STE WILLIAMS

This year, it seems like you can hardly turn around without bumping into some commentary on a breach. There’s expert analysis on every blog. The trade press eats up controversy stirred up by responses. Twitter trends. My inbox fills up with quotes and offers to hear more about the breach.

It’s all bad news, so it seems. But every cloud has its silver lining, and in the face of most breaches, the good news is pretty simple: It wasn’t you.

The reality is that a significant number of high-profile (and target-rich) organizations rely on the same vulnerable software that caught whoever the latest victim was with its security pants down. Many more outside that list probably do, too. You, for example.

But even if you have already inventoried your applications and breathed a sigh of relief at not finding anything potentially dangerous lurking under the surface, you aren’t out of the proverbial woods. There are tons of research reports about vulnerabilities and, no matter which you look at it, there is always a gap between the time a vulnerability is disclosed and when an organization applies the appropriate patches.

Some of those vulnerable systems are likely to be running in your data center right now.

Go ahead, I’ll wait while you check.

While you’re checking, you should also take stock of your application protection strategy. You see, at the heart of the many of vulnerabilities lies the truth that it could have been prevented by a comprehensive application protection strategy. We can argue all day about the existence of the vulnerability and the security practices employed by open-source software, but the reality is that a whole lot of software — third-party, open-source, closed-source, custom developed — is vulnerable. And we’ve seen many of those vulnerabilities lie dormant in software for years before being exploited. Shellshock, anyone?

In fact, just as you ought to assume you will be subjected to a DDoS attack, you ought to operate on the assumption that somewhere in an application there is a vulnerability waiting to be exploited. With that in mind, you can attack the problem by having the right mindset and answering two questions:

1. How do I prevent the vulnerability from being exploited?
2. If it is exploited, how do I detect it?

Prevention: Proactive Security
The answer to question one is to embrace a proactive approach. Patching is table stakes. It’s probably past time you audited your policies and processes with respect to patching, so if you haven’t done that lately, do it now. In addition, you should also be putting into place protections that help you strictly adhere to Security Rule Zero:

THOU SHALT NOT TRUST USER INPUT. EVER.

We’ve seen too many breaches that were ultimately triggered by unfiltered, unsanitized user input. In other words, the developers simply pass user input to frameworks, libraries, and even other code of their own without ever giving it a second glance. That’s how SQL injection happens. That’s how cross-site scripting happens. That’s how breaches happen.

The number of breaches that can be traced to the violation of Security Rule Zero boggles my mind. To prevent it, you need to seriously focus on secure development practices and—because we know that can fail, too—employ a Web application firewall (WAF) to assist in sanitizing data. Here’s a helpful tip from Lori: the WAF has to be active. Learning mode is great for, well, learning the app and fine-tuning policies. But if you don’t actually let the thing do its job, you’re not mitigating risk.  You’re just helping to encourage a false sense of security.

Be proactive. Adopt Security Rule Zero and enforce it everywhere.

Detection: Reactive Security
Question two (If it is exploited, how do I detect it?) assumes that even if you faithfully follow Security Rule Zero, still somehow an attacker made it through and has managed to obtain sensitive data. That’s data like account numbers and personal identifiable information (PII) such as social security numbers and login credentials.

There is still time to stop the breach from happening because a breach doesn’t actually happen until that data leaves your network. Inspecting outbound data is a critical component of a comprehensive app protection strategy. That means inspecting outbound responses for sensitive data. That’s data leak prevention solutions. A WAF can do it. A programmable proxy can do it. And I’m sure there are other solutions out there that lie in the data path and can detect the presence of sensitive data indicative of a breach in progress.

Inspecting outbound responses for size of content can also be a boon in detecting a successful exploit. If you know the response to a given URL is supposed to return exactly one record with approximately 4K of data, then a content response size of 64K ought to raise an alarm somewhere. Again, a WAF or programmable proxy can detect this kind of anomalous behavior and more importantly, do something about it.

The good news is (hopefully) you weren’t breached, and you have time to do something about the existential possibility that you will be at some point. Not being a “high profile” site doesn’t protect you anymore. Automation and the rise of botnets means attackers are getting more efficient in seeking out and exploiting more and more organizations because, these days, it costs them almost nothing to scan and attack.

You absolutely should patch everything you can. But just as importantly, you should have a serious and actionable application protection strategy that covers both directions — in and out. Security Rule Zero is not an option anymore. 

Be proactive. Be reactive. Most of all, be active and involved in securing your apps and the platforms they rely on.

Get the latest application threat intelligence from F5 Labs.

Lori MacVittie is the principal technical evangelist for cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5’s entire product suite. MacVittie has extensive development and technical architecture … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/f5/the-good-news-about-breaches-it-wasnt-you-this-time/a/d-id/1330378?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Qualys has agreed to acquire certain assets of NetWatcher for an undisclosed amount of cash, the company announced Nov. 29. It plans to integrate NetWatcher’s technology into the Qualys Cloud Platform.

NetWatcher offers a system built on open-source components, which combine asset discovery, vulnerability management, intrusion detection, behavioral monitoring, SIEM, log management, compliance reporting, and continuous threat intel. Over the next 12 months, Qualys plans to leverage these tools in its cloud security system.

The Netwatcher team will join Qualys as part of the acquisition. CEO Scott Suhy will become vice president of strategic alliances and business development; CTO and founder Kenneth Shelton will become vice president of engineering and real-time threat correlation platform.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/qualys-buys-netwatcher-assets-for-cloud-based-threat-intel/d/d-id/1330523?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

INSECURITY CONFERENCE 2017 – Washington, DC – Defending the enterprise is increasingly getting complex, with cloud, mobile, and IoT services expanding the potential attack surface and yet IT security budgets may remain constrained to address new threats, Arun DeSouza, CISO and privacy officer with Nexteer Automotive, said in a presentation here today.

But a number of free, or low-cost, tools exist to help security teams deliver a strong defense and remain within their budget, according to DeSouza, who offered tips on this topic. “We are in the fourth industrial revolution and there is great opportunity, but also more risk,” DeSouza said.

Here are five free, or low-cost, security tools to extend a security budget:

• Bloodhound, a new open source pen test tool for Microsoft’s Active Directory environment. “This is a cool tool that identifies attack paths, so you can see how to shut them down,” DeSouza said.
• Nikto, an open source Web server scanner. “It’s a powerful tool that can scan over 65,000 known vulnerabilities,” DeSouza said.
• Reputation Monitor, a free service from AlienVault that conducts threat analysis. “If your public IPs and domains are compromised, it will alert you,” DeSouza said.
• Ghostery, a free browser extension for private web browsing. “It’s another way to sanitize data,” DeSouza noted.
• Google Authenticator, a two-step verification code generator. “Companies that don’t have an identity management framework in place can get a higher level of protection with this,” DeSouza said.

Related Content:

• 10 Free or Low-Cost Security Tools
• 10 Steps for Stretching Your IT Security Budget
• Gartner: Cybersecurity Spending Worldwide to Hit $86.4 Billion This Year

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/mobile/5-free-or-low-cost-security-tools-for-defenders/d/d-id/1330520?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

INSECURITY CONFERENCE – Washington, DC – Greg Touhill encouraged his audience of security leaders, whom he dubbed “the cyber neighborhood watch,” to swap war stories and lessons learned during his keynote at Dark Reading’s inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who “speak a different language than we do,” he explained.

“I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff,” said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill’s lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can’t explain what it means or how much it’s worth. It’s tough to know where to prioritize security if you don’t know which data is most valuable.

“Information is one of the most valuable assets any business, any operation has,” Touhill emphasized. “Look at your infrastructure, look at how you architect. Know the value of your information and don’t try to defend everything. Defend what you need to defend.”

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. “A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud,” he pointed out.

Touhill’s lessons extended to security employees. “Humans fail all the time,” he said, but you can bring down the risk of catastrophic events by training people and making sure they’re appropriately resourced. Hardening the workforce is “critically important.”

“People are your weakest link but also your greatest assets,” Touhill continued. It’s up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to “think like a hacker” and “be very suspicious.”

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven’t taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and “be skeptical.” Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

“We’re raising a generation of folks who are freely surrendering their privacy – your privacy – by giving up information and not recognizing the value of it,” Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren’t mastering basics or being consistent. “How many times has someone gotten breached and left the backdoor open?” he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they’re not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also “be prepared for a really bad day,” he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don’t.

In the best organizations, everyone participates in cyber exercises and drills – even the boards and the CISOs. “A bad day is going to come for each and every one of us,” Touhill emphasized.

Related Content:

• Why Security Depends on Usability — and How to Achieve Both
• Developers Can Do More to Up Their Security Game: Report
• 8 Low or No-Cost Sources of Threat Intelligence
• Time to Pull an Uber and Disclose Your Data Breach Now

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/first-us-federal-ciso-shares-security-lessons-learned/d/d-id/1330519?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security and usability are a zero-sum game. Effective security has to come at the expense of usability, and vice versa. That’s the way it always has been, and so it always will be. Right?

Well, not necessarily — in fact, not at all. In the real world, any security initiative that degrades usability will lead to unintended consequences — user workarounds, rejection by the business — that make it less effective. The highest levels of security can be achieved only with an equally high level of usability.

Rapidly improving technologies and methods are making it more feasible than ever to achieve the best of both worlds: effective security with a better user experience. The first step is to reframe your objectives. “Perfect” security isn’t perfect if it makes the product or solution unusable. Instead, your goal should be to satisfy your security requirements while maximizing usability — and thus ensure that your methods will deliver effective protection as intended. Here’s how.

The Department of Yes
Security is rightly seen as a mission-critical requirement — something that must be built into your products and your business. Traditionally, this has led to security teams operating as the Department of No. Developers submit their code to the application security team and get back a list of no-no’s to be cleaned up. Business users seeking access to cloud services, new software, and third-party integrations are told “No — it’s not secure.” The message is clear: security is a constraint, not an enabler. If you want to get something done, the last thing you want to do is ask permission. The result is shadow IT, where users (and developers) do whatever they want without working through official channels, and without the scrutiny of the Department of No.

It’s easy to see how this leads to a much less secure state of affairs. Operating with the default stance of “no” creates a scenario where users, operators, and developers actively avoid the help and influence of those who best understand security requirements. 

Customers and Users Care about Features — not Security
The past is littered with examples of developers and businesses that placed a premium on security without considering usability and ended up with failure. For example, look no further than the ubiquitous login and password.

Login-based security has been around for decades and has been the target of hackers for nearly as long. Its familiarity makes it easy to overlook its poor design, but in reality, it’s one of the worst authentication methods currently available. Even before the advent of mobile devices, users routinely weakened the passwords they used in order to be able to type them quickly or remember them easily. They chose simple-to-guess words or strings (which were equally simple to brute-force), and reused them everywhere.

With the introduction of mobile keyboards, typing speed has dropped drastically. On a full-size laptop keyboard, the average person types approximately 38 to 40 words per minute (WPM). On an iPad, that number drops, and on an iPhone, the average probably drops further, to 20 WPM. It’s getting harder to enter text as passwords, making it even more tempting to use the shortest, simplest password possible.

Fortunately, we’re finally seeing better alternatives for user authentication. But how many hacks on logins have been executed in the meantime?

The Goal: Security Controls That Enhance the User Experience
Layering in usability as a principle of security design helps ensure that controls aren’t bypassed, ignored, or dumbed down in trade for convenience, increasing the level of effective security. One way to connect security controls with usability is by leveraging data and context. Again using authentication as an example, there has been significant innovation where contextual data such as location, device fingerprint, retina, eye-tracking, fingerprint, and even heartbeat enable more user-friendly authentication.

The goal of any security control should be the best security that can be implemented while enhancing the user experience for the technology being secured. Many times, this will come in the form of security invisibility, but sometimes it’s simply a matter of lessening the interface burden on the user. People may balk at memorizing an endless number of long, complex passwords, but a quick biometric input, complemented behind the scenes with device, time, and location analytics, can be accepted painlessly without a second thought.

Minimum Viable Security
To help product designers, developers, and business owners create secure solutions while focusing on usability, I propose a concept I call “Minimum Viable Security.” 

Let’s look at security as a continuum from “no security” to “perfect security” and overlay that with two circles. In one circle, we have levels of security that people will accept in their products before this degrades the usability to an unacceptable degree. In the second circle, we have the levels of security deemed acceptable by security stakeholders. The overlap between these two represents the point where customers and users will accept the solution, and security team members will be satisfied that it meets their requirements. This is the target we’re aiming for: the point of minimum viable security, where the solution provides both viable security and maximum usability.

By embracing this concept, businesses can build solutions, applications, and products that provide effective security while maximizing value and utility for customers and users. Security teams can respond more meaningfully to requests for new technologies and services; instead of simply saying no, they can provide guidance for meeting security requirements without impairing usability. When the focus shifts from perfect security to viable security, and usability is treated as an equally vital design priority, organizations can meet the needs of users and the business.

Perhaps most importantly, this more nuanced approach can help reaffirm the credibility of the security team within the organization. Developers and users become more willing to work through proper channels, increasing visibility and control for security teams by reducing the drivers of shadow IT. The security strategy becomes fully operational, not aspirational — and the business gets the protection it needs. 

Related Content:

• 10 Time-Consuming Tasks Security People Hate
• Let’s Take a Page from the Credit Card Industry’s Playbook
• Who Am I? Best Practices for Next-Gen Authentication

Tyler Shields is Vice President of Marketing, Strategy, and Partnerships at Signal Sciences. Prior to joining Signal Sciences, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrest Research. Before Forrester, he managed mobile … View Full Bio

Article source: https://www.darkreading.com/risk/why-security-depends-on-usability----and-how-to-achieve-both/a/d-id/1330485?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple