS commands.

Information disclosure is also possible via CVE-2019-15983, which Cisco describes as an XML External Entity Read Access vulnerability – basically, the bad guy uses SOAP API commands to send XML that can then read arbitrary files. This requires admin access, which, luckily, is awarded via exploiting one of the earlier bypass flaws. Like we said, beware chained exploits.
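
The XXE mechanism is worth seeing end to end, because the fix is a one-line parser setting. The following is an added example, not from the Register article and not Cisco’s code (DCNM is a Java application and its parser is not described here): it uses Python’s standard-library SAX parser to show the same bug class. The “SOAP” element names, the temporary file standing in for a sensitive system file, and the payload are all constructed for the demonstration.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the text of every element, as a naive SOAP request handler might."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_body(xml_bytes, resolve_external_entities):
    """Parse an XML body with Python's expat-backed SAX parser.

    resolve_external_entities=True models the vulnerable configuration: the parser
    fetches SYSTEM entities, so an entity pointing at a local file pulls that file's
    contents into the document. False (the modern default) leaves the entity empty."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text().strip()


def has_doctype(xml_bytes):
    """Cheap pre-parse check: reject any body carrying a DOCTYPE, which is where
    entity declarations live. Untrusted SOAP/REST XML never needs one."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def demo_xxe():
    """Write a stand-in secret file, build the classic XXE payload against it and
    parse it both ways. Returns (vulnerable_result, hardened_result)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("db_password=s3cr3t")  # constructed stand-in for a config file
    try:
        # Constructed payload in the shape of a SOAP request; the entity points at
        # our temp file rather than a real system file.
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE soap [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n'
            '<Envelope><Body><Lookup><name>&xxe;</name></Lookup></Body></Envelope>'
        ).format(uri=pathlib.Path(path).as_uri()).encode("utf-8")
        vulnerable = parse_body(payload, resolve_external_entities=True)
        hardened = parse_body(payload, resolve_external_entities=False)
        return vulnerable, hardened
    finally:
        os.unlink(path)


if __name__ == "__main__":
    v, h = demo_xxe()
    print("vulnerable parser saw:", repr(v))
    print("hardened parser saw:  ", repr(h))
```

In a real API the file contents would come back to the attacker in the response or an error message. Disabling external entity resolution in the parser is the primary fix; rejecting any DOCTYPE before parsing is a cheap belt-and-braces check for endpoints that never legitimately need one.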

Finally, there is CVE-2019-15999, a flaw that would allow a remote attacker to get low-privilege access to JBoss Enterprise Application Platform, a component that should only be accessible to local accounts.

Admins are advised to review, test, and install all of the patches as soon as possible. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/03/critical_cisco_patches/

Cisco Drops a Dozen Vulnerability Patches

Among them are three for critical authentication bypass flaws.

Cisco celebrated the new year by dropping patches for 12 vulnerabilities. The patches include fixes for three critical authentication bypass flaws, two command injection vulnerabilities, a pair of SQL injection vulnerabilities, three path traversal vulnerabilities, a vulnerability in the Data Center Network Manager (DCNM) JBoss Enterprise Application Platform (EAP), and an XML external entity vulnerability.

Satnam Narang, senior research engineer at Tenable, wrote a blog post in which he pointed out that the three authentication bypass flaws are among the most severe, largely because they act as gateways to exploiting the other vulnerabilities.

Eleven of the vulnerabilities were discovered by Steven Seeley of Source Incite, while the 12th was reported by Harrison Neal of PatchAdvisor.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/cisco-drops-a-dozen-vulnerability-patches/d/d-id/1336718?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware Victim Southwire Sues Maze Operators

Attackers demanded $6 million from the wire and cable manufacturer when they launched a December ransomware campaign.

Southwire, a prominent Georgia-based cable and wire manufacturer, is suing the Maze ransomware operators following a December 2019 attack in which the defendants stole sensitive information and later published it when their demand for ransom went unfulfilled.

Maze ransomware has grown prevalent since it was detected by Malwarebytes researcher Jerome Segura in May 2019. The malware was also seen in attacks against the city of Pensacola, Fla., and Allied Universal; when the latter missed its ransom payment deadline, Maze operators published 700MB of stolen information and demanded $2.3 million to decrypt its network.

It seems the same pattern occurred in Maze’s attack on Southwire, which resulted in the theft of 120GB of data and encryption of 878 devices, Bleeping Computer reports. The operators demanded 850 Bitcoins, or $6 million, in exchange for the information. When Southwire didn’t pay, they posted a subset of the company’s stolen files on a website they built and controlled.

As a result, Southwire has filed a civil lawsuit in the Northern District of Georgia against the anonymous Maze attackers, referred to in the complaint as John Doe, “for injunctive relief and damages” under the Computer Fraud and Abuse Act (CFAA) and the common law of trespass to chattels.

According to the official complaint, Southwire alleges the defendant wrongfully accessed its computer systems and extracted confidential business data and other sensitive data. “Defendant then demanded several million dollars to keep the information private, but after Southwire refused Defendant’s extortion, Defendant wrongfully posted part of Southwire’s confidential information on a publicly-accessible website that Defendant controls,” it states.

Unless the attackers are directed to cease exposure of this information, the complaint continues, they will likely continue to post more of Southwire’s stolen data to its website. In doing so, they could potentially cause “substantial, imminent, and irreparable harm” to the company.

The complaint states Southwire spent “far in excess of $5,000” to investigate the incident and remediate the damage Maze has caused and could cause. News of the incident has been spread to harm Southwire’s reputation and alarm customers and employees, it adds. The defendant violated the CFAA “by knowingly and intentionally accessing Southwire’s protected computers without authorization or in excess of any authorization and thereby obtaining information from the protected computers in a transaction involving an interstate or foreign communication.”

On top of its lawsuit against the Maze operators, Southwire is seeking injunctions against World Hosting Farm Limited (WHFL), which hosts the attackers’ website, after demands to remove its confidential data from the Internet went unaddressed, according to TheJournal.ie. The injunction requires WHFL to remove all data related to Southwire and its clients from the website. It also mandates the defendants hand over all the stolen data and that no additional information taken from Southwire be published anywhere else.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Python is dead. Long live Python!

Python is dead. Long live Python!

Python 2 has been one of the world’s most popular programming languages since 2000, but its death – strictly speaking, at the stroke of midnight on New Year’s Day 2020 – has been widely announced on technology news sites around the world.

But Python isn’t dead, because Python 3 has been around since the late 2000s.

So there will be no “interregnum” period during which Python doesn’t exist – just as in a hereditary monarchy, succession is considered technically instantaneous, ensuring an unbroken line.

If you’re a programmer or a sysadmin (and, in truth, a sysadmin is just a special sort of programmer who is expected to use their skills to code people out of the holes that others have coded them into), then you have almost certainly used Python at some point.

And if you’ve never programmed in Python yourself, you’ve almost certainly used software written in Python, or relied on online services that were supported by software written in the Python language.

So, given that Python 2 has been replaced by Python 3 without any interruption, and given that nothing bad happened when Python 1 switched over to Python 2 around the turn of the millennium, why is the “death” of Python 2 such a big deal now?

Well, the problem – or the perceived problem – is that the changeover is not quite as straightforward this time as it was before.

When Python 2 came along, it was a natural progression from Python 1, and software written in Python 1 was, essentially, already valid Python 2.

So you could just replace your Python 1 software development system with a Python 2 installation and carry on as usual.

However, when Python 3 was introduced, it included what software developers call breaking changes – differences that were incompatible to the point that you couldn’t just take a Python 2 program, run it under Python 3, and expect it to perform correctly.

Why break things?

Python 3 was devised, at least in part, to be different from Python 2 in carefully planned and incompatible ways.

The idea was not only to add new features to Python 3 but also to remove some of the pitfalls and imperfections that Python 2 was forced to inherit from Python 1 in order to stay compatible with it.

As the Python website says:

Python 3.0 (a.k.a. “Python 3000” or “Py3k”) is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. Also, the standard library has been reorganized in a few prominent places.

That’s usually the whole idea of breaking changes in programming – you do them not because you want to break the software in the future, and thereby to make things worse, but to break with some of the mistakes you made in the past, and thereby to make things better in the long run.

That’s why Python 2 and Python 3 have coexisted for so many years – to give programmers plenty of time to port their code to Python 3, ready for the end of the Python 2 era.

Why not keep Python 2 for ever?

In an ideal world, the Python ecosystem – remember, Python is a free and open-source project, not a commercial venture – would simply carry on supporting Python 2 for ever…

…but that would eat up an enormous amount of time, most of it given voluntarily by Python fans around the world.

Plus, the Python community devised Python 3 to be better than Python 2, and to remove some of its risky, confusing and unnecessary parts.

Indeed, all that time-consuming work “backporting” new fixes to the old codebase would ironically make it easier for die-hard Python 2 fans to keep on living in the past.

What to do?

Python 2 software will still work, so there’s no immediate problem – the “death” of Python 2 is a conceptual issue, not a literal one.

In other words, if you still have large Python 2 projects that you haven’t yet ported to Python 3, you’re not in imminent danger of your software stopping working.

But the entire Python 2 environment will no longer be getting security fixes, making it a bit of a fool’s errand to carry on using it.

As the Python Foundation’s news blog explains:

Users are urged to migrate to Python 3 to benefit from its many improvements, as well as to avoid potential security vulnerabilities in Python 2.x after April 2020. This move will free limited resources for the CPython core developer community for other important work.

So, we recommend:

  • Use Python 3 for all new Python projects.
  • If you don’t yet have a plan for retiring or porting your Python 2 apps, make one now.
  • If you’re relying on a vendor who’s still coding in Python 2, ask them about their plans to move forward.
  • Learn Python 3 if you’re new to programming and just getting started.

As an interesting aside, even though 01 January 2020 is the official “death of Python 2” date, you’ll have noticed the mention of “April 2020” in the Python Foundation’s comments above.

Indeed, it seems that CPython (the primary Python implementation, itself written in C) will actually see its last major version in April 2020, after which “all [CPython] development will cease for Python 2.”

So perhaps Python 2 isn’t quite dead after all…

…perhaps it’s just resting; maybe pining for the fjords?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7JIZhhJjW1Y/

Don’t Xiaomi pics of other people’s places! Chinese kitmaker fingers dodgy Boxing Day cache update after Google banishes it from Home

Xiaomi has blamed some post-Christmas cache digestion problems after finding itself plonked on the naughty step by Google, which blocked the Chinese tech conglomerate’s devices from its Nest Hub and Assistant last night.

This follows a shocking glitch where one Xiaomi Mijia security camera owner was able to peer into the homes of several strangers.

The issue was raised by Reddit user Dio-V, who noticed that his Google Nest Hub was showing him stills from other people’s homes, rather than footage from his own camera.

In a comment posted to the Google Home subreddit, you see several clear frames depicting a sleeping baby, someone’s hallway, and an unidentified man passed out on an armchair. It’s not immediately obvious when these pictures were taken, or how long the issue has remained unresolved.

The Xiaomi Mijia 1080P Smart IP Security Camera retails for £38 on Amazon, and can be bought from Chinese retailers like Banggood and GearBest for about $25. Dio-V says he bought his camera new from AliExpress, and it was running the latest firmware version.

For its part, Google has contacted the Redditor affected, and promptly disabled Xiaomi’s integrations. And while this will undoubtedly inconvenience many users, it’s better to be safe than sorry.

It told several outlets late last night: “We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.”

Xiaomi provided The Register with this statement, attributing the flaw to a caching issue:

Xiaomi has always prioritized our users’ privacy and information security. We are aware there was an issue of receiving stills while connecting Mi Home Security Camera Basic 1080p on Google Home hub. We apologize for the inconvenience this has caused to our users.

Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions.

We have also found 1,044 users with such integrations and only a few with extremely poor network conditions might be affected. This issue will not happen if the camera is linked to Xiaomi’s Mi Home app.

Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.

This isn’t the first security issue associated with a cheap IP camera. A cursory browse of Shodan, a search engine for internet-connected devices, reveals thousands of such cameras exposed to the internet, allowing anyone to peer in. The main difference here is that Xiaomi isn’t a fly-by-night operator flogging rebranded and unsupported OEM kit, and is actually taking action.

That said, this episode is still hugely damaging to the company’s esteem, particularly as it’s in the midst of a Europe-wide push. It’s also unclear when Google will lift Xiaomi’s suspension. As always, when we find out, we’ll let you know. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/03/google_blocks_xiaomi_kit_after_letting_redditor_peer_into_strangers_homes/

Brit banking sector hasn’t gone a single day of 2020 without something breaking

It appears the UK banking system is playing a fiscal game of Top Trumps as both Yorkshire and Clydesdale Bank followed yesterday’s example set by Lloyds by not processing payments into customer accounts.

Problems followed a similar pattern as customers checked their accounts this morning to find expected payments not turning up.

Minor stuff like, er, salaries, that sort of thing.

The wailing kicked off from 6am local time, reaching a crescendo three hours later as customers hit refresh and refresh once more, but their expected payments continued to be absent.

Yorkshire Bank’s customer service orifice on Twitter gave up responding publicly to users just before 10am, presumably to focus on the wave of customers bombarding the bank’s news emitter. Over the course of the morning the bank went from “investigating this issue” to confirming that things were indeed borked.

The bank was, however, at pains to reassure customers that it would be dealing with the fiscal fallout caused by the outage and were quick to give us the following statement:

We are aware some customers have experienced a delay with transactions reaching their accounts today and are investigating this as a top priority. We are sorry for any inconvenience customers are experiencing. We are working to resolve it as soon as possible and we want to reassure customers they will not be negatively impacted financially as a result of this.

A cynic might wonder if the same Jim Henson creations responsible for Lloyds’ Faster payments did some moonlighting on the systems used by Yorkshire Bank, which also trades as Clydesdale Bank and Virgin Money.

To its credit, the bank has admitted that there is a problem and the promise of no “negative financial impact” is reassuring. However, it will be interesting to see how the bank is willing to go beyond overdraft fees and late payment penalties when calculating the amount of this impact.

It has been a difficult few days for the UK’s banking sector, but hopefully the problem will be resolved ahead of the inevitable rush to the pubs this evening for, er, soft drinks and soda.

It is January after all. ®

* Transfers Into Traders Seem Utterly Pants

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/03/yorkshire_clydesdale_bank_titsup/

Organizations May ‘Uncloud’ Over Security, Budgetary Concerns

With Gartner forecasting cloud revenue to hit $370 billion by 2023, and Microsoft highlighting how cloud has become a core element in enterprise IT, cloud’s momentum looks unstoppable.  But cloud customers are bumping up against some harder realities; according to our most recent cloud data security report, 48% of organizations that store sensitive data in the cloud would consider moving that data back on premises. It’s a costly and time-consuming proposition, yet organizations are thinking about it. Why?

In most cases, organizations uncloud because they face unexpected issues. Initially the plurality of organizations migrated to the cloud to cut costs (31%) and ensure availability for remote workers (26%). However, the survey results show that organizations are ready to uncloud due to their inability to ensure the desired level of protection (24%).

About one third of the organizations would uncloud because they didn’t achieve the initial goals of cloud migration. Among those who moved their data to the cloud to cut costs, 29% are ready to uncloud due to unexpected high costs. Among those who moved data to the cloud for security reasons, 27% would uncloud due to considerable security concerns.

Let’s take a closer look at factors that affect the decision to uncloud, as well as possible best practices that could obviate the challenges. 

Unexpectedly high costs from storing too much data in the cloud
Prior to a migration, most companies (67%) don’t discover and classify the files that actually need to be migrated; in fact, 63% simply moved all their data to the cloud. This is the likely driver of the unanticipated high costs of storing data in the cloud. Moreover, they neglect to take the opportunity to get rid of redundant, obsolete and trivial (ROT) files, which complicates the lives of users and drives cloud storage costs unusually high.

Best practice: Before moving data to the cloud, find and classify all your data. By doing this, you can be sure that you are migrating only the data required by the business. In addition to keeping a tight grip on your data (deleting or archiving ROT data), this will lower your overall costs associated with storing data in the cloud.

Inability to ensure the security of sensitive data in the cloud
About half of organizations looking to uncloud had at least one cloud security incident in 2018. This fact is disturbing, since organizations store extremely sensitive data in the cloud: 50% store personally identifiable information (PII) of customers and clients, 24% store payment data, and 18% store intellectual property. What is even more frightening, 53% of organizations couldn’t determine who was to blame for the security incidents. This means that organizations lack visibility into their cloud environment and cannot investigate security incidents properly, which makes it hard for them to prevent similar incidents in the future and protect their data.

Best practice: To minimize the risk of security incidents and investigate them more efficiently, you should audit your cloud environment to see who did what, when and where, and detect any suspicious activity around sensitive files. Also, don’t forget about data discovery and classification (DDC). “Data classification also allows organizations to focus their security and compliance efforts on sensitive information, to standardize and apply controls commensurate with risk, and to streamline those activities within business processes,” Gartner states in its 2018 report Hype Cycle for Data Security.

The Netwrix study highlights the benefits of DDC and shows that organizations that classify their data have less chance of experiencing an incident. Only 14% of organizations that performed data classification had incidents in 2018 — a rate 3.5 times lower than for organizations that didn’t classify their data.
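As an added illustration of the two best practices above (classify your data before migrating it, then audit who touched the sensitive parts of it), and not code from the Netwrix report or from Dark Reading: the Python sketch below classifies a constructed file inventory, removes duplicates and stale files from the migration plan, and then runs constructed CloudTrail-style audit events against that classification to flag reads of sensitive objects by principals outside an assumed allow-list. The inventory, the log lines, the allow-list, the three-year staleness cut-off and the "touched more than one sensitivity class" rule are all invented for the example.

```python
import hashlib
import json
import re
from collections import defaultdict
from datetime import date

# Constructed sample inventory: (path, content, last-modified date).
# Names and contents are invented for this example, not real files.
INVENTORY = [
    ("hr/payroll_2019.csv", "name,ssn\nAlice,123-45-6789\n", date(2019, 11, 2)),
    ("finance/cards.txt", "card 4111111111111111 exp 12/22", date(2019, 12, 10)),
    ("eng/design.md", "Internal design notes for product X", date(2019, 9, 15)),
    ("eng/design_copy.md", "Internal design notes for product X", date(2019, 9, 16)),
    ("tmp/old_export.log", "nothing of value", date(2014, 1, 1)),
]
AS_OF = date(2020, 1, 6)  # assumed "today" for the staleness check

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN shape
CARD_RE = re.compile(r"\b\d{13,16}\b")          # card-number shape, Luhn-checked below


def luhn_ok(digits):
    """Luhn check, so an arbitrary 13-16 digit number is not mislabelled as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content):
    """Return the most sensitive label found: pii > payment > internal."""
    if SSN_RE.search(content):
        return "pii"
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        return "payment"
    return "internal"


def plan_migration(inventory, today, stale_years=3):
    """Per file: migrate, archive (stale) or delete (duplicate content)."""
    seen_hashes = {}
    plan = {}
    for path, content, modified in inventory:
        label = classify(content)
        digest = hashlib.sha256(content.encode()).hexdigest()
        if digest in seen_hashes:
            action = "delete"   # redundant: identical content is already being migrated
        elif (today - modified).days > stale_years * 365:
            action = "archive"  # obsolete: keep on premises, do not pay cloud storage for it
        else:
            action = "migrate"
            seen_hashes[digest] = path
        plan[path] = {"label": label, "action": action}
    return plan


# Constructed audit events in a CloudTrail-like shape (invented, not real logs).
AUDIT_LOG = """
{"time":"2019-12-20T09:01:00Z","principal":"hr-app","action":"GetObject","object":"hr/payroll_2019.csv","ip":"10.0.1.5"}
{"time":"2019-12-20T09:02:00Z","principal":"contractor-7","action":"GetObject","object":"hr/payroll_2019.csv","ip":"203.0.113.9"}
{"time":"2019-12-20T09:02:30Z","principal":"contractor-7","action":"GetObject","object":"finance/cards.txt","ip":"203.0.113.9"}
{"time":"2019-12-20T09:03:00Z","principal":"dev-1","action":"GetObject","object":"eng/design.md","ip":"10.0.2.8"}
"""

# Assumed policy for the example: which principals may read each sensitivity class.
ALLOWED = {"pii": {"hr-app"}, "payment": {"billing-app"}}


def audit_findings(log_text, plan, allowed):
    """Join audit events with the classification: flag reads of sensitive objects by
    principals outside the allow-list, and principals touching more than one class."""
    findings = []
    classes_touched = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        label = plan.get(ev["object"], {}).get("label", "unknown")
        if label not in allowed:
            continue  # internal or unclassified object: not in scope for this rule
        classes_touched[ev["principal"]].add(label)
        if ev["principal"] not in allowed[label]:
            findings.append(("unauthorized_read", ev["principal"], ev["object"], ev["ip"]))
    for principal, labels in classes_touched.items():
        if len(labels) > 1:
            findings.append(("bulk_sensitive_access", principal, sorted(labels)))
    return findings


if __name__ == "__main__":
    plan = plan_migration(INVENTORY, AS_OF)
    for path, decision in plan.items():
        print(f"{path:24} {decision['label']:8} -> {decision['action']}")
    for finding in audit_findings(AUDIT_LOG, plan, ALLOWED):
        print("FINDING", finding)
```

In practice the labels would come from your DDC tooling and the events from the provider's audit trail (CloudTrail, Azure Activity Log, GCP audit logs); the point of the sketch is the join between the two, since an access record is only alarming once you know the object it touched was classified as sensitive and who was supposed to be reading it.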

Lack of financial support and budgetary constraints
It’s hard to protect your data in the cloud if you lack financial support. About 61% of those who plan to uncloud said that their cloud security budgets didn’t increase in 2019, and 38% said that management doesn’t provide any financial support for cloud security initiatives. 

Best practice: You need to deliver the value of cloud security investments to your management. Specifically, you need to explain to management that a secure cloud is a great way to boost your business, while failure to protect sensitive data like customer PII can have negative financial impact, resulting in business downtime, costly data breaches, lawsuits, bad publicity and fines from regulatory bodies.

The best way to prevent disappointment with your cloud migration is to understand how much data you have, who has access to it and which data is most critical in your IT environment, so you can prioritize your security efforts and protect your data against compromise. Deep understanding of your data will also help you reduce cloud costs, as well as manage data more effectively by carefully choosing which data to migrate, which to leave on premises, and which to delete or destroy.

Article source: https://www.darkreading.com/cloud/organizations-may-uncloud-over-security-budgetary-concerns/a/d-id/1336670?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple