STE WILLIAMS

Few Firms Use Segmentation, Despite Security Benefits

Network segmentation is considered a key security control to prevent attackers from easily accessing critical assets from compromised, but unprivileged, computers. So why aren’t more companies doing it?

Fewer than one in five companies is currently using network segmentation to slow intruders from moving around its network, mainly due to the difficulty of configuring and maintaining firewall rules, according to a survey conducted by network security provider Illumio.

The survey, based on interviews with 300 IT professionals, found that 19% of companies currently use network segmentation to reduce the risk of a data breach, while another 26% are planning a project in the next six months. Yet a whopping 55% of companies are not even considering deploying segmentation in that time frame, according to the survey. 

The responses suggest that companies understand the benefits of segmenting their applications and servers, but the difficulty of the project has dissuaded many IT professionals, causing them to put off efforts, says Matt Glenn, vice president of product management for Illumio.

“When we talked to people, they never say that they don’t want to do segmentation,” he says. “They ask how can they do it and what is the cost.”

Network segmentation is one way of dispensing with trust and minimizing the impact that a user could have on the network. A variety of companies have touted the zero-trust model for security, labeling trust as weakness. By limiting access to specific critical assets and data, segmentation is one way of implementing zero-trust security and can harden networks against an intruder’s efforts to laterally move after a breach. 

Last year, network segmentation appeared on the to-do lists of nine out of 10 companies, according to a blog post from network security firm Forescout. Illumio’s survey suggests that companies still have work to do, however. That’s understandable, as network segmentation projects take a great deal of time and planning. Moreover, companies need to do it right: if done incorrectly, segmentation can create roadblocks for legitimate users.

Because of these difficulties, two-thirds of respondents considered the process of segmenting using firewalls to be fairly challenging or even more difficult, the survey found.

“Among their most pressing concerns were cost, troubleshooting, deployment and making changes,” Illumio stated in the report. “The difficulties respondents had with their firewalls ranged from deployment to obtaining budgets, implementing changes and verifying them.”

Most companies have to deal with a large number of firewall rules. Almost two-thirds — 62% — of organizations have more than 1,000 rules per firewall, according to the survey.

Using firewalls as the basis of network segmentation can slow down the deployment of new rules for applications, the company says. The average time to deploy and tune a firewall is one to three months, and it takes an average of one to two weeks to accommodate a new application, according to the survey. Such delays make firewall-based segmentation a poor fit for DevOps-style software development life cycles, Glenn says.

“Most people when they think about doing segmentation, they are thinking about doing it with a firewall, and that it’s like trying to put together Ikea furniture with a hammer,” he says. “It’s not going to work, but you only have one tool, so you use it, even if it is not the right one.”

As agile development and techniques such as DevOps grow in popularity, companies are searching for methods of making security more responsive to application configuration. Software-defined networking has become one way that companies can quickly segment networks as well as add responsive security features, such as deceptive network architectures that can waste attackers’ time.

Other companies — such as Cisco, Illumio, and VMware — focus on host-based segmentation, using the firewall of the application’s host to enforce security segmentation on the application.
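To make the host-based approach concrete, here is an added example; it is not code from the article or from Illumio, Cisco or VMware. Workloads carry labels (role, env), the segmentation policy is a short list of label-to-label allow rules, and a function renders the inbound ruleset one host needs as a default-drop nftables input chain. A second function answers the question the firewall answers, "may src reach dst on this port?", against the same policy, so the rule text and the decision cannot drift apart. The inventory, addresses, labels and ports are constructed sample data, and the choice of nftables as the host firewall is an assumption.

```python
"""Label-based host segmentation: one policy, compiled to per-host nftables rules.

Added example, not vendor code. Labels, addresses, ports and the use of
nftables as the host firewall are all assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Labels = Dict[str, str]


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Tuple[Tuple[str, str], ...]  # hashable form of a label dict

    def matches(self, selector: Labels) -> bool:
        """True if every key/value in the selector is present on this workload."""
        mine = dict(self.labels)
        return all(mine.get(k) == v for k, v in selector.items())


@dataclass
class Rule:
    """Allow TCP from workloads matching `src` to workloads matching `dst` on `port`."""
    src: Labels
    dst: Labels
    port: int


# Constructed inventory: a three-tier production app plus a staging database
# that must never be reachable from production hosts.
INVENTORY: List[Workload] = [
    Workload("web-1", "10.0.1.10", (("role", "web"), ("env", "prod"))),
    Workload("app-1", "10.0.2.10", (("role", "app"), ("env", "prod"))),
    Workload("app-2", "10.0.2.11", (("role", "app"), ("env", "prod"))),
    Workload("db-1", "10.0.3.10", (("role", "db"), ("env", "prod"))),
    Workload("db-stg", "10.0.9.10", (("role", "db"), ("env", "staging"))),
]

# The entire segmentation policy. Anything not listed is denied by the
# default-drop chain rendered below, which is what blocks lateral movement.
POLICY: List[Rule] = [
    Rule({"role": "web", "env": "prod"}, {"role": "app", "env": "prod"}, 8080),
    Rule({"role": "app", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
]


def is_allowed(policy: List[Rule], src: Workload, dst: Workload, port: int) -> bool:
    """Decide a single flow against the label policy (what the host firewall enforces)."""
    return any(
        r.port == port and src.matches(r.src) and dst.matches(r.dst)
        for r in policy
    )


def compile_host_rules(policy: List[Rule], host: Workload, inventory: List[Workload]) -> str:
    """Render the inbound nftables ruleset for one host from the label policy.

    Adding an app server means re-rendering every affected host's rules from
    the inventory, not hand-editing a central firewall's rule base.
    """
    lines = [
        "table inet segmentation {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for rule in policy:
        if not host.matches(rule.dst):
            continue  # this rule does not concern traffic arriving at this host
        peers = [w.ip for w in inventory if w.matches(rule.src) and w is not host]
        for ip in sorted(peers):
            lines.append(f"    ip saddr {ip} tcp dport {rule.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    db = next(w for w in INVENTORY if w.name == "db-1")
    print(compile_host_rules(POLICY, db, INVENTORY))
```

Run as a script it prints the ruleset for db-1, which admits only the two production app servers on 5432; the staging database gets a chain with no accept lines at all, because no rule names a staging destination. In a real deployment the rendered text would be fed to `nft -f` on each host by whatever configuration management the organisation already uses.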

In the end, companies need to find ways to more granularly apply security policies to assets on their network, according to analyst firm Forrester Research.

“Defending the perimeter is no longer an effective strategy,” the firm states on its Zero Trust site. “Zero Trust implements methods to localize and isolate threats through microcore, microsegmentation, and deep visibility to give you an organized approach to identify threats and limit the impact of any breach.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/application-security/few-firms-use-segmentation-despite-security-benefits/d/d-id/1336654?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trading Online? Steps to Take to Avoid Getting Phished

From an IT manager’s perspective, any employee using such a mobile app on a phone they also use for business opens up risks to the corporate network.

Technology is more accessible and affordable than ever, levelling the playing field in everything from education to ecommerce. One of the latest innovations is in the field of finance and investing. One sector of the fintech industry employs machine learning algorithms that can predict stock performance and make recommendations.

The fact that many of these trading apps are mobile puts your financial future squarely into your own hands. However, it also makes your information accessible to others if you don’t protect yourself from phishing exploits.

Particularly worrisome is spear phishing directed at a specific person. According to a study conducted by Iron Scales, 77% of these attempts are launched at 10 or fewer inboxes. The subject line and message mention you by name and include details that they’ve found on social media or professional profiles. Often, the message purports to be from a colleague or someone within your organization. They may want you to check out a work- or travel-related website or ask you to wire money to cover an emergency.


Article source: https://www.darkreading.com/cloud/trading-online-steps-to-take-to-avoid-getting-phished/d/d-id/1336656?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Don’t fall for this porn scam – even if your password’s in the subject!

Sextortionists are back with some new twists and turns in their odious and confronting scams.

If you haven’t encountered the word before, sextortion is the popular term for cybercrimes that combine sex or sexuality and extortion.

When they arrive by email, sextortion attempts generally involve a blackmail demand along the lines of, “I know you did sexy/naughty/prurient thing X, pay me Y or I will tell Z.”

Most often:

  • X is something that the crooks say they have evidence of via screenshots from your browser and your webcam.
  • Y is typically about $2,000, payable within a few days.
  • Z varies between ‘your closest friends’ and ‘everyone in your contacts’.

The scam version we’re discussing here looks like this:

As you can see, the crooks justify their claim to have both browser screenshots and stolen webcam footage by saying they’ve planted remote control malware on your computer.

That sort of malware does exist, and it’s often referred to by the term RAT, short for Remote Access Trojan.

However, in this case, the crooks don’t have a RAT on your computer – the story about remote control malware is just that: a story to scare you into paying up.

The crooks also claim to have infected your computer with malware by implanting it on the website you supposedly visited.

Again, what they describe is theoretically possible but it’s not what actually happened in this case – it’s just more made-up scare tactics.

The ‘proof’

The last piece of ‘evidence’ the crooks give in this attack is to ‘prove’ that they do have access to your computer by including a password of yours.

Often, the password you’ll see really is (or was) one of yours, but it’s usually very old and you almost certainly changed it years ago.

As many Naked Security readers have pointed out before, the only solid way for the crooks to prove that they had the sneaky evidence they claimed would be to share a clip of the alleged video with you…

…but they never do that, for the very simple reason that they don’t have anything.

That long-breached, widely-known, already-changed (you did change it, right?), no-longer-important password is all they have; the rest is just bluff.

How it works

This particular example has a few novelties:

  • The subject line is your old password. Presumably, the crooks want to grab your attention, as well as giving anti-spam filters nothing predictable to look for in the subject.
  • The entire body of the email is actually sent across as an inline JPEG image with the text inside it. Presumably, the crooks hope to avoid getting spotted by an anti-spam filter that relies on analysing the textual content of the message.
  • The Bitcoin address to which you’re supposed to send the money is a QR code, not the usual text string you’d expect. Presumably, the crooks figure that because you can’t copy-and-paste text from an image, they need to provide it as an image you can scan with your phone.
  • Many of the English letters have been replaced with not-quite-right equivalents using accents and other modifiers. We can’t actually think of a good reason for the crooks to do this given that the characters are then converted to an image anyway. Perhaps they thought it looked freakily mysterious and therefore more likely to scare you, or they were trying to make life harder for any optical character recognition software that might be used along the way.
  • The crooks say they will send you ‘real proof’ in the form of the actual video, but only by sending it to 11 of your closest friends. Clearly this is an absurd offer given that they’re simultaneously demanding that you pay up to stop the video reaching anyone.
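Those same novelties are what a mail filter can key on. The following is an added example, not Naked Security’s code: it constructs a message in the shape described above (an old password as the subject, the whole body as one inline JPEG, no text part) and runs a few heuristics over it. The accent-folding step exists because of the last-but-one point: once the letters are normalised, ‘Bìtcoin’ and ‘wébcàm’ match the plain keywords a filter already knows, whether the text came from a text part or from an OCR pass over the image. The sample message, the ‘breached’ password and the OCR text are all constructed; decoding the QR code is left out.

```python
"""Heuristics for the image-only, password-in-subject sextortion mail.

Added example, not from the original article. The sample message, the
fake 'breached' password and the OCR text are constructed; a real filter
would feed the inline image through an OCR engine to obtain the text.
"""
import email
import re
import unicodedata
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Set

# Constructed: a password of the recipient's that leaked in an old breach.
BREACHED_PASSWORDS: Set[str] = {"hunter2"}

# Constructed: what OCR might return for the body image. Letters carry
# accents, as in the real sample, so a naive keyword search misses them.
SAMPLE_OCR_TEXT = ("Ì hávé a vídéo fròm yòur wébcàm. Sénd 2000 USD in Bìtcoin "
                   "or I mail it to your contacts.")

SCARE_WORDS = ("webcam", "video", "bitcoin", "contacts")


def build_sample_email() -> bytes:
    """Construct a message whose entire body is one inline JPEG; subject = old password."""
    msg = EmailMessage()
    msg["From"] = "nobody@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "hunter2"
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"  # SOI ... EOI, no real picture
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg",
                       disposition="inline", filename="body.jpg")
    return msg.as_bytes()


def build_benign_email() -> bytes:
    """A normal plain-text message, used as a control."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Shall we try the new place on the corner?")
    return msg.as_bytes()


def fold_lookalikes(text: str) -> str:
    """Strip accents and other combining marks so 'Bìtcoin' compares equal to 'bitcoin'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def looks_like_credential(subject: str) -> bool:
    """One short token, no spaces, mixing letters and digits: a password, not a sentence."""
    s = subject.strip()
    return (re.fullmatch(r"\S{6,32}", s) is not None
            and any(c.isdigit() for c in s) and any(c.isalpha() for c in s))


def analyse(raw: bytes, ocr_text: Optional[str] = None) -> List[str]:
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    subject = str(msg["Subject"] or "")

    text_parts = image_parts = 0
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "text":
            text_parts += 1
        elif kind == "image" and part.get_content_disposition() == "inline":
            image_parts += 1
    if image_parts and not text_parts:
        findings.append("body is inline image(s) with no text part")

    if looks_like_credential(subject):
        findings.append("subject looks like a credential")
    if subject.strip() in BREACHED_PASSWORDS:
        findings.append("subject matches a known breached password")

    if ocr_text:
        folded = fold_lookalikes(ocr_text)
        hits = [w for w in SCARE_WORDS if w in folded]
        if len(hits) >= 2:
            findings.append("extortion vocabulary after lookalike folding: " + ", ".join(hits))
        if folded != ocr_text.lower():
            findings.append("text used accented lookalike characters")
    return findings


if __name__ == "__main__":
    for line in analyse(build_sample_email(), SAMPLE_OCR_TEXT):
        print("-", line)
```

None of these indicators is conclusive on its own (plenty of legitimate newsletters are image-heavy), which is why the function returns the list rather than a verdict; a filter would weight them, and a match against the organisation’s own breached-credential list is the one worth acting on regardless of the rest.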

What to do?

Here’s our advice:

  • Delete and move on. This sort of email is scary and confronting. Sadly, however, you can’t control what other people try to send to you. You can only control what you receive (for example by using a spam filter), and how you react to the things that actually reach you.
  • Don’t send any money. The Bitcoin (BTC) address in this email has received five incoming payments, but none of them seem to correspond to the amount demanded, given recent BTC exchange rates. Keep it that way!
  • Don’t reply. It’s tempting to test the crooks out, either to see what they’ve got out of fear, or to see how they react if provoked out of amusement. But you already know these guys are crooks, and you know they’re bluffing, so don’t play back into their hands by engaging any further.
  • Change your exposed password. You probably already have, given that the crooks are using an ancient password that was breached long ago. But if you haven’t, or if you’ve changed it only superficially (e.g. jimmy to jimmy99), revise your attitude to passwords right now. Consider a password manager if you haven’t already.
  • Never follow instructions in an email just because the message is insistent or because you’re frightened. If you aren’t sure about a link, a demand or an attachment, ask someone you trust for advice. And ask them face-to-face if you can, rather than just reaching out to someone you think you know online.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IYX-tv1HR4k/

15 Million Patient Records Exposed in Attack on Canadian Lab

A cyberattack against LifeLabs exposed personal information on patients in Ontario and British Columbia.

A cyberattack against LifeLabs, Canada’s largest medical testing provider, left personal information of more than 15 million individuals exposed before the company paid a ransom to retrieve the data.

According to a letter sent to customers, the names, addresses, email addresses, customer logins and passwords, health card numbers, and lab test results for individuals in Ontario and British Columbia were breached in the attack, which was reported to law enforcement on November 1.

No information has been released on the amount of the ransom, or to whom it was paid.


Article source: https://www.darkreading.com/attacks-breaches/15-million-patient-records-exposed-attack-on-canadian-lab-/d/d-id/1336647?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


How to Manage API Security

Protecting the places where application services meet is critical for protecting enterprise IT. Here’s what security pros need to know about “the invisible glue” that keeps apps talking to each other.


“There is a crack in everything / That’s how the light gets in” — Anthem, Leonard Cohen

When it comes to enterprise applications, the cracks are certainly there, but it’s not light finding its way through the gaps — it’s criminals and their malware assistants. Some of the enterprise cracks appear through vulnerabilities in application code or firmware, but hundreds, if not thousands, of potential cracks exist in the places where apps and functions come together in an overall application — namely, APIs.

Application programming interfaces (APIs) are the formal, consistently specified ways in which pieces of applications talk to one another. This means there is at least one API for every component in an application.

More than half of the APIs used in enterprise applications are developed internally, according to the “2019 Postman State of the API Report,” for which more than 10,000 developers were surveyed.  Another 28% of the APIs come from partner organizations, while roughly 19% are publicly available.

“If you think of any infrastructure today in enterprise applications and the components that support it, there is usually a mobile component, a website component, and a myriad of databases and services that support them, and all of this happens with APIs,” says Mehul Revankar, director of product management at SaltStack. “And so the API is in some way the invisible glue which keeps all of these things working together seamlessly.”

Critical Interface
Because APIs are so critical to the modern application framework, they are tempting targets for criminals. And the criminals’ jobs are made easier due to the lack of understanding many IT leaders have about just how many APIs are at work in their infrastructure.

Part of the issue, experts say, is the nature of modern applications. What once were monolithic applications that might make calls to a database and presentation layer are now nested layers of microservices and serverless components.

“What does it mean from an API perspective? What used to be a function call within the app in the past is now an API call,” says Shreyans Mehta, Cequence co-founder and CTO. The security challenge is making sure the APIs allow only authorized apps and users to pass data from one piece of an application to another.

The move to the modern application model is driven by the sheer velocity of modern business, with partners, customers, and internal business needs all driving the requirement for speed, says Kin Lane, chief evangelist at Postman. As a result, “People just don’t prioritize the cataloging and defining of what these [API] capabilities are,” he says.

Taking time to catalog APIs and understand how many APIs are actually in the organization’s inventory, then, is step one in securing APIs. But once you know what must be defended, how can you best go about that defense?

The good news, according to Lane, is that many of the APIs in use by enterprises will share a common basis. “The majority of APIs are more of a common-class REST or a Web API,” he says. “Those have a lot of common characteristics — it’s pretty straightforward to understand how to secure them.”

Protect the REST
With APIs discovered and catalogued, and protection for the RESTful sort well-understood, how then should organizations proceed to protecting the remainder of the APIs in the architecture? Some make the case for starting with the basics.

Laurence Pitt, global security strategy director at Juniper Networks, says encryption is a good starting point.

“There are many different methods when considering how to lock down an API, but it does not have to be overcomplicated,” he explains. “In most cases, it would suffice to make sure that the API is using HTTPS for communication to ensure that the traffic cannot easily be sniffed from the network, and then to use some form of authentication to allow access.”

While it isn’t perfect, that method will keep hackers using Internet crawling tools from finding open APIs and sniffing the traffic, Pitt adds.

The next security step could involve following a security framework for protecting APIs. Fortunately, a couple of frameworks are available that multiple experts recommend as part of a drive toward best practices.

Mehta points to the Open Web Application Security Project (OWASP) and its API Security project as a resource, though he does offer one caveat: “I don’t think it’s in that mature a state right now; there is more work to be done,” he says. “It could be a good start, but it’s missing a lot of pieces right now.”

A release candidate for the OWASP API Security Top 10 was published at the end of September. In other words, the API Security project is quite literally a work in progress. Even so, it presents 10 areas for security teams to be concerned about when it comes to APIs. Those areas range from broken object-level authorization and excessive data exposure to insufficient logging and monitoring.
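Pitt’s baseline and two of the OWASP categories fit in one small handler. The following is an added example, not code from the article, from OWASP or from any vendor quoted here: a framework-free GET /accounts/{id} handler written twice. Both versions do the authentication Pitt describes (a bearer token whose HMAC is checked in constant time and whose expiry is enforced), but the first returns whichever account the caller names and every column of it, which is broken object-level authorization plus excessive data exposure; the second checks that the token’s user owns the object and returns only the fields the client is meant to see. The signing key, account store and field list are constructed, and a request is modelled as a plain dict. TLS is assumed to be terminated in front of the handler and is not shown.

```python
"""Vulnerable vs hardened GET /accounts/{id}: token auth, object-level authz, field filtering.

Added example, not from the article or any project. Key, accounts and the
request shape are constructed for illustration.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed: server-side signing key and a tiny account store.
SIGNING_KEY = b"constructed-demo-key-rotate-me"
ACCOUNTS: Dict[str, Dict] = {
    "1001": {"id": "1001", "owner": "alice", "balance": 420.0,
             "ssn": "123-45-6789", "password_hash": "$2b$12$constructed"},
    "1002": {"id": "1002", "owner": "bob", "balance": 17.5,
             "ssn": "987-65-4321", "password_hash": "$2b$12$constructed"},
}
PUBLIC_FIELDS = ("id", "owner", "balance")  # everything else never leaves the server


def _now(now: Optional[int]) -> int:
    return now if now is not None else int(time.time())


def issue_token(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint 'user.expiry.hexmac'; the MAC binds user and expiry to the server key.

    Usernames must not contain '.', since it is the field separator.
    """
    exp = _now(now) + ttl
    payload = f"{user}.{exp}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the MAC verifies and the token is unexpired, else None."""
    try:
        user, exp, mac = token.split(".")
        exp_i = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if _now(now) >= exp_i:
        return None
    return user


def _bearer(request: Dict) -> str:
    auth = request.get("authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def vulnerable_get_account(request: Dict, now: Optional[int] = None) -> Dict:
    """Authenticates, then returns whatever account the caller names, every column included."""
    user = verify_token(_bearer(request), now)
    if user is None:
        return {"status": 401}
    acct = ACCOUNTS.get(request.get("account_id", ""))
    if acct is None:
        return {"status": 404}
    return {"status": 200, "body": acct}  # BOLA + excessive data exposure


def hardened_get_account(request: Dict, now: Optional[int] = None) -> Dict:
    """Same endpoint with an ownership check and an explicit response shape."""
    user = verify_token(_bearer(request), now)
    if user is None:
        return {"status": 401}
    acct = ACCOUNTS.get(request.get("account_id", ""))
    if acct is None or acct["owner"] != user:
        # Same answer for "missing" and "not yours": don't confirm other IDs exist.
        return {"status": 404}
    return {"status": 200, "body": {k: acct[k] for k in PUBLIC_FIELDS}}


if __name__ == "__main__":
    token = issue_token("bob")
    req = {"authorization": "Bearer " + token, "account_id": "1001"}  # bob asks for alice's account
    print("vulnerable:", vulnerable_get_account(req))
    print("hardened:  ", hardened_get_account(req))
```

The ownership check is deliberately a comparison against the identity the token proves, not against anything the client sent; and the allow-list of response fields means a new sensitive column added to the store later is withheld by default rather than leaked by default.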

Beyond OWASP
While the OWASP framework is still in the publication and finalization process, the National Institute of Standards and Technology (NIST) has been working on Web application security frameworks for some time. NIST Special Publication 800-95 was published in 2007 and is still considered one of the foundational Web security documents by many professionals. And NIST has not stopped the framework development process.

A draft version of NIST Special Publication 800-204, which covers security strategies for microservices-based applications, was published in March with a comment period that went through April. The final version of SP 800-204 was published in August. While important, Kiersten Todt, managing director of the Cyber Readiness Institute, says how the NIST framework — or any other — is used is more critical than what it contains.

“You can’t adopt the framework,” she begins. “The framework itself has 98 controls. Some companies are going to be able to use all 98. Many of them are not. So my point being that these are all tools that should be used as guidelines, but never destinations.”

Thoughtful Application
When considered as guidelines, the OWASP and NIST frameworks may be subject to constant revision. “You as a company have to constantly be assessing and reassessing your mission, your threat environment, your priorities, etc.,” Todt explains. “And so again, these are places to start, but they should be customized and they should be constantly assessed.”

As for the frameworks and technology organizations use to implement their controls, Postman’s Lane says perspective is critical. “Be wary of what’s next — that next shiny object to distract you from the hard work,” he says. “Don’t let it distract you from the hard work of identifying what your APIs are and following the loss guidance consistently across your teams.”

In the end, “Just be pragmatic and be thoughtful,” Lane adds.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/how-to-manage-api-security/b/d-id/1336646?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Half a billion here, half a billion there – pretty soon you’re talking real money: US Congress earmarks $425m for 2020 election security

US lawmakers have formally earmarked hundreds of millions of dollars for an election security overhaul.

On Monday, the Republican-controlled Senate and Democrat-owned House of Reps struck a deal to designate $425m for protecting tallies and voter rolls from tampering and snooping. The agreement is set to be formalized later this month when Uncle Sam’s spending budgets for next year are finally signed off. The election security money will be drawn from a $1.3tn nationwide pot authorized by a collection of 12 funding bills.

The deal may bring a close to the long-running debate between both parties on how much money should be spent on measures to prevent spies and criminals, foreign and domestic, from interfering in America’s voting process or tampering with ballots and counts in the upcoming 2020 presidential election. Infosec experts think it’ll take billions to fix vulnerable electronic voting systems, while most politicians think that’s too much to spend.

The $425m will reportedly be administered by the Election Assistance Commission (EAC), which will be doling out the cash on a state-by-state basis.

According to figures from the Brennan Center for Justice at New York University Law School, the allocation of funding will be based largely on population, and will range from $3m for smaller states like Wyoming, Vermont, and the Dakotas, to a high of $39m destined for California.

As the states will be required to match 20 per cent of the funding, the total amount is set to be a bit higher when all is said and done. The Brennan Center does note that the money will only cover a small portion of what it estimates is a minimum of $2.15bn that will be needed over the next five years.

“This near-term funding is the product of tireless work by a cross-partisan coalition of advocates and their supporters in Congress, as well as a critical acknowledgment from Congress that protecting our elections is a matter of national security,” the center stated. “However, the funding is only a first step, as many in Congress have acknowledged, and further action from Congress, the states and local election officials will be necessary in order to ensure that future elections are secure.”

Elections are not the only space set to get more security funding. A bipartisan Senate bill is asking for more money to be allocated for cybersecurity projects at US primary and secondary schools.

Senators Gary Peters (D-MI) and Rick Scott (R-FL) reached across the aisle to write up the K-12 Cybersecurity Act of 2019.


The bill, currently being handled by the Committee on Homeland Security and Government Affairs, would first see Congress fund a study into the state of data security at K-12 schools in the US. Then it would craft a set of recommendations and best practices for schools and district IT staff.

If recent reports are to be believed, those measures are sorely needed. According to security company Armor, this calendar year has seen 72 US school districts hit by ransomware, 11 of them since November alone.

“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools and municipalities are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” said Armor threat resistance unit head Chris Hinkley.

“This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/17/us_congress_election_funds/

Data Security Startup Satori Cyber Launches with $5.25M Seed Round

Satori Cyber aims to help businesses better protect and govern their information with its Secure Data Access Cloud.

The importance of data is a boon and challenge to today’s organizations, which rely on it to remain competitive but struggle to protect it. Providing employees with access to data that spans cloud stores and data warehouses can introduce security, privacy, and compliance risks.

Satori Cyber is a new startup emerging from stealth with $5.25 million in seed funding primarily led by YL Ventures. It aims to help businesses protect data as more teams, partners, and customers demand access. Its inaugural product is the Secure Data Access Cloud, a platform to give businesses capabilities they need to understand how data flows and who can access it.

Co-founder and CEO Eldad Chai met co-founder and CTO Yoav Cohen nine years ago, when the two were employees at Incapsula. When Incapsula was sold to Imperva in 2014, the duo continued to build security products as part of Imperva’s executive team. When the company was later sold to Thoma Bravo in late 2018, they started thinking about where they’d go next.

“We like to look at major business trends of the time and try to enable businesses to achieve those,” Chai says. “What we’ve seen in the past year is how companies have become more data-driven.” They noticed new cloud technologies and regulations create “a lot of friction” in achieving that goal and wanted to improve the process.

There are two types of strategies businesses take when trying to address data protection and governance, Chai continues. One is segregation, or breaking data into smaller chunks per use case. “The downside of that is it’s running a lot of infrastructure,” he notes. “It’s expensive and it slows down innovation because there’s no one place to access data.”

The second way is trying to piece together various controls on an existing platform in an attempt to achieve a greater level of visibility and control. “That’s cumbersome and costly in terms of time,” Chai says, and results in fragile implementation with a lot of manual overhead.

Satori’s Secure Data Access Cloud is “a proxy service that sits between consumers of data and data stores,” Cohen explains. The cloud-native platform sits in front of data stores and inspects both queries and results to build a map of how data flows across the environment and applies privacy policies, considering a person’s identity, data being accessed, and behavioral activity. It supports both software-as-a-service and customer-hosted deployment options, he adds.

“The platform sees every data transaction in the environment,” Cohen continues. “So it can identify whether it’s personally identifiable information, PCI, [and] data types of that sort to make sure sensitive information is not being exposed to people who shouldn’t be exposed to it.”
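What a result-inspecting proxy of that kind does at the row level can be sketched in a few dozen lines. The following is an added example, not Satori’s product or code: it classifies the columns of a query result by looking at the values (an e-mail pattern for PII, a 13 to 19 digit string that passes the Luhn check for a card number), then masks the sensitive columns unless the principal holds a role allowed to see that class, and returns an audit record of what it did. The rows, roles, regular expressions and masking formats are all constructed assumptions; a production proxy would also look at the query text and at behaviour over time, which is not shown.

```python
"""Result-set inspection for a data-access proxy: classify, mask by role, audit.

Added example, not Satori's code. Rows, roles, patterns and mask formats
are constructed for illustration.
"""
import re
from typing import Dict, List, Sequence, Set, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PAN_RE = re.compile(r"^\d{13,19}$")

# Constructed: which roles may see each data class in the clear.
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "pii:email": {"support", "dpo"},
    "pci:pan": {"payments"},
}

# Constructed sample result set; the card numbers are standard test numbers.
SAMPLE_ROWS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "card": "4111111111111111", "city": "Toronto"},
    {"id": 2, "email": "bob@example.org", "card": "5555555555554444", "city": "Vancouver"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates real-looking card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> str:
    """Classify one cell; anything unrecognised is 'none'."""
    if isinstance(value, str):
        if EMAIL_RE.match(value):
            return "pii:email"
        if PAN_RE.match(value) and luhn_ok(value):
            return "pci:pan"
    return "none"


def classify_columns(rows: Sequence[Dict]) -> Dict[str, str]:
    """A column takes a sensitive class when at least half its non-null values carry it."""
    votes: Dict[str, Dict[str, int]] = {}
    for row in rows:
        for col, val in row.items():
            if val is None:
                continue
            cls = classify_value(val)
            votes.setdefault(col, {}).setdefault(cls, 0)
            votes[col][cls] += 1
    result: Dict[str, str] = {}
    for col, counts in votes.items():
        total = sum(counts.values())
        cls, n = max(counts.items(), key=lambda kv: kv[1])
        result[col] = cls if cls != "none" and n * 2 >= total else "none"
    return result


def mask(value: str, cls: str) -> str:
    """Keep just enough for an analyst to recognise the record, never the secret itself."""
    if cls == "pii:email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if cls == "pci:pan":
        return "*" * (len(value) - 4) + value[-4:]
    return value


def proxy_results(rows: Sequence[Dict], roles: Set[str]) -> Tuple[List[Dict], Dict]:
    """Return the rows as the principal is allowed to see them, plus an audit record."""
    classes = classify_columns(rows)
    to_mask = {c for c, cls in classes.items()
               if cls != "none" and not (roles & ALLOWED_ROLES.get(cls, set()))}
    out = []
    for row in rows:
        out.append({c: (mask(v, classes[c]) if c in to_mask and isinstance(v, str) else v)
                    for c, v in row.items()})
    audit = {"roles": sorted(roles), "classified": classes, "masked_columns": sorted(to_mask)}
    return out, audit


if __name__ == "__main__":
    for roles in ({"analyst"}, {"payments"}, {"support"}):
        masked, audit = proxy_results(SAMPLE_ROWS, roles)
        print(sorted(roles), masked[0], audit["masked_columns"])
```

The audit record is the part worth keeping: it says which principal, holding which roles, received which classes of data in the clear, which is exactly the evidence a privacy or PCI review asks for later.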

Satori is primarily interested in data generated by applications and consumer data. It targets midsize to large data-driven enterprises with large amounts of regulated data and high demand for internal access and analysis, Chai says. This could include major SaaS platforms, financial technology companies, and large retailers, all of which have online revenue-generating services for consumers, collect the data, and employ internal teams to analyze it.

Cohen says what sets Satori’s product apart from others is it doesn’t tie to any specific data store platform organizations are using today. “The solution is unopinionated about your existing architecture,” he explains. “It can be deployed regardless of how you decide to architect or organize your data infrastructure.”

“We’re not asking companies to change the way they interact and use data,” Chai adds. “Companies have their own way of doing things … if companies want to change data platforms, they can do that.” What they have found, he adds, is it’s more effective to aim to provide visibility regardless of the data storage organizations already use.

Both Chai and Cohen are based in Tel Aviv, where the company plans to build its engineering team, while its go-to-market focus will be the United States. The company is starting with a team of ten, they say, and plans to recruit more as the product continues to progress.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/data-security-startup-satori-cyber-launches-with-$525m-seed-round/d/d-id/1336640?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Don’t Make Security Training a ‘One-and-Done’

How to move beyond one-off campaigns and build a true security awareness program.

Employee training plays a role in cybersecurity that is just as important as any technology. 

Too often, however, that training is approached as a one-off security campaign. Once the training activities are checked off the to-do list, they’re likely forgotten by both administrators and employees.

But security awareness isn’t a one-and-done problem. To address the expanding number of cybersecurity threats, companies need a comprehensive security awareness training program. The program should be well-designed and built to solve the company’s most pressing security problems. Creating a plan begins with a few critical steps:

  • Identify the essential security topics facing the organization.
  • Determine what type of information can best educate users about those topics.
  • Map out the security program, and determine the timing of each security campaign.
  • Create campaigns that build on each other.
  • If there is redundancy in the program, make sure it’s intentional, as part of a plan to retest end users on what they learned in previous campaigns.

How a Fortune 500 Company Revamped Its Approach
A Fortune 500 company we work with recently saw significant improvements in the results of its security awareness program after rethinking its approach. The company’s security awareness program is built around a cybersecurity ambassadors program, which worked with roughly 100 volunteers who helped spread the message about security awareness to their team or office. But that wasn’t enough. 

“What I was finding [is that] people are busy with their workloads, so security is the last thing on their mind,” explains one member of the company’s security awareness team. “To make the cybersecurity ambassadors program really successful, we needed to look at it as managing people.”

To take the program to the next level, the security awareness team changed the way it engaged with the ambassadors, increasing communication from monthly to weekly, keeping messages fun and attention-grabbing, and sharing intel and insights that make the group feel like insiders. The team also started giving ambassadors more opportunities to take the lead on security awareness projects and customize what works best for their team or location. These changes improved morale and got the ambassadors more invested in the program. 

The change in approach paid off. The organization went from a 42% click rate on simulated phishing attacks in March 2018 to just 5% by the end of the third quarter that year. 

The company also expanded its security awareness computer-based training program and increased the frequency of simulated phishing attacks. Initially, team members were only phishing half of the company’s population every other month. But they stepped that up in early 2018 to include all employees and started sending simulated attacks on a monthly basis.   

Team members say these changes helped them focus on repeat clickers because they were able to identify those individuals more quickly, increase their training, and work with them to improve. Once they started sending simulated phishing attacks more frequently, they also increased communication about reporting suspicious emails, and the combination was effective. Reporting to the incident department went from a 20% report rate to 68%. 

How Computer-Based Training Can Help
One reason that companies scramble to throw together one-off security campaigns at the expense of creating a valid program is that gathering and distributing the material and performing the testing takes time. If the program and specific campaigns aren’t planned ahead of time, administrators wind up reinventing the wheel every few months when it’s time for the next campaign. 

With the advent of security awareness computer-based training solutions, it’s possible to largely automate the creation and initiation of multiple security awareness campaigns. The programs are customizable, and administrators can choose from a variety of simulation templates, landing pages, risk assessment surveys, and other content, making it easier for program administrators to schedule related campaigns with recommended content, each component building on the previous one. Campaigns begin and end at specified intervals, and managers receive an email with their results report.

Building a Risk Profile
Having access to performance data from the campaigns is critical because it creates a two-way flow of information. Users must be aware of the security threats they face, and administrators need visibility into the risks the company faces from employees. An awareness program should provide data from each campaign that administrators can use to direct future training and education efforts.

That data shouldn’t just include what each user did, but also a snapshot of the state of their equipment and software. If users click on a risky link, they might also have other poor tech habits, such as having browsers or operating systems that need updating, old plug-ins, or unregistered software on their devices. The reports should also include IP address information so that an administrator can tell if employees are accessing confidential data on public Wi-Fi networks or not using a required VPN.

Having that data helps administrators make better assessments and gain a clear picture of the average risk profile among users. This is essential to building an accurate risk profile for the organization, so that administrators can then take the appropriate steps to address any problems or weak spots. Once the risk profile is established, it could mean more training, coaching, or even an investment in new software or hardware to ensure everything is up to date.
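To make the risk profile described above concrete, here is an added example (not code from the article or from Barracuda PhishLine) that aggregates constructed simulated-phishing records into per-campaign click and report rates and per-user profiles that combine click history with the posture data the section calls for; the record fields, the repeat-clicker threshold and the scoring weights are assumptions.

```python
from collections import defaultdict

# Constructed sample of simulated-phishing results (not real campaign data).
# One record per user per monthly campaign; the posture fields are the extra
# signals the article says a campaign report should carry beside the click.
RECORDS = [
    {"month": "2018-03", "user": "alice", "clicked": True,  "reported": False, "browser_outdated": True,  "vpn": False},
    {"month": "2018-03", "user": "bob",   "clicked": True,  "reported": False, "browser_outdated": False, "vpn": True},
    {"month": "2018-03", "user": "carol", "clicked": False, "reported": True,  "browser_outdated": False, "vpn": True},
    {"month": "2018-03", "user": "dave",  "clicked": False, "reported": False, "browser_outdated": True,  "vpn": False},
    {"month": "2018-04", "user": "alice", "clicked": True,  "reported": False, "browser_outdated": True,  "vpn": False},
    {"month": "2018-04", "user": "bob",   "clicked": False, "reported": True,  "browser_outdated": False, "vpn": True},
    {"month": "2018-04", "user": "carol", "clicked": False, "reported": True,  "browser_outdated": False, "vpn": True},
    {"month": "2018-04", "user": "dave",  "clicked": False, "reported": True,  "browser_outdated": False, "vpn": False},
]

def campaign_rates(records):
    """Per-campaign click rate and report rate, as percentages of recipients."""
    by_month = defaultdict(list)
    for r in records:
        by_month[r["month"]].append(r)
    rates = {}
    for month, rows in sorted(by_month.items()):
        n = len(rows)
        clicks = sum(r["clicked"] for r in rows)
        reports = sum(r["reported"] for r in rows)
        rates[month] = {"click_rate": round(100 * clicks / n, 1),
                        "report_rate": round(100 * reports / n, 1)}
    return rates

def user_risk_profiles(records, repeat_threshold=2):
    """Per-user profile: clicks across all campaigns plus posture flags from the
    most recent campaign. Users at or above repeat_threshold are flagged for
    the extra coaching the article describes for repeat clickers."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    profiles = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["month"])
        latest = rows[-1]
        clicks = sum(r["clicked"] for r in rows)
        issues = []
        if latest["browser_outdated"]:
            issues.append("outdated browser")
        if not latest["vpn"]:
            issues.append("no VPN")
        profiles[user] = {
            "clicks": clicks,
            "repeat_clicker": clicks >= repeat_threshold,
            "posture_issues": issues,
            "risk_score": 2 * clicks + len(issues),  # assumed weights: click 2, posture issue 1
        }
    return profiles
```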

That is the value of having a comprehensive security awareness training program versus a one-off campaign. Administrators can use the information they gather during each campaign to help improve the overall security awareness training initiative.

Security awareness computer-based training solutions give administrators the ability to quickly build programs from an existing library and automate data collection and reporting, which makes it easier for companies to run a professional, well-designed program without unnecessary effort. Ultimately, this allows administrators to spend more time dealing with risky employee behavior and addressing the underlying security issues that create those vulnerabilities.

Dennis Dillman is the VP of Security Awareness at Barracuda Networks. In his role at Barracuda PhishLine, Dennis has been responsible for the rollout of an entirely new training program that is now integrated with the PhishLine platform. He has also worked with Fortune 100 …

Article source: https://www.darkreading.com/careers-and-people/dont-make-security-training-a-one-and-done/a/d-id/1336584?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Siemens Contractor Sentenced for Writing ‘Logic Bombs’

David Tinley, 62, rigged software he wrote for the company starting in 2014 and into 2016, causing the programs to fail.

A Siemens Corp. contractor was handed a six-month prison sentence and a fine of $7,500 in US District Court for intentionally causing damage to the company’s computer systems.

David Tinley, 62, of Harrison City, Pa., from around 2014 to May 13, 2016, inserted logic-bomb code into programs he wrote for Siemens at its Monroeville, Pa., location. The malicious code triggered the software to malfunction. Siemens then would have Tinley fix the software issues — not knowing he had deliberately caused them.

After his prison sentence is completed, Tinley will be under court-ordered supervised release for two years.


Article source: https://www.darkreading.com/application-security/siemens-contractor-sentenced-for-writing-logic-bombs-/d/d-id/1336641?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple