STE WILLIAMS

Estonia government locks down ID smartcards: Refresh or else

The Estonian government is suspending the use of the Baltic country’s identity smartcards in response to a recently discovered and wide-ranging security flaw.

Residents of the Baltic country will still be able to use the smartphone equivalent of the technology, which is used to access government services and online banking. Use of eResidents cards will be suspended from midnight tonight until holders re-up their certificates. The move will affect holders of more than 750,000 ID cards who have not yet been able to update their certificates, according to local reports.

e-Residency managing director Kaspar Korjus apologised for any hassle caused by the suspension in a blog post on Medium here.

“There are still no known incidents of an Estonian digital ID card being misused, but the threat has been elevated so previous certificates containing the vulnerability will be suspended tonight at 24:00 on Friday 3 November,” Korjus explained. “Smart ID can provide uninterrupted access to e-services such as banking, but must be activated now while certificates are active.”

Gareth Niblett, a security consultant who holds Estonian residency, told El Reg: “Risk assessment determined likelihood of cracking higher, so forcing certificate updates out of abundance of caution. Estonian Mobile-ID Smart-ID remain secure usable. eID Digi-ID/eResidents cards need to update their certificates to continue using.”

Estonia is a pioneer in providing government services online to its population of around 1.35 million. Acceptance of and trust in the technology is widespread, so the need to update cards will likely be regarded as an inconvenience rather than something that might undermine longer term confidence.

Issues with ID cards in Estonia are the result of a wide-ranging cryptographic vulnerability. RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and therefore need to be regenerated with stronger algorithms. The security weakness stems from faulty crypto libraries bundled with Infineon TPMs – AKA trusted platform modules. Research on the security weakness came out last month after it had been disclosed to relevant vendors and after a series of updates had already been pushed out. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/03/estonian_e_id_lockdown/

Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe

Senior Equifax executives sold their shares in the credit agency just before its stock price plunged when the world was told it had been thoroughly hacked.

The US biz has since probed the transactions, and you’ll all be extremely pleased to learn of that investigation’s conclusion: that there was no wrongdoing, nothing untoward, and it was all completely above board.

Sometime mid-May, miscreants exploited a vulnerability in one of Equifax’s websites – specifically, a bug in an installation of Apache Struts 2 for which a patch was available but was not deployed by Equifax IT staff – to infiltrate its internal systems. As a result, sensitive personal information on roughly 150 million people in the US, UK, Canada, and beyond was slurped from the agency’s databases.

The cyber-break-in was detected on July 29. Funnily enough, a couple of days later, four top managers – chief financial officer John Gamble; president of US information solutions Joseph Loughran; president of workforce solutions Rodolfo Ploder; and senior veep of investor relations Douglas Brandberg – flogged their company stock to the tune of about $1.8m.

On September 7, about a month later, Equifax publicly confessed it had been hacked. Its share price promptly did this:

Crash … Equifax shares slump on news of mega-hack (Source: Google Finance)

The stock offloading did not go unnoticed. The biz drafted in a panel of three directors from other firms to review the share sales, and they have ruled there was no evidence of insider dealing. Trebles all round.

“The special committee has determined that none of the four executives had knowledge of the incident when their trades were made, that pre-clearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading,” the investigating trio revealed today.


Of the aforementioned execs who sold their shares, three got the green light from Equifax’s legal department to do so, despite the discovery of the hack. Finance boss Gamble sold 6,500 shares, worth about $950,000, on August 1, and nine days later was informed of the security blunder at an offsite management meeting, the committee reported.

Ploder sold 1,719 shares worth $250,000 on August 2, but wasn’t told of the attack until August 22. Brandberg also sold 1,724 shares on August 2 but didn’t get news of the breach until August 14.

The odd one out is Joseph Loughran, III, who as president of US information solutions would – you’d think – be one of the first to know about the network infiltration. He asked for clearance to sell 4,000 shares worth about $585,000 on July 28, a day before the hack was uncovered, and executed the trade on August 1, but it took until August 13 for him to be warned of the thefts.

On August 15, Equifax’s legal department stepped in and ordered all staff with knowledge of the database theft to stop trading in company stock, then priced at about $142 per share. After the news of the hack broke, the price fell to $93 before recovering a little to $109 by today.

The special committee was headed by Elane Stock, the former president of toilet paper conglomerate Kimberly-Clark, and aided by Robert Daleo, a former CFO at Thomson Reuters, and Thomas Hough, treasurer of Metro Atlanta Chamber Of Commerce, Equifax’s home town in Georgia, USA. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/

Over a million Android users fooled by fake WhatsApp app in official Google Play Store

Once again Google’s Play Store has proved less than excellent at tackling malicious apps, after netizens found a fake version of WhatsApp that was good enough to fool over a million people into downloading it.

The rogue program was spotted by Redditors earlier today, and the software looks very much like the real deal. However, when opened, it appears to download and run the real WhatsApp Android client albeit with adverts wrapped around it, making a fast buck for whichever miscreant produced this dodgy imitation.

Fake on the left, legit on the right

“I’ve also installed the app and decompiled it,” reported DexterGenius.

“The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk.’ The app also tries to hide itself by not having a title and having a blank icon.”

The fake app, now removed from the official Play Store, appeared to be developed by WhatsApp Inc, the legit Facebook-owned maker of the messaging client. However, thanks to some Unicode trickery, the developer name carried a hidden space at its end: two extra bytes, 0xC2 0xA0, forming an invisible character that let this dodgy version masquerade as a product of WhatsApp Inc. In other words, it appeared to be a legit app from a real developer, but really it wasn’t.
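The trailing 0xC2 0xA0 is the UTF-8 encoding of U+00A0 (no-break space). A defender vetting app listings can catch this class of lookalike by normalising publisher names before comparing them and by flagging any invisible or non-ASCII whitespace characters in the raw string. The following is an added example, not code from the article or from Google Play; the publisher list, the sample names and the function names are constructed for illustration.

```python
import unicodedata

# Constructed samples: the genuine publisher string and the impostor's variant,
# which appends U+00A0 (UTF-8 bytes 0xC2 0xA0) as described in the article.
LEGIT_DEVELOPER = "WhatsApp Inc."
FAKE_DEVELOPER = "WhatsApp Inc.\u00a0"


def utf8_tail(name, n=2):
    """Last n bytes of the UTF-8 encoding, handy for spotting a trailing 0xC2 0xA0."""
    return name.encode("utf-8")[-n:]


def suspicious_chars(name):
    """List (index, codepoint, Unicode name) for every character that renders as
    nothing or as whitespace but is not a plain ASCII space: Zs (space separators
    such as U+00A0), Cf (format characters such as zero-width space) and Cc (controls)."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in ("Zs", "Cf", "Cc") and ch != " ":
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found


def canonical_name(name):
    """Normalise a publisher name for comparison: NFKC (which folds U+00A0 to a
    plain space), drop format characters, collapse all whitespace, casefold."""
    normalized = unicodedata.normalize("NFKC", name)
    kept = []
    for ch in normalized:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue  # zero-width and similar invisible characters
        kept.append(" " if (cat in ("Zs", "Cc") or ch.isspace()) else ch)
    return " ".join("".join(kept).split()).casefold()


def check_developer(claimed, known_publishers):
    """Classify a claimed publisher name against a list of known-good names.

    Returns (verdict, matched_publisher_or_None, suspicious_chars) where verdict is
    'exact' (byte-for-byte match), 'lookalike' (matches only after normalisation,
    i.e. the visible text is identical but the raw string is not) or 'unknown'."""
    findings = suspicious_chars(claimed)
    for publisher in known_publishers:
        if claimed == publisher:
            return "exact", publisher, findings
    canon = canonical_name(claimed)
    for publisher in known_publishers:
        if canon == canonical_name(publisher):
            return "lookalike", publisher, findings
    return "unknown", None, findings


if __name__ == "__main__":
    for name in (LEGIT_DEVELOPER, FAKE_DEVELOPER, "Whats\u200bApp Inc."):
        verdict, match, chars = check_developer(name, [LEGIT_DEVELOPER])
        print(f"{name!r}: {verdict} (matches {match!r}), suspicious chars: {chars}")
```

A listing whose publisher is a `lookalike` of a well-known vendor deserves manual review before it is published or installed; an `unknown` name with suspicious characters is worth a second look too.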

Despite clearly being a counterfeit build of a highly popular application, Google’s software guardians failed to spot the scam; the program had over a million downloads.

Google told The Register it is looking into the matter, and it’s likely the writer of the fake version is going to be banned. The Chocolate Factory has been touting the benefits of machine intelligence in tracking down miscreants lurking in its store. Maybe some more human intelligence is needed, too. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/03/fake_whatsapp_app/

Consumers Don’t Trust Businesses Can Protect Their Data

New data shows that fears of irresponsible handling of sensitive data, together with a lack of control over personal digital information, breed distrust among consumers.

High-profile breaches around the globe are putting consumers on edge and instilling a sense of mistrust that financial institutions and other businesses can deal with securing their sensitive information and data, according to two recent reports.

In the past year alone, Equifax suffered a massive breach which exposed the personally identifiable information of 143 million consumers in the US, and Yahoo announced its 2013 breach ultimately affected all of its 3 billion account holders.

“The threat landscape is continually evolving,” says Pieter Penning, a PricewaterhouseCoopers (PwC) Cybersecurity and Privacy Practice partner.

Indeed. Consumers are aware of cybersecurity threats, such as the emergence of ransomware, and remain skeptical that companies can ward them off in an attack or prevent a repeat occurrence post attack, according to reports from PwC and the BAV Group, which surveyed more than 2,000 Americans as part of their Consumer Intelligence Series: Protect.me, and a study by Carnegie Mellon University professor Rahul Telang and his student Sriram Somanchi, who issued a report Security, Fraudulent Transactions and Customer Loyalty: A Field Study.

These concerns could lead to consumers discontinuing their patronization of a business, the reports note.

“For financial firms, we know that they will lose customers if they are not proactive in reaching out to them [post attack]. For the other firms, the long-term implications are still not well documented,” Telang says. “Of course, the short-term fallout is that firms incur significant costs in managing their reputation [post attack].”

The findings in the reports reveal consumers’ attitudes toward the cybersecurity of the companies they deal with, and what organizations can do to retain their customers before and after a breach:

Majority of consumers worry about cyberattacks. The PwC report finds 69% of consumers believe companies they patronize are vulnerable to hacks and cyberattacks.

Lack control over personal information. Only 10% of PwC survey respondents feel they have complete control over their personal information.

Trustworthiness varies among industries. Banks’ cybersecurity is perceived as safe by 42% of respondents, compared with 3% for the marketing and advertising industry, according to the PwC report.

Willing to walk away. Companies failing to handle their customers’ data responsibly may find 87% of their customers will take their business elsewhere, according to the PwC survey.

Businesses should disclose why a cyberattack occurred. Financial firms face a 3-percentage-point increase in customer churn if they fail to explain to customers why the incident or breach happened in the first place, the Carnegie Mellon report states. Without this explanation, customers feel their future transactions remain at risk.

Reach out and compensate. Of all the steps a company can take to retain a customer after a breach, compensation was the highest, 27%, among PwC survey respondents. Carnegie Mellon’s Telang also notes that if harm to a consumer is clear, reach out to them in a personal way and compensate them in either money or service to reduce the chance they will discontinue patronizing the business.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/mobile/consumers-dont-trust-businesses-can-protect-their-data/d/d-id/1330321?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers Poison Google Search Results to Deliver Zeus Panda

Threat actors leverage SEO to ensure malicious links rank highly in Google results to infect targets with Trojan.

Most people use Google to search for answers but don’t know the results aren’t always safe. Attackers have begun to exploit this reliance on Google by using Search Engine Optimization (SEO) to populate search results with malicious links and distribute the Zeus Panda Banking Trojan through a compromised Word document.

SEO enables hackers to make their links more dominant in search results. In this case, attackers are “poisoning” the results for specific keywords related to banking and finance, effectively narrowing their victim pool to a specific group so they can steal financial information.

“SEO poisoning by itself isn’t really new,” says Earl Carter, threat researcher for Cisco Talos and one of the authors who detailed this discovery. “People have always been trying to manipulate search results. What was unique is they’re using it in the distribution of malware.”

Based on the keywords used, it seems the attackers are targeting geographic regions. Some examples of targeted keyword searches include “nordea sweden bank account number,” “al rajhi bank working hours during ramadan,” and “sbi bank recurring deposit form.”

In this campaign, hackers used compromised Web servers to ensure malicious links will appear prominently in these searches. Most of the time, they successfully displayed several poisoned links on the first results page. The links seemed unsuspicious because attackers hid their activity under compromised business websites that already had ratings and reviews.

“As user awareness training becomes more common, [users] are less likely to open unexpected attachments, but those same users may be likely to click result number one on a Google result page,” says Talos threat researcher Edmund Brumaghin. Researchers checked other search engines and concluded Google is the attackers’ key focus.

Users who browse pages hosted on compromised servers kick-start a multi-stage malware infection. The same redirection and infrastructure has been seen in other attacks; for example, fake antivirus and tech support scams in which users are asked to call a phone number.

Ultimately, targets are redirected to a site hosting a malicious Word document. The doc contains malicious macros that execute when users download and click “Enable Content.”

What’s inside

Researchers determined the malicious payload in this campaign seems to be a new version of the Zeus Panda banking Trojan, which steals sensitive data like banking information. The sample Talos analyzed is a multi-stage malware payload in which the initial stage has several anti-analysis techniques and prolonged execution to evade detection. While its functionality is still the same, the evasion techniques make it harder for reverse engineers to figure out.

This malware first queries the system’s keyboard mapping to determine its language, and terminates if it detects Russian, Belarusian, Kazakh, or Ukrainian. Earlier analysis of Zeus Panda also revealed it wouldn’t run on systems in Russia, Ukraine, Belarus, or Kazakhstan.

Zeus Panda checks to verify whether it’s running within hypervisor or sandbox environments including VMware, VirtualPC, VirtualBox, Parallels, Sandboxie, Wine, or SoftIce. Finally, the malware scans for tools commonly used among analysts for investigating malicious software. If any of these checks turn up positive, the malware removes itself from the machine.

Researchers can’t say with certainty whether the Zeus Panda threat actors are also behind this campaign. “The same threat actors, over time, constantly try to find new ways to get in,” says Carter. “It could be the same guys, it could be different guys.”

Alternatively, they say, this distribution mechanism could be the work of threat actors who are “farming it out” to attackers who want to spread different forms of malware, similar to how the Necurs botnet distributes various campaigns via email.

Carter and Brumaghin emphasize the importance of building on user awareness training to include verifying whether links are trusted. Just because a site appeared high in Google search doesn’t mean it’s safe.

“Make sure you know what site you’re going to when you go to a Google result, or result in any search engine,” says Brumaghin.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/vulnerabilities---threats/hackers-poison-google-search-results-to-deliver-zeus-panda/d/d-id/1330322?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google bug tracker hole lets outsiders wriggle in

Every now and then we are reminded that even the largest, cleverest companies can suffer security failures so unexpected it leaves one gasping in incredulity.

Take the case of Google’s Issue Tracker – the “Buganizer” to its friends – the company’s internal system for tracking general software bugs, feature requests and vulnerability reports in its own products.

This is also where outsiders report newly-discovered security vulnerabilities to Google, so one would assume it would be locked up very carefully. The consequences of not doing so, of allowing the wrong pair of prying eyes to browse through a list of unfixed vulnerabilities in hugely popular Google products, don’t bear thinking about.

Because Google takes security deadly seriously, right? Not according to researcher Alex Birsan who found he was able to manipulate this system as a sort of backdoor to do alarming things he shouldn’t have been able to.

The least serious being:

  • Break access control to receive email conversation threads between internal programmers. Not a big deal perhaps but it still earned Birsan a $5,000 (£3,750) bug bounty when he reported it to Google so perhaps extra digging would have revealed more dangerous pivots.

More worrying:

  • Change his registered Buganizer email address to an internal Google one by exploiting weaknesses in email updating. He wasn’t able to gain access to the company’s email platform but might have been able to order a taxi using the internal GRide. Reporting this earned Birsan $3,137.

Bingo!:

  • Receiving details of any security vulnerability (identified by a user ID) simply by pretending to unsubscribe from it. That left Birsan’s bounty account $7,500 to the good.

Birsan concedes that the latter issue might be self-limiting as Google processes serious security flaws in a one-hour time frame but there’s no getting away from what he stumbled upon:

Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.

That’s a total of $15,637 for a few hours of digging around in Google Issue Tracker, arguably the most security-critical Google system anyone outside the company has access to.

And it’s not a small platform either, processing an estimated 2000-3000 issues per hour internally. Google later told Motherboard:

We appreciate Alex’s report. We’ve patched the vulnerabilities that he reported, as well as their variants.

Presumably, the company will also be conducting a thorough review of its issue tracker in case there are any other weaknesses it’s missed.

Naked Security like to draw a moral from these sorts of security stories to cheer ourselves up, which in this case is that the simple passing of time is often security’s most under-estimated foe.

Issue Tracker and its predecessors will have been around in some form or other since Google was founded in 1998, long before security was top of anyone’s worry list. Over time, there is a risk of vulnerabilities creeping in as the system is extended or rebuilt – particularly if the work is done by people in a hurry, without the right skills, or with little knowledge of the previous developers’ handiwork.

And, so, layers of assumptions and small mistakes accumulate over time (a phenomenon known in programming circles as technical debt) which aren’t always noticed unless it’s someone’s job to look for them – which in busy companies filling up with new employees, new systems and new ideas, it often isn’t.

It’s something almost every company above a certain size or age should recognise. When the mighty stumble, gloating is a sure-fire way to tempt fate.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FaaNOIdRLlk/

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Analysis: High street banks should be exemplars of good security but many are letting the side down when it comes to following cryptographic best practice.

Tests by security researcher Scott Helme and The Register showed a marked divergence in performance. We assessed the security of online login sites run by six UK high street banks using security tools from SSL Labs and Helme’s Security Headers assessment site*. The results were mixed.

The consistent problem was a lack of support for HTTP Strict Transport Security (HSTS), a cryptographic technology introduced in October 2012 and designed to protect websites against protocol downgrade attacks and cookie hijacking.

“The risks in terms of protocols and cipher suites just show the banks aren’t keeping current on the latest configuration and are letting them age in production,” Helme told El Reg. “The biggest concern would be that they support HTTPS but haven’t deployed HSTS. HSTS was introduced to fix two pretty serious flaws with browsers and HTTPS so they should really be looking at deploying it.”

Encryption expert Professor Alan Woodward, a computer scientist at the University of Surrey, agreed.

“HSTS is such an obvious thing to do if you have an HTTPS site; I can’t see why they don’t,” he said. “Why is it important? Because without it an attacker can find ways to hijack what a user might assume is a secure connection and conduct man-in-the-middle attacks.

“Transport Layer Security (TLS) is one of the best defences we have for ensuring the security of online transactions, so not enforcing it is quite incomprehensible… With the availability of tools like SSLStrip it’s all too easy to hijack connections without HSTS.”

Barclays


SSL Labs: Barclays domain doesn’t support Forward Secrecy, which they “absolutely should”. “There is no reason not to,” Helme said. The bank’s certificate chain is also incomplete and has multiple HSTS headers deployed. Both these shortcomings are misconfigurations which should be addressed. SSL Labs awards Barclays’ online banking site a grade B.

Security Headers: Barclays gets an A on the security headers scan, which is a solid grade. There are a couple of warnings that the bank could do with addressing but nothing too concerning, Helme added.

HSBC


SSL Labs: Much like Barclays, the bank doesn’t support Forward Secrecy and it really should. It’s also a little worrying to see the bank still supporting the RC4 cipher – this should really be disabled now, Helme said. HSBC’s online banking site gets a grade B from SSL Labs.

Security Headers: Slightly worse here too with a grade C. The most crucial thing the bank has missing is an HSTS policy which, for a secure website using HTTPS, is an absolute requirement.

HSBC’s security headers (screenshot)

Lloyds


SSL Labs: A really good grade with an A for Lloyds. Helme said the thing holding it back from an A+ is really simple – HSTS.

Security Headers: Only a grade C. They really need to be deploying HSTS, Helme said. This will get the bank to an A+ on SSL Labs and to a B on Security Headers. Secure sites really do need HSTS and should also consider Content Security Policy (CSP) too, he added.

NatWest


SSL Labs: NatWest’s grade C is the lowest scored by all banks and there are a few concerning things on these results. The bank’s certificate chain needs to be updated and it’s still using weak ciphers and Diffie–Hellman parameters. This is most likely just an old configuration that hasn’t had any attention for quite some time.

Security Headers: Another C grade here and the same problems again, Helme said. They have no HSTS or CSP deployed on their site. HSTS is an absolute must and has been a defined internet standard for five years now, so there has been plenty of time for adoption.

NatWest’s security headers (screenshot)

RBS


SSL Labs: All the same issues as NatWest, according to Helme. RBS scores a mediocre grade C with SSL Labs.

Security Headers: As per NatWest, the absence of HSTS or CSP deployment results in a relatively lower score.

Santander


SSL Labs: The best TLS (HTTPS) configuration out of the lot. “It’s a shame I’m talking about the lack of Forward Secrecy yet again but this is what’s holding them back from an A+,” Helme said. “They really need to add support.” Santander’s online banking site gets an A- from SSL Labs.

Security Headers: Slightly better with a grade B here and very nice to see the bank has properly deployed HSTS, Helme said. If they deployed Content Security Policy with Upgrade Insecure Requests it’d be a perfect complement to HSTS and increase its grade to an A.

The banks could all achieve much better grades through some relatively simple steps, according to Helme.

Overall, there are some very simple steps that all of the banks could take to improve security for their customers. A lack of Forward Secrecy across the board isn’t great in 2017 and again a majority of them fail to support HTTP Strict Transport Security (HSTS) too. Supporting these technologies has no negative effect: customers with newer browsers will use them and customers with older browsers would ignore them, so I can’t see a reason why they wouldn’t deploy them. To complement their protection a CSP with Upgrade Insecure Requests (UIR) enabled would offer further security on top of HSTS. Overall it’s not terrible but when we’re focusing on large financial institutions I’m expecting them all to perform above average so they have a little way to go.
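The header-level checks above (HSTS present, not duplicated, with a sensible max-age; CSP present with upgrade-insecure-requests) can be automated against a captured response. The following is an added example written for this article, not the Security Headers or SSL Labs code; the response header sets are constructed samples, not captures from any bank, and the function names are the author’s own.

```python
# Constructed sample responses, each a list of (name, value) pairs in the order
# received. They mirror the failure modes the article describes: no HSTS at all,
# two HSTS headers on one response, and a CSP that omits upgrade-insecure-requests.
SAMPLE_RESPONSES = {
    "no_hsts": [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=abc123; Secure; HttpOnly"),
    ],
    "duplicate_hsts": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Strict-Transport-Security", "max-age=0"),
    ],
    "csp_without_uir": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
    ],
    "good": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Content-Security-Policy", "default-src 'self'; upgrade-insecure-requests"),
    ],
}

ONE_YEAR = 365 * 24 * 3600  # commonly recommended minimum HSTS max-age


def parse_hsts(value):
    """Split an HSTS value such as 'max-age=31536000; includeSubDomains' into a
    dict of lower-cased directive names to values (valueless directives map to '')."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers):
    """Return a list of human-readable findings for one response's headers.
    An empty list means HSTS and CSP are both present and well formed."""
    findings = []
    hsts_values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("missing HSTS: a plain-HTTP request can be intercepted before the redirect to HTTPS")
    else:
        if len(hsts_values) > 1:
            # RFC 6797 section 8.1: a browser processes only the first STS header field,
            # so the extra copies are at best ignored and at worst a sign of config drift.
            findings.append(f"{len(hsts_values)} HSTS headers present; browsers honour only the first")
        directives = parse_hsts(hsts_values[0])
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or malformed")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is shorter than one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not csp_values:
        findings.append("missing Content-Security-Policy")
    elif not any("upgrade-insecure-requests" in v.lower() for v in csp_values):
        findings.append("CSP present but without upgrade-insecure-requests")
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every sample and return {label: findings}."""
    return {label: audit_headers(headers) for label, headers in responses.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

To run it against a live site, replace a sample with the `(name, value)` pairs from the HTTPS response to the login page (the article stresses that the login page, not the marketing home page, is what matters).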

In March 2016, Netcraft reported that only 5 per cent of web admins had implemented HTTPS correctly.

“I was really rather shocked,” Professor Woodward told El Reg. “Of course not everyone has the ability to apply HSTS (imagine sitting behind some services where it’s not actually all the way back to the origin) but most larger organisations have control over such things. That figure from Netcraft is an overall figure.

“For a bank not to do it has to be a no-no. If you can envisage one dialogue that should have TLS enforced it is one where financial data, especially relating to your accounts, is being transferred.”

Netcraft singled out NatWest for not implementing HSTS. Despite Netcraft’s stinging critique, the bank still has not rolled out the technology 18 months later.

El Reg invited RBS/NatWest on Tuesday to comment on the poor security ratings of its websites and on the criticism over its failure to support HSTS. Despite having the best part of three days in which to consider its stance, the bank sent only this response, from a spokesman: “It’s been confirmed to me that we do have a number of layers protecting the website from the type of man in the middle attacks outlined in the Netcraft article.”

El Reg looked at the security of online banking sites rather than the home (main) page of banks. We began the project after chatting with a Reg reader regarding concerns he had about the security of his bank’s website, Barclays, after he received warnings when visiting its site from multiple computers. These warnings turned out to be a glitch but his concerns over its failure to support HSTS are altogether more substantive, as our comparative research illustrates. ®

Bootnote

*Security Headers analyses the HTTP response headers set by websites to see which security features they have enabled and if they are configured properly.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/03/uk_bank_security_audit/

Synopsys to Buy Black Duck Software for $565 Million

The acquisition signifies the growth of open source software and need to secure software early in development.

Synopsys, a firm focused on silicon chip design and application security testing, will acquire Black Duck Software, which builds products to automate the process of securing and managing open source software. The acquisition will be funded in cash and is expected to close in December.

As part of the deal Synopsys will pay $565 million, or $548 million net of cash acquired, and assume certain unvested equity of Black Duck employees.

This transaction is another sign software development is shifting to open source, which has grown due to its lower development cost and quick speed to market. However, poor visibility into open source software (OSS) has businesses concerned about security and compliance.

OSS makes up 60% or more of code in today’s applications, Synopsys reports in a release. It seems Synopsys is planning to leverage Black Duck’s technology, which scans open source code for security vulnerabilities and compliance issues, to stay ahead of the game in software security.

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/synopsys-to-buy-black-duck-software-for-$565-million/d/d-id/1330318?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Ways the Next Generation of Security Is Changing

The CISO’s job will get easier because of trends in the industry. Here’s how.

Today, 66% of companies don’t have enough cybersecurity personnel on staff, with that skills gap widening to a shortage of 1.8 million information security workers by 2022, predicts a new study from (ISC)2. With the number of data breaches also increasing at a record pace, something must change. Will it be automation technology, advanced tools, or more training? Regardless, the next generation of security will be staffed by less-experienced people empowered to do the jobs previously only experienced analysts could do — because it’s necessary.

Here are the four ways I see the security analyst role, and the forces around it, evolving. For the CISO, it means your job is going to be a whole lot easier, too.

Security teams will become more diverse. The analyst position will evolve to diversify — and that’s a good thing. I believe that our thinking around the role of a security analyst hasn’t been right. We have a talent gap, in part, because we have a narrow understanding of what a security professional needs to be. There are many elements that play into a security program, and it’s not all about technical acumen. As an industry, we tend to get fixated on the latest ransomware or zero-day exploit, so it’s easy to see why many assume you need extensive, technical skills to make meaningful contributions in the information security world.

However, the effectiveness of the vast majority of today’s security teams has a lot more to do with getting basic security controls and best practices in place, and partnering effectively with the rest of the business. A security pro needs to collaborate with other departments, implement security training programs, manage third-party risk, put effective password policies in place, and more. These junior security analysts need to evolve to become better communicators and advocates — because today, many of the attacks on an organization are internal. Whether it’s due to bad actors or just lack of education, a recent Verizon breach report found that more than 7% of users who receive phishing emails fall for them. This is preventable, and it’s up to the security team to make that happen.

Security technology will become simpler. Today it’s easy to become overwhelmed by information. Security professionals are tasked with more and more events around all possible nefarious activity. According to industry research, a mere 4% of alerts are investigated by security teams due to the massive amount of alert activity on the whole. There’s no question that security analytics need to move toward simplicity — whether it’s using more contextual alerting, “conversational English” nomenclature improving the user experience, or implementing machine-learning tools to intelligently sift through massive amounts of information. Alert fatigue needs to become a thing of the past for all analysts. I’m sure we’re all tired of it by now.

Security strategies will centralize around data. There are two forces that demonstrate my point. First is the reality that breaking news on a weekly basis surrounds enormous data leaks — just recently, Equifax, Yahoo, the Securities and Exchange Commission, and Sonic — and a stunning lack of clarity around the extent and scope of data that has been compromised in each case.

The second force is the European Union’s General Data Protection Regulation. Organizations have not mapped out their data, and they’re struggling now to comply with EU regulations. As a result, enterprises are making moves to locate, classify, and understand who’s accessing their data and where it’s being stored, and utilizing more advanced frameworks for data monitoring and controls. This data transparency is no longer a nice-to-have, particularly given impending regulatory deadlines. A heavier focus on data governance in itself will make analysts’ jobs less complex than they’ve been before.

Automated technology will play a larger role. Every year there’s a different hot buzzword in security — in 2017, it’s automation. So it won’t come as a surprise that to keep up with more senior analysts, less-experienced analysts may need to employ security technology that has a higher level of automation. Related to my first point, automated technology has the potential to close some of the talent gap problem. Although we’ve been pretty far away from realistically achieving that until now, that will change in 2018. This type of technology has finally advanced to the point where it works.

What I’ve discussed represents just four of the many ways that the next generation of security as a whole is changing, along with the role and responsibilities of security teams, as a result. With a combination of technological advancements and smart human intervention, we’re moving in the right direction to even the playing field against attackers — and the next generation of security pros will be the ones who see that through.


Tony Gauda is a serial entrepreneur with a deep history in security, storage, and SaaS businesses. Tony holds several issued patents and previously invented the convergent encryption and core technology for Bitcasa. As the CEO of ThinAir, Tony has invented information …

Article source: https://www.darkreading.com/endpoint/4-ways-the-next-generation-of-security-is-changing---/a/d-id/1330299?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Election-Tampering & Enterprise Security Plans

Take our new flash poll and tell us if the current political climate is making you rethink disaster recovery and business continuity planning.

Whether you are appalled, disturbed, or unfazed by the controversy over the claims of Russian interference in the 2016 US Presidential election, the barrage of headlines continuing today is a constant reminder of the threats facing our nation’s governmental systems and private industry from nation-state hackers that aim to do us harm.

Last month, the Trump administration announced a plan to establish a new cybersecurity strategy derived from an Executive Order signed by the president in May. We want to hear readers’ views on whether the current US political climate is causing your organization to make infosecurity-related changes to disaster recovery or business continuity plans. Your choices in our new Political Climate Change poll include:

  • Yes
  • No
  • No, but we are considering it
  • Still waiting for cybersecurity guidance from the Trump admin EO
  • Other (Please explain in the comments)

If you have other points of view, we encourage you to share them in the comments so that others can weigh in. Click here to take the flash poll and join the conversation.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …

Article source: https://www.darkreading.com/endpoint/russian-election-tampering-and-enterprise-security-plans/a/d-id/1330319?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple