STE WILLIAMS

Two-factor via your mobile phone – should you stop using it?

Our friends over at The Register just documented yet another real-world example of a cybercrime known as SIM swapping.

In its most up-front form, here’s the sort of thing that happens.

A crook walks into a mobile phone shop, lets himself get talked into a top-of-the-range new mobile phone to replace the one he says he just lost.

Fell out of his pocket as he was rushing for the ferry and vanished into the harbour, no point in trying to get it back, wouldn’t still be in working order even if it could be dredged up and recovered.

Pulls out his credit card (OK, not literally his credit card, in all likelihood, but a passable clone of someone else’s credit card), and “buys” the new phone.

In fact, he’s not buying it; in non-legalistic terms he’s stealing so he can sell it online the very same afternoon – at half its recommended retail price, he’ll go from listing to sale in a matter of minutes.

But that’s not all: while he’s about it, he gets a new SIM card to replace the one that’s now sunk in the harbour mud, because the new phone isn’t much use without his old number.

Of course, the mobile phone shop carries out an identity check – you can’t be too careful, after all, because you don’t want an imposter to be able to take over someone else’s phone number too easily!

Actually, you can be too careful: the guy just lost his phone, wasn’t expecting to need a new one so doesn’t have his passport with him, seems like a decent chap, and, if the truth be told…

…will probably walk out empty-handed, along with the tidy profit that would go with the sale, if he can’t buy the phone with a working SIM.

Why swap a SIM?

Our cybercrook just doubled his “returns”: as well as a stolen phone he can flog online, no questions asked, he’s also got someone else’s SIM card that he can use to get at their two-factor authentication (2FA) codes for a while.

Of course, it won’t just be anyone’s SIM card – he’ll have chosen the phone number of a victim for whom he already has login information such as usernames and passwords.

A SIM swap is therefore a simple, and annoyingly effective, way for a crook to hack your online accounts even after you turn on phone-based 2FA for added security.

That’s because mobile phone numbers aren’t actually phone numbers at all: they aren’t tied to your phone but to your SIM card, with the result that any 2FA process that depends on SMS messages is vulnerable to a SIM swap.

Ironically, SIM cards themselves are very secure: they’re as good as impossible to clone or to modify unofficially.

But the SIM card ecosystem as a whole has a weak point because almost any mobile phone shop can officially initiate the issuing of a replacement SIM card, where the mobile network ties a new SIM to an existing phone number.

That’s a bit like a country that redesigns its passports to make them much harder to forge, but doesn’t also improve the security surrounding the process of applying for a passport in the first place.

How to spot a SIM swap

If you’re the victim of a SIM swap, you do get a vague sort of early warning: your phone goes dead, because a SIM swap not only activates the newly issued SIM, but automatically deactivates the old one at the same time.

Sadly, you might not notice your phone is dead for a while, and even when you do, you can’t immediately tell whether it’s due to a permanent SIM swap, or a temporary network outage.

Eventually, you’ll figure it out, but at that point you can’t just call up and report the problem – because your phone no longer works!

Worse still, when you do get through to your mobile phone provider, they may think that you’re the imposter, given that you clearly aren’t the person who previously swapped out the SIM.

In the meantime, you’re locked out from your 2FA-protected accounts as well as from your phone, so you probably can’t get in yourself to kick the crooks back out.

(Typically, the first thing a crook will do with an ill-gotten logon is to go in and change all the authentication and account recovery settings, to make it as hard as possible for you to wrest back control of your account once you realise what has happened.)

What to do?

If you’re in the US, it’s worth remembering that the National Institute of Standards and Technology (NIST) recently updated its official “rules for passwords”, announcing that phone-based 2FA is no longer considered satisfactory, at least for the public sector.

NIST formed the opinion that the lack of control over the issuing of new SIM cards – something that can be initiated in almost any mobile phone shop – means that phone-based 2FA simply isn’t good enough to serve as a “tamper-resistant” part of any government 2FA system.

If you’re worried about the risks of SMS-based 2FA for your own accounts, consider switching to an app-based authenticator instead, such as the one built into Sophos Free Mobile Security (available for Android and iOS).

Of course, the security of an authenticator app depends on the security of your phone itself, because anyone who can unlock your phone can run the app to generate the next code you need for each account.

Be sure to set a strong lock code or passphrase – and use a recent phone model that is still officially and actively supported with security patches.
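To make concrete why an authenticator app is immune to a SIM swap, here is an added example (not code from the article, and not the Sophos app’s own implementation) of standard time-based one-time passwords as specified in RFC 6238: the code is an HMAC of a shared secret and the current 30-second time step, so neither the phone number nor the SIM is involved at all. The secret used below is the well-known RFC 4226/6238 test key, chosen so the output can be checked against the published vectors; the `verify_totp` helper also shows two server-side details a practitioner would want, tolerance for small clock drift and refusal to accept a code twice.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Only the secret and the clock matter; the SIM/phone number plays no part."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matching time-step counter, or None.

    - `window` accepts neighbouring steps so a slightly drifted phone clock
      still works (RFC 6238 recommends at most one step either side).
    - Counters at or below `last_counter` are refused, so a code that was
      already accepted (or intercepted and submitted again) cannot be replayed.
    - Comparison is constant-time to avoid leaking digits via timing.
    """
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def make_secret(nbytes: int = 20) -> str:
    """Generate a fresh random secret and base32-encode it, which is the form
    authenticator apps expect when enrolling (e.g. via a QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Provisioning URI in the otpauth:// format that authenticator apps scan.
    Issuer and account names here are constructed sample values."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


# Constructed sample: the RFC 4226 / RFC 6238 test key "12345678901234567890".
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 vector: T=59 with 8 digits gives 94287082 (6 digits: 287082).
    print("code at T=59:", totp(TEST_SECRET, 59, digits=8))
    print("accepted step:", verify_totp(TEST_SECRET, "287082", 89))   # drift tolerated
    print("replayed code:", verify_totp(TEST_SECRET, "287082", 59, last_counter=1))
    print("enrolment URI:", otpauth_uri("ExampleCorp", "alice@example.test", make_secret()))
```

Because the verifier above derives the expected code from a secret held only by the server and the enrolled device, an attacker who takes over the victim’s phone number learns nothing; the remaining attack surface is the device itself and the enrolment step, which is exactly why the article’s advice about a strong lock code and a patched phone matters.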

Also, whether you use SMS-based 2FA or not, contact your mobile provider to find out whether they have additional security you can apply to your phone account.

This additional security is typically still prone to social engineering, where a crook with the gift of the gab talks someone in the support team into skipping one or more important security steps, but it’s better than nothing at all.

Oh, and if your phone goes dead unexpectedly, especially when friends and colleagues on the same network have good signals and you would expect the same…

…try borrowing a phone and calling your provider, just in case.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lyd6MbWKhSw/

Mark your calendar for the net neutrality Day of Action

As the Trump-era FCC moves to repeal net neutrality, the deadline for new comments on its proposal is rapidly approaching: July 17. With that, a diverse coalition of supporters of the current net neutrality rules are planning a last-ditch mass internet protest for tomorrow, July 12: Battle for the Net’s “Internet-Wide Day of Action to Save Net Neutrality.”

Among other actions, Battle for the Net is encouraging websites or mobile apps to display banners or other content demonstrating how they believe they and their users will be disadvantaged if net neutrality is repealed. For example, some sites will display “spinning beachball of death”, “blocked,” or “upgrade” alert modals that ask users to imagine cable companies interfering with the equal delivery of their content, and encourage users to contact the FCC and Congress to defend the existing rules. (These alerts won’t actually slow down the sites that use them.)

Some mobile apps could send push notifications to users; others are using a video bumper to explain their views on net neutrality and to encourage citizens to act. According to Battle for the Net, the gaming platform Discord and the dating site OKCupid will each promote action through in-app messages.

Battle for the Net’s diverse coalition encompasses a wide variety of organizations, companies and content providers worried about the elimination of rules that at present prevent ISPs from playing favorites in delivering content. A sampling of coalition members: GitHub, Etsy, Kickstarter, Twitter, Vimeo, Reddit, Y Combinator, Mozilla, Electronic Frontier Foundation, Automattic (WordPress), The Internet Association, the ACLU, the American Library Association, Pornhub, BitTorrent, boingboing, Color of Change, Consumer Reports, Creative Commons, DailyKos, Dropbox, DuckDuckGo, Funny or Die, Greenpeace, Medium, MoveOn.org, O’Reilly, Slashdot, Soundcloud, Spotify, the World Wide Web Foundation, and Yelp. More than 100 leading YouTube content creators with a collective audience of 150,000,000 also wrote to support keeping net neutrality.

Netflix has also joined the protest, even after its CEO questioned how much it still cared about net neutrality now that it’s powerful enough to make its own deals with major ISPs. While Google and Facebook aren’t listed as members of Battle for the Net, according to The Verge, they’ve both confirmed that they’ll participate in the protest.

We’ve covered net neutrality several times before; for example, here and here (with links to FCC commissioner Ajit Pai’s defense of his plans to gut it, and one of many fierce responses). The FCC’s 75-page proposal, well worth exploring, is here. Business Insider provided a great step-by-step walkthrough of how to comment pro or con here, and former FCC official Gigi Sohn recently served up excellent advice on how to go beyond a generic comment and write one that’s more meaningful and impactful.

Some of Sohn’s tips include: write about how net neutrality affects you personally; write about what you think you’re buying when you purchase broadband Internet access; write about what choices you do or don’t have in purchasing internet service right now.

If you support net neutrality, why bother to comment, when two of the FCC’s three commissioners have made it clear that they consider it dead meat? Net neutrality’s defenders say they want to build the strongest possible public record for use in court by those who intend to sue once the FCC overturns the rules.

Strong, coherent, compelling public comments in large numbers have been known to influence courts considering whether an agency acted in ways that were arbitrary and capricious. (Profane comments, form letters, comments by “Mickey Mouse,” or comments generated by bots, are rather less effective in making this point.)

After the July 17 comment deadline, you’ll have a few weeks to reply to others’ comments, and then the FCC will vote. If, as everyone expects, it votes 2-1 to eliminate net neutrality, it’s on to court – and if you’d like your views considered there, now’s the time to state them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yWWlhAWlcN8/

News in brief: dark web sites attacked; radio station pwnd; Russian hacker jailed for nine years

Your daily round-up of some of the other stories in the news

Dark web host breached

More bad news for users of the dark web: just days after AlphaBay, one of the biggest souks on the dark web vanished, hosting company Deep Hosting suffered a breach which led to “some sites [being] exported”, according to Bleeping Computer.

Deep Hosting said that a user calling himself Dhostpwned had registered a shared hosting account and then used it to upload two shells, one of which was able to execute, leading to some sites apparently being exported.

The PHP shell seems to have affected more than 90 sites, according to a page posted by the hosting company. “A large part of the PHP shell is unusable since a certain number of functions are blocked on the shared servers but one function was not blocked. The attacker was able to access the server and execute a command with limited rights.”

The attack took place over the weekend and it was apparently 24 hours before the Deep Hosting admins were able to patch their servers. “We believe that some sites have been exported,” they said, adding: “It is possible that the linked databases were also recovered.”

Since these sites include marketplaces where drugs are sold, malware repositories and carding forums, there is bound to be anxiety among users about who has got what data.

Radio station pwnd

Listeners to a local radio station in the English Midlands have been surprised a few times over the past month or so when the regular programming was knocked off air by a pirate using his or her own transmitter to hijack the station, Mansfield 103.2, and play a comedy but decidedly NSFW song from the late 1970s.

The song, by a band called Ivor Biggun – led by 1970s and 80s TV star Doc Cox – has popped up at least eight times in the past month, and broadcasting watchdog Ofcom has launched an investigation to find the pirate who keeps pwning the radio station.

Ofcom says it’s taking the hijacking of the station extremely seriously. Tony Delahunty, the managing director of Mansfield 103.2, pointed out to the BBC that “it exposes a situation that is available for – who knows, a terrorist, that type of person, some idiot who wants to put emergency messages on. It could become an awful lot worse.”

His listeners’ responses have been mixed, he added. “We have had calls from people who have found it hilarious, while some have raised their concerns, including our competitors, and a lot of people in the industry are aghast at how difficult it is to stop these people.”

Russian hacker jailed for nine years

A prolific Russian hacker who stole tens of thousands of credit cards via a banking trojan botnet has been sentenced to nine years in prison, the Washington Post reported.

Alexander Tverdokhlebov, 29, born in Russia but now a US citizen who lives in Los Angeles, operated a botnet controlling half a million computers, according to US investigators, and put up for sale the details of at least 40,000 stolen credit cards between 2009 and 2013.

Tverdokhlebov lived an expensive lifestyle as a result, said prosecutors, keeping $272,000 in cash in safety deposit boxes in LA and Las Vegas. He told the federal court in Alexandria that he would “try to redeem myself”. The judge, TS Ellis, told Tverdokhlebov: “You’re a talented young man. You never thought you would be caught.”

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8kPUGRx3hWQ/

Insurers may have to adjust policies to reflect ‘silent’ cyber risks

Insurers whose policies could give rise to claims for damage as a result of cyber attacks may have to adjust their policies or premiums to better reflect these risks, UK financial services regulatory body the Prudential Regulation Authority (PRA) has warned.

Firms should also carry out regular ‘stress tests’ to ensure that they are properly resourced to respond to a large number of claims at one time in the event of a major global cyber attack, according to the regulator.

The PRA has set out its expectations of insurers that underwrite cyber-related losses, whether as a result of cyber attacks or of accidental or non-malicious acts, such as loss of data. It has published a supervisory statement on the topic, which it has now finalised following a consultation exercise last year.

Dedicated cyber insurance is currently offered by only a limited number of UK insurers. However, a recent report by PwC estimated that the global cyber market would double to $5 billion in annual premiums by 2018 and treble to at least $7.5 billion by 2020. In March, the UK’s Institute of Directors warned that a “worrying” number of UK businesses had no plan in place to respond to a cyber attack, with just 56% of respondents to a survey confirming that they had a formal cybersecurity strategy in place.

In its supervisory statement, the PRA said that it expected insurers to be able to “identify, quantify and manage” their exposure to cyber security risk. This should include their explicit, ‘affirmative’ exposure through dedicated cyber insurance policies; and their implicit, ‘non-affirmative’ or ‘silent’ exposure, through property and casualty policies that do not explicitly include or exclude coverage for cyber risk.

Insurers should take particular care in relation to this ‘silent’ exposure, and “introduce measures that reduce the unintended exposure to this risk”, the PRA said. These measures could include adjusting the premium to reflect cyber risks and offering explicit cover; introducing “robust” exclusions; or attaching specific limits of cover, it said. Insurers should also make “adequate capital provisions that clearly link with this risk”, in the same way as they would for any other risk type, the PRA said.

Insurers could choose to extend specific products or lines of business to include cyber cover at no extra premium, the PRA said. However, before making this decision, the insurer’s board would be expected to carry out a “comprehensive assessment of the potential resulting losses” to ensure that the insurer’s exposure to cyber risk fell within its stated risk appetite, the PRA said.

“The short-to-medium term aim is to enhance the ability of firms to monitor, manage and mitigate non-affirmative cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold,” the PRA said in the statement.

“The PRA expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort,” it said.

Elsewhere in the statement, the PRA said that it expected firms underwriting cyber risk to have “clear strategies” on the management of these risks, owned and reviewed on a periodic basis by the board. Firms should also ensure that their knowledge and understanding of cyber insurance and associated risk was “fully aligned to the level of risk and any growth targets in this field”, it said.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/pra_insurers_may_have_to_adjust_policies_to_reflect_silent_cyber_risks/

Ghost of NTLM still haunts Microsoft: Aged protocol hole patched

Computer security biz Preempt warned last October that Microsoft NT LAN Manager (NTLM) should be avoided. On Tuesday, it plans to support its assessment by going public with details of two vulnerabilities.

NTLM is an old authentication protocol. Though it was replaced by Kerberos in Windows 2000, Microsoft has not removed the code and it continues to be used.

As Preempt describes it, NTLM has weak encryption, weak nonces, no multi-factor authentication, and no mutual authentication, making it susceptible to replay and man-in-the-middle attacks.

“NTLM is risky and should be used with caution (if not totally restricted) in your organization’s network,” said Yaron Zinar, a security researcher at Preempt, in a blog post last year.

In April, Preempt contacted Microsoft to alert the company to LDAP and RDP Relay vulnerabilities in NTLM.

LDAP, it seems, fails to adequately protect against credential forwarding.

“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user,” said Zinar in a blog post provided in advance to The Register. “To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI), which allows downgrade of an authentication session to NTLM.”

Preempt also finds fault with RDP Restricted Admin, which offers administrators a way to connect to remote systems without exposing credentials. The security biz discovered that this particular mode allows downgrading to NTLM for authentication negotiation.

So in theory, credential relaying and password cracking attacks on NTLM can be carried out against RDP Restricted Admin. And in conjunction with the LDAP relay flaw, an attacker could create a rogue domain admin whenever an admin utilized RDP Restricted Admin.

Microsoft acknowledged the NTLM LDAP flaw in May, giving it CVE-2017-8563, and dismissed the RDP flaw by telling Preempt it represents “a known issue.”

The Windows giant plans to issue a fix on Tuesday as part of its regularly scheduled patch routine. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/microsoft_patches_nt_lan_manager/

Russia, China vow to kill off VPNs, Tor browser

Russia and China are banning the use of virtual private networks, as their governments assert ever greater control over what citizens can see online.

In Russia, the State Duma – the lower house of the Federal Assembly of Russia (legislature) – unanimously adopted the first reading of new legislation that would ban the use of VPNs as well as online anonymizers like the Tor browser if they don’t block access to a government-run list of websites.

That list of websites will include any sites that provide software that can circumvent censorship. And, most insidiously, the law will require search engines to remove references to blocked websites so citizens don’t know what it is they are not allowed to see.

The legislation was approved in record time after the director of the FSB intelligence agency, Alexander Bortnikov, gave an hour-long talk to Duma deputies in a closed meeting, in which he said how important it was that the law was passed and passed quickly. Attendees were told not to report that the meeting even took place, apparently.

In a note explaining the law, Duma deputies argue that the law is necessary because the existing censorship apparatus in place is “not effective enough.”

A second law that also passed its first reading this month will require mobile phone operators to:

  • Identify specific users
  • Block messages if requested to do so by the state
  • Allow the authorities to send their own messages to all users

Any companies that fail to comply with the rules can be fined up to one million rubles ($16,500).

Far East

Meanwhile, China has started enforcing its rules, approved in January, that do pretty much the same thing.

The Chinese government requires all VPN services to apply for a license, and as part of the license requirements, they are expected to block access to websites and services the Chinese government doesn’t approve of.

Now the government has “requested” that the country’s three mobile operators block the use of VPN apps on their networks, and has set a hard deadline of February 1 next year. Chinese users in their millions use VPNs as a way of bypassing widespread online censorship that blocks services such as Facebook and Twitter as well as many Western news websites.

The Ministry of Industry and Information Technology said back in January that the VPN and cloud computing market was undergoing “disorderly development,” and as such there was an “urgent need for regulation norms.”

That followed a largely ineffective effort to kill off VPNs back in 2015. But this time the government seems more determined to enforce censorship.

Earlier this month two VPN services – Green VPN and Haibei VPN – said they were shutting down their services in mainland China, having received a “notice from regulatory departments.”

The government also recently passed new rules that will censor information that does not reflect “core socialist values” – in effect banning discussion on topics such as drugs and homosexuality. Previously, Chinese internet users had grown used to a censored version of the internet built largely around protecting the ruling party by limiting political debate.

It’s unclear whether the same rules will apply to the political elite, however. The architect of China’s Great Firewall himself used one publicly in a presentation last year when he found himself blocked by his own creation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/russia_china_vpns_tor_browser/

It’s July 2017 – and your expensive HoloLens can be pwned over Wi-Fi

Microsoft’s HoloLens may only be in the hands of developers, but that hasn’t stopped researchers from finding major security holes in the augmented reality headset.

Critical fixes for HoloLens were among the 57 CVE-listed flaws Redmond had to address in this month’s edition of Patch Tuesday. Of the 57 bugs blasted in various Microsoft products, 19 are listed as critical and 24 could potentially allow for remote code execution. Four vulnerabilities were disclosed publicly before today’s patches landed, but none are being targeted in the wild at the moment.

In addition to security fixes for the usual suspects – Internet Explorer, Edge, Windows, and Office – the July updates include patches for exploitable bugs in .NET Framework and Microsoft Exchange Server.

Just one of the four publicly known vulns is considered critical, and fortunately it is for a product not many people are using at the moment: Microsoft HoloLens.

CVE-2017-8584 is a remote code execution vulnerability present in the handling of Wi-Fi packets by the HoloLens firmware. Microsoft says an attacker who exploited the flaw (via a malformed Wi-Fi packet) would then be able to take control of HoloLens, including the ability to “install programs; view, change, or delete data; or create new accounts with full user rights.”

As is usually the case, the bulk of the critical fixes apply to the Internet Explorer and Edge browsers. Those include memory corruption errors in both browsers as well as multiple memory corruption flaws in the Scripting Engine for both browsers that would allow a malicious webpage to achieve remote code execution.

Also catching the eye of security researchers is CVE-2017-8463, a remote code execution flaw in Windows Explorer that is considered critical in all supported versions of Windows and Windows Server.

“An attacker would need to use a bit of social engineering to successfully achieve code execution,” writes Dustin Childs of Zero Day Initiative.

“They would need to share both a folder and a piece of malware named with an executable extension, and then trick the user into thinking that the malware was the folder. These types of bugs are commonly used in phishing campaigns and ransomware attacks.”

Buried elsewhere among the fixes is a months-old flaw in the Microsoft NT LAN Manager. That vulnerability, detailed to The Reg by researchers at Preempt, would potentially leave the door open for man-in-the-middle attacks.

Office, meanwhile, is once again the subject of remote code execution vulnerabilities (CVE-2017-0243, CVE-2017-8501, CVE-2017-8502) that can be exploited by opening malformed documents. Because the exploit requires the user to manually launch the files, the bugs are reduced to “important” status by Microsoft, though many admins know all too well that users can be tricked into opening an attachment just as easily as clicking on a link.

Meanwhile, Adobe has a (relatively) meager three CVE-listed vulnerabilities to clean up in Flash Player this month. Of those, one (CVE-2017-3099) is a critical memory corruption bug, another (CVE-2017-3080) allows security feature bypass, and the third (CVE-2017-3100) allows memory addresses to be leaked.

While Adobe is releasing the Flash Player patch for Windows, macOS and Linux, users running Chrome, Edge and Internet Explorer 11 (Windows 8.1 and later) should get the updates automatically. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/11/microsoft_july_patch_tuesday/

The High Costs of GDPR Compliance

Looming, increasingly strict EU privacy regulations are pushing privacy spending to the top of IT priorities and budgets.

While security is all about locking down data, privacy is all about protecting that data while it’s being used to drive business value. In an increasingly data-driven business environment, the companies that are best equipped to turn their data into insight are gaining measurable advantage over the competition. This includes gathering information from customers’ data to feed your next marketing campaign, or predicting individual consumer behavior based on understanding clicks on a website.

In order to successfully and legally use data for business purposes, companies must comply with a number of state, national, and regional regulations. Recently, it has been the European Union’s (EU) General Data Protection Regulation (GDPR) that is occupying the minds of privacy professionals. In less than a year’s time, GDPR, the most sweeping change to data protection in the past 20 years, will go into effect and its impact will be felt by every organization that does business in the EU, or handles personal information of EU citizens in any manner.

To understand the status of US companies’ efforts to meet privacy mandates in general, and in particular, to meet the May 25, 2018 GDPR deadline Dimensional Research conducted a survey among more than 200 privacy professionals this past May. I’ve been associated with privacy and security companies since the 90s, and there are a few findings from the research that are particularly noteworthy.

The Job of Privacy is Getting Harder
Among the respondents, privacy is the sole job function for more than a third and an important part of the job for more than 60%. For the vast majority (98%) of these privacy professionals, the job of managing privacy is becoming increasingly complex. More than half describe the task as significantly more complex. At the same time, 96% of respondents say that the importance of managing privacy is increasing, with almost 70% noting that it’s becoming significantly more important.

For US privacy professionals, their role is becoming more important while the complexity of their job is increasing. Whether or not that means these privacy professionals feel empowered – or up to the challenge – in their roles is an open question. There’s a hint of an answer, though, if we look at the help respondents say they need most in order to comply with GDPR. 

GDPR Planning: Urgent, Costly
When asked where privacy professionals need the most help, complying with data privacy requirements and developing a GDPR plan topped the list at 39%, followed by addressing international data transfers (36%) and meeting regulatory reporting requirements (30%).

A majority of respondents (61%) haven’t yet begun implementing their GDPR readiness plan. The survey homed in on exactly the support these privacy professionals need to become compliant. The results: creating new policies and processes (69%), obtaining privacy expertise to understand regulations (63%), and technology and tools to automate and operationalize data privacy (48%). For larger companies with at least 5,000 employees, the need for technology jumped to almost 60%; for smaller companies with 500-1,000 employees, it was 36%.

To find a solution to their GDPR woes, all of the respondents report that they will invest in resources such as consultants, new hires, and technology to help prepare for next year’s May deadline. A full 99% will invest in additional capabilities. A scant one percent seems to be all set!

Privacy Spending: ‘Significantly’ Increasing for Half
It gets really interesting, however, when we start looking at the financials. Nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up. If we dive even deeper into the numbers we find:

  • 83% of US privacy professionals expect GDPR spending to be at least $100,000
  • Of those, 17% expect to incur costs over $1 million
  • 40% of companies plan to spend at least $500,000 to become GDPR compliant

And the bigger the company, the bigger the investment:

  • One in four companies with more than 5,000 employees expect to spend over $1M on GDPR compliance
  • One in five companies with 1,000-5,000 employees expect to spend over $1M on GDPR compliance
  • One in 10 companies with 500-1,000 employees expect to spend over $1M on GDPR compliance

Security has dominated the industry for 20 years for good reason, but with increasingly strict regulations forcing rigid compliance, privacy is bubbling to the top of IT priorities and budgets. These are certainly significant investments. Given the complexity of privacy management in general, and GDPR compliance in particular, it’s no wonder that privacy professionals need much greater resources to design and deploy processes and technology solutions. This is a clear message that the privacy industry must keep pace with customers’ privacy needs, and provide the solutions and approaches to protect consumers’ data and their companies’ confidential information.   

As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently …

Article source: https://www.darkreading.com/endpoint/the-high-costs-of-gdpr-compliance/a/d-id/1329263?_mc=RSS_DR_EDT

HyTrust Raises $36M, Buys DataGravity for Policy Enforcement

Cloud security firm HyTrust closed $36 million in Series E funding and purchased DataGravity to automate policy enforcement for workload data.

Workload security provider HyTrust has announced it raised $36 million in Series E funding. A portion of this new round of investment will fund the acquisition of data security firm DataGravity, the company said today.

HyTrust will also use its new funds to drive product development, as well as sales and marketing efforts, at a critical time for the cloud security solutions industry. Forrester anticipates the market will grow 28% each year, from $1.5B in 2017 to $3.5B in 2021.

The acquisition will help HyTrust automate security policy enforcement for workload data. It plans to leverage DataGravity’s data discovery and classification expertise to build on its tools for protecting information in the cloud.

“The acquisition will accelerate the expansion of HyTrust’s platform capabilities and capitalize on the high-growth cloud security market,” said HyTrust co-founder and president Eric Chiu. “DataGravity’s data discovery and classification capabilities support HyTrust’s mission to deliver a security policy framework that provides customers with full visibility, insight and enforcement of policy across workloads.”

Terms of the deal were not disclosed, though members of the DataGravity team will be joining HyTrust. DataGravity was founded in 2014 and had raised $92 million in funding.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/hytrust-raises-$36m-buys-datagravity-for-policy-enforcement/d/d-id/1329324?_mc=RSS_DR_EDT

Securing your Cloud Stack from Ransomware

Poor configuration, lack of policies, and permissive behaviors are three factors that can leave your cloud infrastructure vulnerable to ransomware threats.

For enterprises that use the cloud, the key to being protected starts with understanding the layers that make up the components of their cloud stack. These different layers create multiple potential targets, and for the informed, they each represent a piece of the cloud environment that can be secured against potential threats.

Ransomware, for example, doesn’t have to be terribly complex stuff. To be effective, it just needs access. By paying attention to the different pieces of the cloud stack, and addressing their unique security needs, your environment can be far more resistant to ransomware threats.

Image Source: Evident.io

Identity Management
Besides enforcing secure passwords and multifactor authentication (MFA), apply the “least privilege roles” concept: give users access only to the fewest accounts and systems they need to be productive. This limits the damage that can be done if a mistake is made or a bad actor gets control of the account.

Secure the Cloud Compute Layer
Take steps to secure your compute layer to ensure availability of systems and data, and to keep bad actors from using your compute power to further spread malware across your business and the Internet. The first step here is to enable secure login by issuing SSH keys to individuals.

Use a Jump Host
A jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. It is an extra step that adds a layer of security complexity to keep hackers out of your system. As the single administrative entry point, be sure to take steps to protect this server and maintain strict access controls. Also, be sure to turn on logging so you can audit all activity. And if this one server does get owned, you can tear it down and create a new jump server with the push of a button.

Create Hypervisor Firewall Rules
The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens the leaking of your intellectual property, it is important to ensure you have outbound rules that are explicitly declared.

Only Use Trusted Images
Build your images or templates from scratch or get them from very trusted sources like AWS or Microsoft. Don’t use the ones you find on Stack Overflow or on random message boards or communities. The hackers have gotten clever enough to respond to hot topics and embed malware into packages and templates.

Manage Data Access for Cloud Storage
Identity and Access Management (IAM) policies and Access Control Lists help you centralize the control of permissions to your storage. Bucket policies allow you to enable or deny permissions by accounts, users, or based on certain conditions like date, IP address, or whether the request was sent with SSL.

Encrypt, Encrypt, Encrypt
When using public cloud infrastructure, it is imperative that your data is encrypted both in transit and at rest. There are many great encryption tools and services that will help with each. Note that the metadata (the data describing what you’re storing) is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.

No Delete Rights or MFA for Delete
You can set up roles in your cloud infrastructure that do not allow the user to delete any data. This protects you in case an attacker has gained control of a user’s account. In that case, attackers may be able to access the data, but they can’t delete it, which is usually what is threatened in ransomware attacks. Also, in most cloud storage solutions you can enable a feature that requires the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won’t be able to delete your data if they get access, unless they’ve got your MFA key.
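An added example (not from Evident.io or the article) of how the storage controls above translate into one AWS S3 bucket policy: deny any request not sent over TLS (aws:SecureTransport), deny requests from outside an approved network range (aws:SourceIp), and deny deletion and versioning changes to every principal except one break-glass role. The bucket name, the 203.0.113.0/24 range, the account ID 111122223333 and the role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-backups-bucket",
        "arn:aws:s3:::example-backups-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyRequestsFromOutsideApprovedRange",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-backups-bucket",
        "arn:aws:s3:::example-backups-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] }
      }
    },
    {
      "Sid": "DenyDeleteExceptBreakGlassRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::example-backups-bucket",
        "arn:aws:s3:::example-backups-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": { "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin" }
      }
    }
  ]
}
```

MFA Delete itself is not a bucket-policy setting: it is switched on in the bucket’s versioning configuration (versioning must already be enabled), and only the account’s root user, presenting the MFA device serial number and current code, can turn it on or off. A source-IP deny also blocks requests that originate inside AWS (for example from your own EC2 instances) unless their addresses are in the list, so check the range against every legitimate caller before applying it.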

Don’t Allow Services to Call Home to SaaS Systems Like GitHub
All it takes is for a bad actor to get access to your Git repo, and they can infect and potentially get access to more of your systems the next time one of your systems calls home. A better option is to store your Git or code repositories securely in your own cloud environment.

Our Evident security platform analyzes more than 10 billion events every month, and we see that poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and …

Article source: https://www.darkreading.com/partner-perspectives/evidentio/securing-your-cloud-stack-from-ransomware-/a/d-id/1329323?_mc=RSS_DR_EDT