STE WILLIAMS

The Uphill Battle of Triaging Alerts

Prioritizing alerts is foundational to security, but almost every organization struggles to manage this process efficiently. Here’s what you can do about it.

As organizations increasingly shift focus to threat detection and response, there’s one issue that seems to get worse over time: alert triage. Prioritizing security alerts has been a critical function for security teams since the early 1990s — so why does it remain such a challenge decades later?

Security teams are overwhelmed by daily alerts from security information and event management (SIEM), endpoint detection and response (EDR), and other detection tools, mostly due to the sheer volume of alerts generated, which is growing all the time, along with a rise in low-quality alerts and false positives. Many teams find they can only analyze a fraction of the thousands of alerts that come in each day, leaving threats that often go unnoticed for months.

This problem is believed to have played a part in Target’s massive data breach in 2013. The company’s security team reportedly failed to take action after detecting potentially malicious activity. Experts speculated that Target had been receiving hundreds of alerts every day that were mistakenly dismissed as false. 

Alert triaging has become even more challenging over the past decade as the attack surface has grown. While Windows and Linux server threats were once the main focus of attackers, cloud, mobile and Internet of Things technologies have given rise to their own threat detection needs, leading to new massive piles of alerts. Alert triaging is foundational, yet almost every organization struggles to manage it efficiently. 

What’s standing in the way? Here are four issues:

Issue 1: Today’s environments are more diverse.
In the past, when nearly everyone ran the same server operating system, one firm could write a flowchart for responding to a given alert (what it targeted, what its history was), and that flowchart would apply to other organizations running the same system. Similar alerts could be handled the same way, which made the volume easier to work through.

But these days, security tools and IT environments can range from advanced deception tools and machine learning, to traditional IT, cloud and industrial IoT technologies. One organization may still use on-premises mainframes, while another may be cloud-native, which makes having a unified approach impossible. 

Issue 2: Many advanced threats don’t appear in alerts.
Even when you can successfully identify, analyze, and act on an alert, you must also account for the threats that you can’t see. Ransomware, for example, clearly announces itself, but the process for other crimeware (and especially for stealthy state-sponsored threats) isn’t as obvious. 

Sophisticated threat actors who can go undetected for long periods are on the rise. According to the Council on Foreign Relations (CFR), state-sponsored attacks increased 122% from 2014 to 2018, and attackers have found ways to evade detection by hiding in encrypted traffic, which the Electronic Frontier Foundation now says makes up more than half of total traffic on the Web. These attackers use TLS/SSL tunnels to sneak malware into the corporate network, hide command-and-control traffic, and exfiltrate data.

Even achieving alert triage perfection won’t make detection and response capabilities truly world-class because attackers will always find ways to adapt to new detection tools and methods. This is forcing security teams to actively hunt for threats, rather than merely gathering (and then clearing) alerts.

Issue 3: Automation and machine learning tools have limits.
To create alert playbooks, some security teams lean on security orchestration, automation, and response (SOAR) technology. But too often, they buy these tools without understanding the prerequisites or even the reasoning behind their implementation. I’ve seen a security leader authorize the purchase of a SOAR tool to avoid coding a playbook, only to discover that the first task after implementation was to define his playbook in the tool via Python.

Furthermore, many detection technologies produce a litany of false positives and fail to completely cover monitored assets. I’ve worked with several security professionals who have grown frustrated with new anomaly-based systems that produce vague and untraceable warnings. In some cases, machine learning (ML)-based systems have actually produced more false positives than legacy tools do.

While security teams increasingly rely on ML technology to solve alert problems, I’ve also seen many reports that ML-produced alerts can be more difficult to confirm in real security operations, as they often lack transparency and context. For instance, an ML tool may spot a behavioral outlier, but it’s unclear what the client should do next, where it should look, or who it should ask.  

Issue 4: If not robots, then what? 
“Security is a process, not a product.” This quote from Bruce Schneier still stands. In theory, the solution is simple: Hire a small but skilled security team to define, refine, and implement mature alert response processes and customize tools and workflows to address alert overload. But in practice, the cost of assembling an expert team makes this option less feasible for many organizations. What we need is a combination of human brains confirming the alerts that are prepared by the machines in a way that’s optimal for human decision.

To put this into practice, security teams should apply business context to alerts (what an alert's severity actually means for the asset and business process involved), involve owners outside of IT in the triage steps that need their knowledge, and actually work the alerts the system presents rather than letting them pile up. Otherwise, you run the risk of missing important alerts and becoming the next massive data breach to dominate headlines.
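As an added example (not code from the article), here is a small triage scorer that does what the paragraph above asks for: it weights tool severity by business context and by how often each rule has been right before, collapses duplicate firings into one case, and boosts cases where the same user trips more than one rule. The asset tiers, the per-rule precision figures and the five sample alerts are all constructed; in practice the tiers come from an asset inventory or CMDB and the precision figures from your own closed-case history.

```python
"""Added example (not code from the article): a small alert triage scorer
that applies business context and detection quality before a human looks.

Everything below is constructed for illustration: the asset tiers, the
per-rule precision figures and the five sample alerts.
"""
from collections import defaultdict

# Assumed business context: how critical each host is (3 = crown jewels).
ASSET_TIER = {"pay-db-01": 3, "dc-01": 3, "hr-fs-02": 2, "kiosk-17": 1}

# Assumed historical precision of each detection rule: the share of its past
# alerts that turned out to be true positives. The ML outlier rule is noisy.
RULE_PRECISION = {
    "edr.credential_dump": 0.85,
    "siem.brute_force": 0.30,
    "ml.behavioral_outlier": 0.10,
}
UNKNOWN_RULE_PRECISION = 0.20  # a rule with no history is treated as noisy

# Constructed sample alerts, as a SIEM might hand them over (severity 1-5).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "ml.behavioral_outlier", "severity": 2, "host": "kiosk-17", "user": "svc-print"},
    {"id": 2, "rule": "edr.credential_dump", "severity": 4, "host": "dc-01", "user": "jdoe"},
    {"id": 3, "rule": "siem.brute_force", "severity": 3, "host": "hr-fs-02", "user": "jdoe"},
    {"id": 4, "rule": "siem.brute_force", "severity": 3, "host": "hr-fs-02", "user": "jdoe"},
    {"id": 5, "rule": "ml.behavioral_outlier", "severity": 2, "host": "pay-db-01", "user": "svc-backup"},
]


def base_score(alert):
    """Tool severity alone is not a priority: weight it by what the asset is
    worth and by how often this rule has been right before."""
    tier = ASSET_TIER.get(alert["host"], 1)
    precision = RULE_PRECISION.get(alert["rule"], UNKNOWN_RULE_PRECISION)
    return alert["severity"] * tier * precision


def triage(alerts):
    """Collapse duplicates into cases, boost cases whose user also appears in
    a different rule's alert, and return the cases highest priority first."""
    # 1. Deduplicate: the same rule firing repeatedly on the same host/user
    #    is one case, not N tickets.
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["rule"], alert["host"], alert["user"])].append(alert)

    cases = []
    for (rule, host, user), members in groups.items():
        cases.append({
            "rule": rule, "host": host, "user": user,
            "ids": [m["id"] for m in members],
            "count": len(members),
            "score": base_score(members[0]),
            "correlated": False,
        })

    # 2. Correlate on the shared entity: a user who trips two different
    #    rules is more interesting than either alert on its own.
    rules_per_user = defaultdict(set)
    for case in cases:
        rules_per_user[case["user"]].add(case["rule"])
    for case in cases:
        if len(rules_per_user[case["user"]]) > 1:
            case["score"] *= 1.5
            case["correlated"] = True

    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        flag = "(correlated)" if case["correlated"] else ""
        print(f'{case["score"]:6.2f}  {case["rule"]:24} {case["host"]:10} '
              f'{case["user"]:11} x{case["count"]} {flag}')
```

On the constructed input the credential-dump alert on the domain controller comes out first, the pair of brute-force alerts becomes a single second-ranked case, and the two ML outlier alerts sink to the bottom despite being the same tool severity as each other, because one sits on a kiosk and both come from a rule with a poor track record. The scoring weights are deliberately simple; the point is that the inputs a human needs (asset value, rule track record, entity overlap) are attached before the queue is presented, not discovered by the analyst afterwards.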


Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished …

Article source: https://www.darkreading.com/threat-intelligence/the-uphill-battle-of-triaging-alerts-/a/d-id/1336233?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Before you high-five yourselves for setting up that bug bounty, you’ve got the staff in place to actually deal with security, right?

Bug-bounty pioneer Katie Moussouris has urged companies to hire the staff needed to handle vulnerability disclosures before diving headlong into handing out rewards.

Likening the process to digestion, the CEO of Luta Security said many companies launch bounty programs without the ability to properly process bug reports and use them to improve the security of their software beyond just patching over individual issues. As a result, developers end up receiving loads of reports for basic flaws, like denial-of-service or cross-site scripting errors, and paying out bounties, but don’t ever fix the root causes of those errors.

“It is like going to an all you can eat buffet without a working digestive system,” Moussouris told attendees of the Disclosure infosec conference in San Francisco on Tuesday. “Really unpleasant. I do not recommend it.”

Even penetration tests can be ineffective: customers may not have the in-house expertise to really understand the findings of a red-team and their recommendations. “When I was a professional pentester, certain clients were just checking a box,” Moussouris told The Register after her conference talk. “When we came back a year later, I just needed to change the date on the report.”

Requirements too high, talent pool too small

Part of the problem is the misconception that offering rewards for vulnerability discoveries, and opening your doors to bug-bounty hunters, is a silver bullet that will kill off all your security bugs. In too many cases, companies use the programs in place of hiring qualified staff who can root out flaws before code is pushed to production.

In reality, bounties should be just one item in a large shed of tools used by IT departments to defend their systems. It doesn’t help that some organizations running bug bounties for clients tend to market them as must-have programs.

“It is hard when bug-bounty companies are venture-capital backed, marketing heavy, and all they want you to do is the one thing they sell,” Moussouris said. “Bug bounties make more money the less secure you are.”

Another issue is the way companies view the lowest levels of their security staffing. In what has become a running joke of sorts in the infosec community, jobs labeled as “entry level” often ask for years of experience and arbitrary certifications. This not only leaves businesses short-staffed, but excludes a potentially massive pool of smart folks retraining or wishing to retrain from other industries, particularly women and minorities – groups who feel the deck is already stacked against them.

“We can’t fill all the security maintenance roles, the people who have to do the vulnerability management and bug fixing roles, with the number of professionals that exist today,” she told us, adding that people who can’t meet the ridiculous requirements for so-called entry-level jobs are an “untapped natural resource.”

Here is where Moussouris – who back in the day launched Microsoft’s first bug bounty scheme, and founded the Windows giant’s vulnerability research program – sees an opportunity for everyone to benefit. Companies wanting to throw cash at a bug-bounty program could put their budgets to better use by instead hiring professionals for true entry-level security roles, checking for and fixing bugs in-house, and making sure they don’t pop up again in new code.

Once the business has that structure in place, they will be ready to make full use of penetration testing reports and bug-bounty programs, she said.


Culture also plays a role

The infosec community needs to adjust its focus as well, according to Moussouris. In large part, the idea of the celebrity bug-hunter needs to give way to a more mature approach that emphasizes the defensive role of security rather than just finding ways to break things.

“It is about different labor types in security, and it is about changing this idea that all rock stars in security do is find holes,” Moussouris mused. “As you mature and look for more meaningful work, the idea should be you can have a career that progresses not just in destruction, but also in prevention.”

Then there is the matter of making routine security maintenance exciting again. Moussouris is tasking the security sector with glamming up things like software updates.

“We need to make it sexy to keep your servers up to date,” she said, “but more important than that, we need to make it so it is not just patching all the time.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/06/disclosure_bug_bounties/

CrowdStrike Adds New Products & Web Store Apps

Company introduces Falcon for AWS, Falcon Firewall Management, and third-party applications.

CrowdStrike has announced a series of updates to the Falcon Platform and the CrowdStrike Store, introducing Falcon for AWS and Falcon Firewall management while also adding third-party applications to the CrowdStrike Store.

The announcements, made at the company’s annual user conference, Fal.Con UNITE 2019, began with Falcon for AWS, which lets customers optimize their purchase for elastic workloads and deploy it with integrated metering and billing.

Falcon Firewall Management is a new module that provides centralized host firewall management for customers; the company says it’s intended to be of special use to those organizations making the transition from traditional on-premises firewalls to cloud implementations.

The CrowdStrike Store has added a number of third-party applications, including apps from Acalvio, Dragos, and RiskIQ as part of a stated intent to become a unified security cloud ecosystem of trusted applications.


Article source: https://www.darkreading.com/cloud/crowdstrike-adds-new-products-and-web-store-apps/d/d-id/1336276?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Siemens PLC Feature Can Be Exploited for Evil

A hidden feature in some newer models of the vendor’s programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.

Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens’ S7-1200 PLCs while studying its bootloader, which, among other things, handles software updates and verifies the integrity of the PLC’s firmware when the device starts up.

They found that an attacker using the special access feature could bypass the bootloader’s firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC’s processes.

Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.

“We don’t know why [Siemens has] this functionality,” says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. “Security-wise, it’s wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM.”

The researchers shared their findings with Siemens, which says it’s working on a fix for the vulnerability.

“Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory,” the company said in a statement provided to Dark Reading. “Customers will be informed using the usual Siemens ProductCERT communication channels.” 

A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its “experts are evaluating the alternatives.”

But it turns out there is a silver lining with the Siemens PLC special access feature: “It’s also useful for people like us who protect these devices. It provides for memory forensics of the PLC,” Abbasi says.

The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. “Siemens doesn’t let you see the content of the [PLC] memory, but you can do that with this special access feature,” Abbasi says.

The researchers built a tool that performs this forensic memory dump, which they will release at Black Hat Europe next month in London, where they will present their research findings.

What They Did
The researchers were able to write their own code to the PLC’s flash chip via its firmware update feature without the bootloader’s checksum feature detecting it. The question, they say, is how to mitigate this type of attack since malicious code would be embedded into the flash memory of the bootloader.

“It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means there’s no way to fix it,” Abbasi says.

That’s one reason the researchers wanted to release their tool for dumping contents of the firmware. “That then means an attacker can’t hide his existence” in the PLC, Abbasi says.

An attacker with physical access to the port, or by rigging the PLC while it’s being manufactured in the supply chain, could use this technique to read and write to the memory of the hardware. That would allow him or her to manipulate the operation of the PLC, providing phony measurements or other instrumentation data, for example.

“One of the main issues is there’s this notion of trust in a newly delivered PLC,” Scharnowski says.

He notes that it’s not the special access feature itself that allows you to read and write to the flash. “It’s a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it,” Scharnowski says. “If you can do that, then you can control the PLC fully.”
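The open question raised above, whether a software update can fix a check that lives in the same flash an attacker can write, comes down to what the integrity check actually depends on. As an added example (not the researchers' tool and not Siemens code), the block below contrasts a checksum stored next to the image with a keyed digest whose key the attacker cannot read. The image layout, the "ROM key" and both firmware payloads are constructed; nothing here describes the real S7-1200 bootloader format.

```python
"""Added example, not the researchers' tool and not Siemens code: why an
integrity check that recomputes a checksum stored in the same writable flash
as the image cannot detect an attacker who can write that flash, and what an
authenticated check (a keyed digest whose key the attacker lacks) changes.

The image layout, the 'ROM key' and both firmware payloads are constructed.
"""
import hashlib
import hmac
import struct
import zlib

# Hypothetical: a key readable only by bootloader code in mask ROM.
ROM_KEY = b"constructed-example-key-not-a-real-one"

GENUINE = b"\x7fELFgenuine-plc-firmware-payload"     # constructed
MALICIOUS = b"\x7fELFpatched-firmware-with-implant"   # constructed


# --- Variant A: image = CRC32(payload) || payload, all in writable flash ---
def build_crc_image(payload: bytes) -> bytes:
    return struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF) + payload


def crc_check(image: bytes) -> bool:
    """All a checksum-only bootloader can verify: stored CRC matches payload."""
    (stored,) = struct.unpack(">I", image[:4])
    return stored == (zlib.crc32(image[4:]) & 0xFFFFFFFF)


def attacker_rewrite_crc_image(new_payload: bytes) -> bytes:
    """An attacker with flash write access simply rebuilds the image;
    nothing in the check depends on anything the attacker lacks."""
    return build_crc_image(new_payload)


# --- Variant B: image = HMAC-SHA256(key, payload) || payload -------------
def build_auth_image(payload: bytes, key: bytes = ROM_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def auth_check(image: bytes, key: bytes = ROM_KEY) -> bool:
    """Verify the tag with a constant-time compare; a mismatch means the
    payload was changed by someone without the key."""
    tag, payload = image[:32], image[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def attacker_rewrite_auth_image(image: bytes, new_payload: bytes) -> bytes:
    """Same attacker: can overwrite the payload but can only keep (or guess)
    the tag, because the key is not in the flash they control."""
    return image[:32] + new_payload


def demo() -> dict:
    """Run both checks against a genuine and a tampered image."""
    crc_img = build_crc_image(GENUINE)
    auth_img = build_auth_image(GENUINE)
    return {
        "crc_genuine": crc_check(crc_img),
        "crc_tampered": crc_check(attacker_rewrite_crc_image(MALICIOUS)),
        "auth_genuine": auth_check(auth_img),
        "auth_tampered": auth_check(attacker_rewrite_auth_image(auth_img, MALICIOUS)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {'PASS' if ok else 'FAIL'}")
```

The tampered CRC image passes, the tampered authenticated image fails. Two caveats follow directly from the article: a symmetric key in ROM is only as good as its secrecy, and the memory-dump capability described above is exactly the kind of thing that can expose one, which is why production bootloaders usually verify an asymmetric signature with only a public key on the device; and the verifying code itself has to live somewhere the attacker cannot overwrite, which is the point Abbasi makes about a software-only fix.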

Props for Siemens Security
The researchers say they chose to study Siemens’ PLCs because it’s one of the market leaders and also because there’s little known publicly about the PLC’s operating system, Adonis.

While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.

“Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass,” Abbasi says. “They are doing a lot of good things that place them ahead of others in the embedded security domain.”

Even so, the researchers maintain there’s a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If there’s a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. “Customers deserve to know so in their risk calculation they can consider this risk as well,” Abbasi says.

The Ruhr University Bochum team’s work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to dupe and alter operations of the Siemens S7 programmable logic controller (PLC) after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key. 

And in 2016, Abbasi, then a Ph.D. candidate at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, created a PLC rootkit that could operate on any brand of PLC.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/siemens-plc-feature-can-be-exploited-for-evil---and-for-good/d/d-id/1336277?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Office for Mac 2011 users warned about SYLK file format

Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.

The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.

The second is that the CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a largely forgotten macro format called XLM (Excel 4.0 macros, no relation to XML markup) when it is embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).

It’s unlikely many people will have heard of either but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.

Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.

First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.

More seriously, in Office for Mac 2011, the default macro setting, disable all macros without notification, could allow an attack using XLM inside .slk files to slip through unnoticed: the macros execute and the user is never prompted.

The only alternatives are the clearly unwise enable all macros, or disable all macros with notification, which stops any macro from running automatically but informs the user each time it has to intervene.

Disable all macros without notification should be the safer of the two but, ironically, disable all macros with notification is the option that would warn of a malicious XLM/SYLK file.

Workaround

If you run Office for Mac 2011, the oversight will almost certainly never be fixed because, as already noted, this version is no longer supported and hasn't been getting updates for more than two years already.

A workaround of sorts is to change the default macro setting to disable all macros with notification, which is done by opening Excel and choosing Preferences > Security & Privacy > Disable all macros with notification.

The downside is that it raises the chances of a standard malicious VBA macro executing, because the user is now asked each time and may make the wrong decision.

As for newer versions of Office for Mac, according to CERT/CC, Microsoft fixed the execution oversight in Office 2016 and Office 2019, which means these versions should be safe in their new default disable all macros with notification state.

However, according to the same researchers, that might not be the case if the later ‘fixed’ version (Office for Mac 2016, say) was installed over an older version, in which case the vulnerable mapping and default notification appears to be inherited.

We can’t confirm this but it’s worth bearing in mind if you upgraded from Office for Mac 2011 to a later version.

Windows and beyond

Although the problem is specific to one version of Office on the Mac, there's no reason why malicious XLM/SYLK files couldn't in principle be used to target Windows versions too.

On Windows, you can use the Office Trust Center to block SYLK files on the basis that if the format is not being used it won’t be missed.

While you’re about it, you might as well block .SLK files at your network gateway, too, whether they’re delivered as email attachments or web downloads, especially if you have Mac users, who don’t have access to the Office Trust Center feature.
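A gateway rule keyed only on the .slk extension is easy to sidestep, because Excel recognises the format from the leading ID record rather than the file name (the familiar "SYLK: file format is not valid" error on a CSV that happens to begin with ID comes from the same sniffing). As an added example, not code from the article or from the researchers it cites, here is a content-based scanner that a mail gateway or download proxy could run on any attachment: it identifies SYLK by its header and flags the XLM macro-sheet markers, auto-run names and formula cells described above. The record meanings listed in the docstring are my reading of the SYLK format, not something the article states, and both sample files are constructed.

```python
"""Added example, not code from the article or from the researchers it cites:
a content-based scanner that flags SYLK files carrying Excel 4.0 (XLM) macro
content, for a mail gateway or download proxy.

Assumed SYLK record meanings (my reading of the format, not from the article):
  ID;...        file header, always the first record
  O;...;E       options record; the E flag marks the sheet as a macro sheet
  NN;N<name>    defined name; Auto_Open / Auto_Close run without a click
  C;...;E<f>    cell record whose E field holds a formula <f>
  ';;'          an escaped semicolon inside a field
Both sample files below are constructed.
"""

DANGEROUS_XLM = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(", "RUN(", "FOPEN(")
AUTO_NAMES = {"AUTO_OPEN", "AUTO_CLOSE", "AUTO_ACTIVATE"}

MALICIOUS_SLK = b"""ID;P
O;E
NN;NAuto_Open;ER1C1
C;X1;Y1;EEXEC("calc.exe")
C;X1;Y2;EHALT()
E
"""

BENIGN_SLK = b"""ID;P
C;X1;Y1;K"Quarter"
C;X2;Y1;K1
C;X3;Y1;K2
E
"""


def looks_like_sylk(data: bytes) -> bool:
    """Decide by content, not by extension: the header record is 'ID;'."""
    return data.lstrip().startswith(b"ID;")


def split_record(line: str) -> list:
    """Split a record on ';' while keeping escaped ';;' inside fields."""
    return [f.replace("\x00", ";") for f in line.replace(";;", "\x00").split(";")]


def scan_sylk(data: bytes) -> dict:
    """Walk the records and collect every macro-related indicator."""
    findings = {"is_sylk": looks_like_sylk(data), "macro_sheet": False,
                "auto_names": [], "formulas": [], "dangerous": []}
    if not findings["is_sylk"]:
        return findings
    for line in data.decode("latin-1").splitlines():
        fields = split_record(line.rstrip("\r"))
        rtype = fields[0].strip()
        if rtype == "O" and "E" in fields[1:]:
            findings["macro_sheet"] = True
        elif rtype == "NN":
            for f in fields[1:]:
                if f.startswith("N") and f[1:].upper() in AUTO_NAMES:
                    findings["auto_names"].append(f[1:])
        elif rtype == "C":
            for f in fields[1:]:
                if f.startswith("E"):
                    formula = f[1:]
                    findings["formulas"].append(formula)
                    if any(fn in formula.upper() for fn in DANGEROUS_XLM):
                        findings["dangerous"].append(formula)
    return findings


def verdict(data: bytes) -> str:
    """Gateway policy: a macro-sheet marker, an auto-run name or a known
    dangerous XLM function blocks outright; other formulas go to review."""
    f = scan_sylk(data)
    if not f["is_sylk"]:
        return "not-sylk"
    if f["macro_sheet"] or f["auto_names"] or f["dangerous"]:
        return "block"
    if f["formulas"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SLK), ("benign", BENIGN_SLK)):
        print(name, verdict(blob), scan_sylk(blob))
```

The function list is deliberately short and should be treated as a starting point, not a complete signature set: the decisive signals are the macro-sheet flag and the auto-run names, because a SYLK file that legitimately exchanges spreadsheet data has no reason to carry either.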

In recent times, forgotten, obscure or downright obsolete file formats have turned into a nuisance for email and office application users, with attackers mining them for their malicious potential.

Blocklists are a handy defence, with Microsoft recently putting another 38 old formats out to pasture to help reduce the attack surface.

But every time they add to the list, someone finds another one that might cause trouble. These formats have taken decades to build up – getting rid of them might take almost as long.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HjBh551ovHI/

Concerns raised over privacy and security of UK Home Office’s £842m biometrics programme

An independent ethical advice group has raised concerns about the UK Home Office's £842m Biometrics programme, due to go live next year, which will store millions of people's highly sensitive biometric data. (Updated below.)

In 2017 the Home Office tasked the National DNA Database Ethics Group to expand its remit to cover the use of forensic identification techniques, including facial recognition technology and fingerprinting in government.

On Monday the Biometrics and Forensics Ethics Group (BFEG) released its first annual report dated 2017. The Register has asked the body why it appears to be two years late.

In it, the body expressed concerns over the Home Office Biometrics (HOB) programme, designed to deliver “a unified biometric service for the government that is effective, adaptable, efficient, proportionate and lawful”. The programme consists of three main modalities: DNA; fingerprint identification; and facial recognition.

During the year the working group said it identified a number of potential issues resulting from the programme.

These included:

  • the complexity and risk associated with the transfer of data from one system to another
  • the protection of the public when data was transferred
  • whether the combination of datasets would result in individuals gaining greater access to data than was originally intended
  • the sensitivity of both data and metadata
  • ensuring that checks were not skipped, despite tight deadlines.

In its recommendations it said it would be “necessary to explore the aggregated implication” of interactions between the Home Office National Law Enforcement Data Programme (NLEDP), the Home Office Biometrics (HOB) programme, and projects to upgrade the Emergency Services Network and Automatic Number Plate Recognition system as “these may interact with each other in the future”.

In October the Home Office awarded US company Leidos a £300m, 10-year deal to connect the Home Office’s legacy IDENT1 for UK police forces and law enforcement with the Immigration and Asylum Biometrics System (IABS).

The report also recommended that the “public should be informed of the boundaries of [Metropolitan Police Service’s] facial recognition trials project and its future uses. The MPS should be explicit, open and proactive in stating that it was not to be used to gather intelligence covertly or to generate a soft watch list using social media.”

It also said a public consultation should be conducted, prior to the next scheduled custody images review [in 2020], to ascertain the views of the public in relation to the retention and use of custody images.

Earlier this year researchers found MPS’s use of facial recognition to be highly inaccurate and of dubious legality.

There are now around 21 million shots of faces and identifying features like scars or tattoos in the custody image database. This includes images of people who haven’t been charged with a crime because – unlike the UK’s DNA or fingerprint databases – these images are only removed if someone requests it.

“Future IT systems should allow for the centralised storage and automatic deletion of custody images. The retention regime governing these IT systems should be agreed prior to the development of new technology.”

The Register has asked the Home Office for comment. ®

Updated to add

Mark Watson-Gandy, newly appointed chair of the BFEG, told The Register: “The report covers a period of transition for the group during which it expanded from the National DNA Database Ethics Group to the Biometrics and Forensic Ethics Group.

“The change was associated with an increased remit from the consideration of ethical issues in the use of DNA to the ethical impact of the capture, retention and use of all biometric identifiers including, but not limited to; DNA; facial recognition; fingerprints; and footwear.

“Transition of the group and turnover of staff has delayed the publication of this report. The second annual report from the Biometrics and Forensic Ethics Group will be published once parliament returns and will provide an update on the recommendations given in the 2017 report.”


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/05/concerns_raised_over_privacy_and_security_of_home_offices_842m_biometrics_programme/

‘Peregrine falcon’-style drone swarms could help defend UK against Gatwick copycat attacks

The British government has funded 18 anti-drone projects as part of its £2m push to stop a repeat of the Gatwick drone fiasco of 2018 – including a friendly drone swarm that will employ “peregrine falcon attack strategies” to down errant unmanned flying things.

Among the ideas that have scooped up to £800,000 each in funding for further development are plans to use machine learning to train cameras and other sensors on what a small drone looks like to aid early detection, as well as direction-finding of 4G and 5G-controlled drones.

In addition, one plan includes “low risk methods of stopping drones through novel electronic defeat or interceptor solutions”. That is, jamming a rogue drone or flinging something into it to knock it out of the sky.

One wacky firm is working on a counter-drone swarm that will use “peregrine falcon attack strategies”.

Funded by the Defence and Security Accelerator (DASA), as we reported in April, the competition is intended to bulk out the British state’s ability to KO unwanted drones at will, whether they’re being flown near the country’s second-busiest airport, dropping drugs into prisons, flying over sports stadiums and livestreaming fixtures, or anything else naughty you can think of.

More seriously, the Armed Forces are increasingly worried about the threat from drones, as was demonstrated by the first ever landing of what the MoD now calls “aerial vehicle systems” aboard new aircraft carrier HMS Queen Elizabeth.

DASA’s David Lugton said in a canned quote: “The threat from UAS [unmanned aerial systems] has evolved rapidly and we are seeing the use of hostile improvised UAS threats in overseas theatres of operation. There is a similar problem in the UK with the malicious or accidental use of drones becoming a security challenge at events, affecting critical infrastructure and public establishments; including prisons and major UK airports.”

Around 90 bids were received for the DASA funding, said the organisation.

Among the successful bidders were defence multinationals BAE Systems, Northrop Grumman, Thales and MBDA, all with various similar proposals for radar and sensor systems intended to pick up small drones, as well as privatised British defence research establishment Qinetiq, which is working on an electromagnetic death ray “hard kill for disrupting the UAVs’ on-board electronics”.

Phase 2 of the competition begins next year, with the intent being to develop the 18 shortlisted ideas into something usable by military and police agencies alike. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/05/peregrine_falcon_style_attack_drone_swarm_mod_dasa/

Proofpoint Acquires ObserveIT to Bolster DLP Capabilities

The $225 million acquisition will help Proofpoint expand its data loss prevention capabilities with email, CASB, and data at rest.

Proofpoint today confirmed plans to acquire ObserveIT in a $225 million cash transaction. It plans to use the insider threat management platform to build out its data loss prevention (DLP) capabilities to respond to threats in cloud applications, email, and lightweight endpoint agents.

ObserveIT offers endpoint agent technology and data risk analytics. Proofpoint plans to expand its technology into a new DLP platform designed to join email, cloud access security brokers (CASB), and data at rest into one tool. Its idea is to improve teams’ real-time detections of suspicious activity across more data, people, devices, and applications as employees use more devices and services to do their jobs.

“More and more users are accessing corporate data from endpoint off the corporate network in both sanctioned and unsanctioned cloud apps,” wrote Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, in a blog post on the acquisition. As they do, companies demand new controls to understand where and how users interact with their data.

This new integrated tool will be part of the Proofpoint information protection suite and is predicted to be available in 2020. The acquisition is expected to close late in the fourth quarter of 2019, pending customary closing conditions and regulatory approvals.

As part of the deal, Proofpoint will also invest in ObserveIT’s insider threat management platform, which will continue to be available. Current users will have access to Proofpoint’s broader threat intelligence and R&D resources as ObserveIT continues to work on the platform.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How HR and IT Can Partner to Improve Cybersecurity.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/proofpoint-acquires-observeit-to-bolster-dlp-capabilities/d/d-id/1336270?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The State of Email Security and Protection

Phishing and ransomware top the list of security risks that organizations are not fully prepared to deal with.

Email security continues to be top of mind for organizations as attackers become more devious in how they conduct their attacks. Companies face evolving threats, which are often extremely personalized and mimic common real-world emails they receive. To better understand the climate of email security, Barracuda surveyed 660 IT professionals across various industries and locations on the impact of phishing.

An Increased Sense of Confidence
Sixty-three percent of professionals report that their organization’s data and systems are more secure than they were one year prior. Among the three regions surveyed — America; Europe, the Middle East, and Africa (EMEA); and the Asia-Pacific region (APAC) — APAC reported the highest sense of security (70%), while EMEA reported the lowest (52%). Although this rise is likely caused by an increased security presence and education practices, if an organization lacks the tools to detect these threats, it may be superficial.

Despite an overall positive outlook, phishing and ransomware top the list of security risks that organizations are not fully prepared to deal with, along with spearphishing, malware, viruses, data loss, spam, smishing (that is, phishing via text message), email account takeover, and vishing (phishing via phone). Only 7% of organizations are not worried about any of these risks. In fact, email threats continue to proliferate and have a major impact. On average, 82% of organizations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region.

Loss from a Breach Is More Than Financial
In addition to 74% of organizations reporting that email security attacks have had a direct business impact, they are also affecting the personal lives of IT security professionals, with nearly three-quarters experiencing higher stress levels, worrying outside the office, and being forced to work nights and weekends. APAC reports the highest levels of personal impact from email security attacks.

In addition, an overwhelming 78% of organizations say the cost of email breaches is increasing, with one-fifth saying they are increasing dramatically. Identifying and remediating threats, communicating with those affected, business interruptions, and IT productivity losses are all factors, as well as potential data loss, regulatory fines, and brand damage.

As a result, 66% of respondents claim that attacks have had a direct monetary cost on their organization in the last year. Nearly a quarter (23%) say attacks have cost their organization $100,000 or more.

Employee Education
In conjunction with the previously noted increase in a sense of security, employees continue to play an integral role in their company’s security. Ninety-four percent of organizations say employees are reporting suspicious emails to IT on a daily basis, but 58% say most emails reported to IT aren’t actually fraudulent. More than three-quarters (79%) of organizations say their employees aren’t good at spotting suspicious emails for a number of reasons, which shows a lack of readiness to spot email threats.

Only 21% say that the employees do a great job of alerting IT to suspicious emails only when needed. Additionally, 18% report that their employees were careless and did not recognize obviously suspicious emails.

These findings are concerning because phishing emails that prey on the poor security awareness of end users are one of the most common ways for attackers to deliver malware and steal data from organizations. Plus, reporting the wrong types of emails only wastes the time of already-stretched security teams. In addition to better awareness training, improved tools are needed to filter potentially dangerous emails and ensure they never make it into the inboxes of end users in the first place.

Phishing and Malware Are Common
Email security is a challenge because there are several types of threats that are commonly seen. With increased security technology, attackers are using more personalized methods to engage with victims, often bypassing traditional security systems.

Phishing remains top of mind, as 43% of organizations have been the victim of a spearphishing attack in the past 12 months. Seventy-five percent of security professionals have personally received training on phishing in the last year, which is much needed because 70% of organizations have experienced a variety of direct business impacts as the result of these attacks.

Furthermore, most IT professionals (79%) say they are worried about attacks and breaches stemming from inside the organization. Their fears are valid: A hacker could compromise an employee’s email account via spearphishing and use it to target others with business email compromise attacks or phishing emails that appear very authentic.

In addition to phishing threats, an overwhelming 90% of Office 365 users have security concerns. Eighty-six percent of organizations agree that third-party email security solutions are essential for keeping an Office 365 environment secure.

The Future of Email Security
Email threats will continue to evolve at the same time as protection methods become more advanced. Organizations must keep email security in the forefront of their efforts and ensure that employees are educated and aware.


Mike Flouton is vice president for Barracuda’s email security business. In this role, he oversees product management for Barracuda’s portfolio of email security solutions: Barracuda Total Email Protection, Barracuda Essentials, Barracuda Sentinel, and Barracuda PhishLine.

Article source: https://www.darkreading.com/endpoint/the-state-of-email-security-and-protection/a/d-id/1336229?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Tips for Building Compliance by Design into Cloud Architecture

A pair of experts pass along lessons learned while building out the team and processes necessary to support Starbucks’ mobile app.

Image Source: Adobe (blackboard)

Image Source: Adobe (blackboard)

Among the speakers at last week’s (ISC)2 Congress were a pair of security and compliance leaders who helped build out a major cloud project for Starbucks. Matt Wells and Scott Schwan, founders of compliance automation startup Shujinko, were called on by Starbucks several years back to build out the team and processes necessary to support Starbucks’ mobile app with fully PCI-compliant and secure cloud architecture measured against standards established by the Center for Internet Security (CIS).

“Basically, in about nine to 12 months, with 20 engineers, we were able to build a highly automated, scalable, repeatable environment that Starbucks could use to back everything they’d want to roll out, and they used that as a foundation to then start moving other applications to the public cloud,” explained Wells, who serves as CTO.

Wells and Schwan, CEO, delved into the details of their work at Starbucks to offer the crowd tips on how to bake compliance into their own cloud architecture and scale DevSecOps in the process. We offer the highlights from their insights, in their own words.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/10-tips-for-building-compliance-by-design-into-cloud-architecture/d/d-id/1336240?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple