STE WILLIAMS

What’s the last piece of software you’d expect to spy on you? Maybe your enterprise security suite? Bad news

Enterprise security, analytics, and hardware management tools – the very tools used to keep data safe – are collecting and sharing far more information than customers might think.

So says the team from ExtraHop, an analytics firm that studied the networks of its customers and found that in many cases their security and analytic software was quietly uploading information to servers outside of the customer’s network without their knowledge.

While not naming names, ExtraHop’s report outlines four different use cases where it found enterprise security tools were sending out data without first alerting administrators. These included endpoint security software, device management software for a hospital, surveillance cameras, and security analytics software used by a financial institution.

In each case, ExtraHop said the software was transmitting data off-site. In some cases (such as the hospital’s device management and the financial firm’s analytics tool) there were also potential legal risks from exposing sensitive information to third parties.

“Enterprise organizations put massive volumes of data into the hands of third-party vendors. In some cases, like SaaS applications, it’s explicit that enterprise data will live within a third-party environment,” the ExtraHop report explains.

“With other products, particularly those that live within the enterprise data center or cloud infrastructure, exactly how much data those vendors “phone home” to their own environment for things such as analysis can be a lot less clear.”

The report notes that simply collecting and transmitting data is not in itself illegal or risky behavior, so long as it is done right and with the customer’s knowledge. In these cases, however, the dangerous behavior was clear.


The security camera, for example, was found to be transmitting data to an IP address in China that was flagged for hosting malware, and the analytics software may have violated the US Gramm-Leach-Bliley Act by transmitting personally-identifiable information overseas. In another case, staffers found software that had supposedly ended its trial period without purchase was still collecting information for at least two months afterwards.

ExtraHop notes that while there may not be any malicious activity in these cases, they each underscore the need for administrators to keep an eye on what applications are moving data over the network and periodically take stock of the software running and what information it is accessing.

“To be clear, we don’t know why these vendors are phoning home data. The companies are all respected security and IT vendors, and in all likelihood, their phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration,” the report notes.

“But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer’s knowledge or consent is problematic.” ®

Sponsored:
Balancing consumerization and corporate control

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/31/security_suite_data_slurp/

Keep Your Eye on Digital Certificates

X.509 certificates help secure the identity, privacy, and communication between two endpoints, but these digital certificates also have built-in expirations and must be managed.

As every security professional quickly learns, trusted relationships must be managed. And digital certificates – a standardized, encrypted exchange of credentials between two endpoints – have been the medium for managing trust online for more than two decades.

Digital certificates aren’t particularly complex from a technical perspective. But they do sport a built-in expiration date that if ignored can bring operations to a screeching halt. While most users manage their certificates manually, a host of products and services have emerged to simplify the task. More on this in a minute.

Digital certificates were originally introduced to keep buyers and sellers in sync in early e-commerce applications. But in the past few years certificates have become essential for all websites, thanks to a change in Google’s search algorithms that gives greater preference to URLs using digital certificates. Sites with digital certificates show up in the browser bar as https://; a small green padlock graphic appears in the URL bar of some Web browsers for TLS-protected sites. Non-certificated sites render their address with plain, old http://.

In addition to Google search changes, the Internet of Things (IoT) is also making the market more active. Digital certificates are increasingly being tapped by organizations to better secure IoT’s galaxies of instrumented, automated endpoints, experts say.

“Every IoT device needs a certificate to pair up with the mothership that [shows] all the rights and protections are there,” notes David Collinson, senior director and analyst at Gartner.

Recent statistics pegged the 2018 global market value of digital certificates at $76.2 million, forecasted to grow about 10% annually to $123.8 million in 2023, according to Research and Markets.

Nuts and Bolts
In a nutshell, digital certificates help organizations ensure identity, privacy, or both. They establish “mutual nonrepudiation”: a sender can’t deny sending a message or transaction, and a receiver can’t deny receiving it. While a would-be user can create his own digital certificate, an individual or an organization more typically applies to a trusted third party called a certificate authority (CA).

Using the X.509 standard, which is essentially a standard for how Public Key Infrastructure (PKI) information gets formatted and exchanged, the certificate is issued for a fee with a number of unique fields, including a serial number, subject (applicant’s name), usage information, the public key, the associated signature algorithm, and the signature of the issuer.

The certificate also contains “not before” and “not after” fields, which specify how long it’s valid. The maximum term of a digital certificate is 27 months – 825 days, to be exact, though most CAs will limit the term to 24 months to help certificate holders avoid inadvertent expiration.

While digital certificates once used Secure Sockets Layer (SSL) as their communications protocol, that’s since given way to Transport Layer Security (TLS) as the means for two entities to exchange PKI information and verify the integrity of their connection.

Managing Your Certificates
Certificates need to be managed … just ask any Mozilla user. While it’s not clear whether the issue was neglect or something else, the add-ons for the Firefox Web browser were disabled in early May after the supporting digital certificates expired. Mozilla started requiring digital certificates for add-ons in mid-2016. A workaround was issued within a week, but not before Mozilla incurred lots of trouble tickets and grumbling in user forums.

If you’re managing fewer than 100 digital certificates, you can likely use a time-honored management template: the spreadsheet. Some infosec pros get even more basic than that with pen and paper, but a digital document is more easily shared.

“I have a lot of clients with thousands of [endpoints] who do this on a spreadsheet,” says John Pironti, president of security consultancy IP Architects. “They just put them in the calendar with an expire alert.”

If your workload is exponentially larger, a variety of digital certificate management products are available from vendors including Venafi, Webroot, and Cybereason. They make sure certificates are renewed before their expiration dates and promise seamless security and connectivity.
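As an added example (not code from the article or from any vendor it mentions), the following Go program shows what the “not before”/“not after” check behind a certificate inventory looks like: it parses a PEM bundle with Go’s standard crypto/x509 package, reports days to expiry, flags certificates that are inside a warning window or already expired, and flags any whose term exceeds the 825-day ceiling mentioned above. The certificates it checks are throwaway self-signed ones it mints itself (constructed sample data); the hostnames, the 30-day window and the function names are the example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MaxTermDays is the 825-day ceiling on certificate lifetime cited in the article.
const MaxTermDays = 825

// CertStatus is one inventory row: the validity fields plus the verdicts an operator wants.
type CertStatus struct {
	Subject     string
	NotAfter    time.Time
	DaysLeft    int  // negative once expired
	Expired     bool // now is at or past the "not after" field
	Expiring    bool // still valid, but inside the warning window
	TermTooLong bool // "not after" minus "not before" exceeds MaxTermDays
}

// Evaluate judges one parsed certificate at time now with a warning window of warnDays.
func Evaluate(cert *x509.Certificate, now time.Time, warnDays int) CertStatus {
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
	expired := !now.Before(cert.NotAfter)
	return CertStatus{
		Subject:     cert.Subject.CommonName,
		NotAfter:    cert.NotAfter,
		DaysLeft:    daysLeft,
		Expired:     expired,
		Expiring:    !expired && daysLeft <= warnDays,
		TermTooLong: int(cert.NotAfter.Sub(cert.NotBefore).Hours()/24) > MaxTermDays,
	}
}

// CheckPEM walks every CERTIFICATE block in a PEM bundle (the usual inventory format),
// skipping other block types such as private keys, and evaluates each certificate.
func CheckPEM(bundle []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	var out []CertStatus
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		out = append(out, Evaluate(cert, now, warnDays))
	}
	return out, nil
}

// SelfSignedPEM mints a throwaway self-signed certificate (constructed sample data) so the
// example runs offline; a real inventory would read certificate files or TLS endpoints.
func SelfSignedPEM(cn string, notBefore time.Time, termDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, termDays),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	var bundle []byte
	for _, c := range []struct{ cn string; startDaysAgo, term int }{
		{"fresh.example", 100, 365}, {"soon.example", 355, 365}, // healthy; expiring in 10 days
		{"lapsed.example", 400, 365}, {"toolong.example", 30, 1000}, // expired; term over 825 days
	} {
		p, err := SelfSignedPEM(c.cn, now.AddDate(0, 0, -c.startDaysAgo), c.term)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	statuses, err := CheckPEM(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-16s notAfter=%s daysLeft=%4d expired=%t expiring=%t termTooLong=%t\n",
			s.Subject, s.NotAfter.Format("2006-01-02"), s.DaysLeft, s.Expired, s.Expiring, s.TermTooLong)
	}
}
```

The same `CheckPEM` call works on a concatenated bundle exported from a spreadsheet-era inventory, so the expiry alert the quoted consultant puts in a calendar can instead be computed from the certificates themselves.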

Both Pironti and Collinson warn digital certificate users and the staff who manage them to be vigilant about attacks aimed at endpoints, especially in IoT applications where there are huge volumes of small devices that are also widely distributed.

“They create an inadvertent vulnerability because it puts keying material out to intermediary devices,” Pironti explains. “If an adversary can compromise the device, then they get access to the keying materials.”

And bad actors have proved they’ll then leverage the underlying cryptoware, which leads to scourges like ransomware. It’s one of many tradeoffs associated with encryption that organizations have to resolve as they deploy it more widely, Pironti warns.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/edge/theedge/keep-your-eye-on-digital-certificates/b/d-id/1335374?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Watch as ten cops with guns and military camo storm suspected Capital One hacker’s house…

Newly released footage showing cops storming the house of the woman accused of hacking Capital One’s cloud servers to steal 106 million people’s personal information has again raised questions about the over-militarization of the American police force.

Software engineer Paige Adele Thompson, 33, was cuffed on Monday after the FBI tracked her down to her home address close to Seattle airport and raided it. Her housemates were seemingly unaware of Thompson’s alleged illegal activities and provided footage from a number of security cameras in and around the house to local TV news.

That footage shows an extreme amount of force – with nine or ten men in military outfits and armed with machine guns storming the single-story house. The camouflaged super-plod smashed the glass on two vehicles outside, knocked down the cameras, and caused significant damage in their efforts to arrest Thompson, who was unarmed and went quietly.

The tactics immediately came under fire given that the cops were aware that they were collaring an apparently non-violent alleged hacker. Except…

Except the police later revealed that they had found no fewer than 20 firearms in the house – including assault rifles and handguns, as well as a wide range of related equipment including bumpstocks, scopes, and ammunition. The guns were in a different bedroom from the one where Thompson, and the computer she may have used to carry out the hack, were located.

In a bizarre twist, the owner of the house in which Thompson lived with two other housemates, who is thought to be the owner of the firearms, has some alarming prior history. Park Quan, 66, was convicted of possessing explosives in 1983, and of having an unregistered machine gun in 1991. He was reportedly linked to a failed contract killing in which a bomb was attached underneath a pick-up truck but failed to go off.

Quan was charged this week with being a felon in possession of a firearm following Monday’s swoop.

The security footage displays the wrong date and time but clearly shows the same house that Thompson lived in on 28th Avenue, south of Seattle, and despite the video saying it is 2000 at night, it is clearly early in the morning: 0600 according to her housemates.

Bananas pajamas

One of the housemates complained to Ranji Sinha of telly news outlet Kiro7 that he had “woke up to a loud bang and was dragged out the house in my pajamas.” The other housemate – neither of whom wanted to give their names or show their faces on screen – said that the cops had also taken Thompson’s “$10,000 computer” and that she “hadn’t worked for some time.” They say they had no idea what she was up to and when asked about her motivation suggested that “she did it because she could.”

Circa 2015, Thompson, aka “erratic,” worked as an engineer for Amazon Web Services, which hosted Capital One’s cloud storage servers that she allegedly broke into and downloaded the contents of earlier this year.

The Feds claim she left her fingerprints all over the cyber-theft: she used the same VPN service both to siphon off the data from Capital One’s AWS S3 buckets and to log into her GitHub account; that GitHub account, under the username paigeadelethompson, hosted a public Gist explaining how to hack Capital One’s S3 buckets; and her GitHub profile linked to her GitLab account, which hosted a copy of her resume complete with full name and home address.


And, in a jokey private message, Thompson claimed that she had “basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it.” Needless to say none of this ended well for her.

The systems engineer has already appeared in court, charged with violating the US Computer Fraud and Abuse Act, and will remain in custody until her next hearing on August 1. She faces up to five years in the clink, and potentially a $250,000 fine, if convicted. She wept in court as these early proceedings unfolded.

In related news, New York’s Attorney General Letitia James said on Tuesday that her office had opened an investigation into the hack.

“Though Capital One’s breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers’ names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information.

“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?… We cannot allow hacks of this nature to become every day occurrences.”

Also, Thompson’s Slack messages to pals, obtained by the FBI, list references to data seemingly acquired from other businesses, so this yarn may not end with Capital One. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/capitalone_hacker_arrest/

Hack a small airplane? Yes, we CAN (bus) – once we physically break into one, get at its wiring, plug in evil kit…

An investigation into the computer security of small airplanes, the results of which were made public this week, will be sure to generate some flashy headlines. However, there are important caveats.

The probe in question, carried out by Patrick Kiley, a senior security consultant at Rapid7, shows just how easy it is to hack a small plane. Kiley, an amateur pilot, cracked open the avionics – that’s the aircraft’s control and navigation systems – from two aircraft manufacturers who specialize in light aircraft, and studied their Controller Area Network (CAN) bus. This electrical bus is used to shuttle data between the onboard computer systems of the aircraft.

Kiley found that, in many cases, small planes use the CAN bus much in the same way that modern cars do. The control systems use the single bus to relay commands to various hardware components and receive readings from sensors.

“Small aircraft typically maintain the direct mechanical linkage between the flight controls and the flight surface. However, electronic controls for flaps, trim, engine controls, and autopilot systems are becoming more common,” Kiley noted in his dossier.

“This is similar to how most modern automobiles no longer have a physical connection between the throttle and the actuator that causes the engine to accelerate.”

Unlike cars, however, Kiley says there is little in the way of protection from malicious or unauthorized activity on the CAN system for aircraft.

The Rapid7 whitehat was able to tap into the central network of the aircraft and send forged messages to the various control systems. Among the more nefarious tasks he was able to accomplish were changing the altitude and airspeed readings, altering telemetry, disabling or rerouting the autopilot, and changing engine readings.


Sounds scary, but let’s consider the threat model here. Obviously, being able to do any of those things on an operational aircraft would be very bad. But we’re talking about an attack that requires having direct physical access to the plane and the ability to manipulate its wiring and attach extra hardware, or subvert installed kit. If you have that sort of access there are a thousand other ways to sabotage a plane that don’t require hacking. Also, your airplane should be securely locked up at an airport or air field, rather than left out on the street like your car.

“While the impact of such an attack could be dire, we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector,” Kiley noted.

“While we believe that relying wholly on physical access controls is unwise, such controls do make it much more difficult for an attacker to access the CAN bus and take control of the avionics systems.”

Still, the report is an interesting look into the way modern aircraft navigation and control systems work, and the methods that hackers and tinkerers have to access them. Perhaps not a dire security threat, but an in-depth analysis worth paying attention to.

Those interested in aviation meddling are, however, in for a treat. At next week’s hacking summer camp at DEF CON in Las Vegas there will be an entire village devoted to aviation hacking. Kiley and many others will be on hand to show the ins and outs of aircraft hacking. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/hack_airplane_can_bus/

Container Security Is Falling Behind Container Deployments

Organizations are increasingly turning to containers even though they are not as confident in the security of those containers, according to a new survey.

Containers — virtualized applications that are key to DevOps — are maturing as critical parts of enterprise application infrastructures. And even though security strategies are maturing, organizations are still struggling to have security keep up with the other facets of container deployment.

A new report, sponsored by StackRox and based on research by AimPoint Group, shows that more than a third of companies haven’t begun to implement a container security policy yet. While 15% say their company is in the planning stage with its container security strategy, 19% say that they haven’t even gotten that far.

Part of the problem, says StackRox CEO Kamal Shah, is the complexity of the environment into which containers are being deployed. While many people look at containers as a technology for the cloud, Shah says, “We found that 70% are running containers on-prem and 53% are running in hybrid mode, which means running it on-premises as well as on one of the public cloud platforms.”

Companies are turning to containers because the speed of deployment in containers is critical for organizations that are implementing agile or DevOps disciplines. And studies by other researchers show that some container practices, such as downloading and reusing popular pre-existing application images, don’t insulate a company from security issues.

Jerry Gamblin, principal security engineer at Kenna Security, scanned the 1,000 most popular application images and found that over 60% of the top Docker files held a vulnerability with at least a moderate risk score, and over 20% of the files contained at least one vulnerability that would be considered high risk. [Note: A container is a virtualized application running on a system. An image is the file containing that application and its configuration files before it is launched.]

When looking at the source of vulnerabilities, the StackRox report says that poor deployment is the principal problem. According to the report, 60% of executives say that misconfigurations create the greatest security risks.

“The challenge in this new world is that there are a lot of options, a lot of controls that you have to configure, and there are a lot of configuration options,” Shah says. “On top of that, what makes matters worse is that a lot of the controls that exist are not enabled by default.”

Those controls are important because 43% of respondents say that runtime is the phase of the container life cycle that worries them the most. Though the report indicates that fixing issues is most cost-effective in building or deployment phases, the lack of a container security strategy hinders many companies in making those fixes.

Procedures and tools are available for better container security, if companies will employ them. Researchers at Alcide conducted surveys of best container practices and found that a handful of processes can make a huge difference in container security. Those best practices include familiar items like regular software updates and secure access, as well as container-specific practices, including namespace isolation (keeping containers completely separate from one another) and automated tools for scanning and setting container configurations.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/cloud/container-security-is-falling-behind-container-deployments/d/d-id/1335392?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Capital One breach – 100 million users’ data stolen

Global financial services company Capital One has just announced a massive data breach.

The breach notification starts in general terms:

Capital One Financial Corporation announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

The company continues:

Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

We don’t know whether it was an unpatched security flaw, an incorrectly configured access control setting, or some other cybersecurity issue.

The breach is notable more for what was taken than what wasn’t, covering:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019).
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, income.

Some customers also had the following information lifted:

  • Credit scores, credit limits, balances, payment history, contact information and more.
  • Social security numbers (SSNs).
  • Bank account numbers linked to credit cards.

The silver lining is that the majority of customers didn’t lose SSNs in the breach – Capital One says that only 140,000 SSNs and 80,000 bank account numbers were acquired.

The bad part of that, of course, is that if you’re one of the 140,000 then you’re a bit more exposed than the other 99.9% of breached customers.

What to do?

So far, Capital One isn’t giving any advice on what to do next, or offering any services such as credit monitoring to help you keep track of problems that may arise.

According to reports, a hacker called Paige Thompson has been arrested in relation to this crime, apparently after boasting online about their actions.

Presumably, the speedy arrest is what has led Capital One to say that it doesn’t think the data has been sold on and therefore that the risk is low.

Nevertheless:

  • Keep a careful eye on all your statements. Report suspicious transactions immediately.
  • If you have signed up to a credit reporting service, take the time to read the reports you receive. They’re there to help you spot account problems early on, not merely so you can track them down later!
  • Revisit the Capital One info page in a day or two. The company says that “the investigation is ongoing and analysis is subject to change.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/beZiWdZXOZw/

Hacker swipes personal deets of 20,000 peeps from under Los Angeles Police Dept’s nose

Around 20,000 Los Angeles Police Department job-seekers and officers have had their personal data nicked, the force has confirmed.

A total of 17,500 applicants to the force and 2,500 serving officers had their names, dates of birth, parts of their social security numbers, and the email addresses and passwords associated with their applicant accounts stolen by hackers.

Local news outlet NBC LA reported that affected people were told over the weekend.

In a statement, the force said: “Data security is paramount at the Los Angeles Police Department, and we are committed to protecting the privacy of anyone who is associated with our agency.”

A local police trade union demanded that the city authorities “provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence, so that they may restore their credit and/or financial standing”.

The breach was blamed on an unidentified hacker who stole the files then emailed the police IT department with samples.

A decade ago, the police force was tech-savvy enough to question Google’s security knowhow, so it seems unlikely the LAPD managed to leave their data unsecured. Reports indicated that the hacker claimed to have obtained the data directly rather than through a disgruntled insider.

Terence Jackson, CISO of Thycotic (a US infosec outfit, not a psychopath with a lisp) opined in a canned comment: “While details are still unfolding, I think I have more questions than answers at the present time. What system did the perpetrator have access to? How was access monitored? Did she have admin access? How was she able to exfiltrate so many records without triggering any alerts? This is yet another example of why castle and moat security isn’t effective anymore. The threats are already inside.”

In other US hack news, credit card provider Capital One suffered the theft of 100 million customer records yesterday. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/lapd_data_breach/

Update LibreOffice now to thwart silent macro viruses – and here’s how to pwn those who haven’t patched their suite yet

The Document Foundation has recently patched LibreOffice, its open-source office suite, to fix an issue where documents can be configured to run macros silently on opening.

The code execution vulnerability, reported by Nils Emmerich and assigned CVE-2019-9848, is the result of multiple flaws.

The first is with a feature called LibreLogo which is intended for teaching programming. You type Logo commands into a document and it draws graphics from those instructions with a cursor that looks like a turtle, as a homage to the Logo programming language of yore.

The LibreOffice implementation converts the Logo commands to Python, which is passed to the Python interpreter for execution without much in the way of safety checks. LibreLogo is an optional component, though installed by default.

The second problem is that built-in macros in LibreOffice are fully trusted — including the macro that runs LibreLogo. Even if you set macro security in LibreOffice to “Very high,” the LibreLogo macro still runs without prompting. The third, and final, problem is that LibreLogo passes arbitrary Python code in the document to the Python interpreter to execute.

The result is that it is trivial to create a document that includes a malicious Python script in its text, which is executed automatically. We created a document that will pop open the Windows Calculator, as per Emmerich’s example, assigned LibreLogo Run to the Open Document event, and attached it to an email to send to a mark. Microsoft’s Outlook helpfully made the document read-only for safety when it was received, but it still obediently ran Calc when the attachment was opened.

LibreOffice running Calc on Windows 10, without any prompt.

The LibreOffice team has fixed the problem by blocking the ability to attach the LibreLogo Run macro to a document event handler. The fix is in version 6.2.5 (released on 20 June 2019).


That said, if you go to the LibreOffice download page version 6.2.5 is recommended only “if you’re a technology enthusiast, early adopter or power user.” Version 6.1.6 is recommended as it is “tested for longer” and the implication is that that is the pick for more cautious users or businesses. Unfortunately it is also still vulnerable, as demonstrated in our quick test.

It was Microsoft Word that made macro viruses famous, one of the best known being Melissa in 1999. Much pain ensued, but Microsoft made many efforts to contain the problem, and in Office 2007 introduced the .docm format for Word documents that contain macros, as well as similar formats for other Office applications. There is no such distinction in ODF (Open Document Format) as used by OpenOffice and LibreOffice. Perhaps there should be.

Users of LibreOffice who set it as the default application for .ODT documents should either upgrade to version 6.2.5 or higher, or remove the LibreLogo component from their installation. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/libreoffice_macro_virus/

CISOs Must Evolve to a Data-First Security Program

Such a program will require effort and reprioritization, but it will let your company fight modern-day threats and protect your most important assets.

Data is the new currency. Businesses will thrive or wither based on their ability to properly handle, protect, and utilize data. And although the importance and potential of data is not in question, the priority of data protection within security programs still has a way to go. 

For far too long, the fundamental thinking around enterprise cybersecurity has circled around external threats. If we build a strong perimeter of firewalls and scrutinize traffic crossing the boundary, then we’ll keep the “good” in and the “bad” out. Even more modern security programs have doubled down on external threat actors with endpoint security software, antivirus sandboxes for email attachments, and mobile device management.

In the past, these investments made sense in order to pursue a defense against general threats and malware from “the outside.” But technology has evolved, and what matters now is different. In today’s world, fueled by rich web applications, corporate interconnectivity, cloud systems, contract workers, and remote access, the notion of “outside” and “inside,” “us” and “them,” is dead. In the world of a CISO who can’t focus on every problem, risk prioritization is king. So, instead of attempting to thinly spread the security focus across a wide array of externally facing infrastructure, we must ask ourselves this question: “What do we fundamentally need to protect most?” The answer is data.

While serving as CISO of Twitter, I instituted a “data-first” security program. The goal of this was simple. From our risk analysis, the item most important to our company was the protection of sensitive data against any form of inappropriate or unauthorized access or manipulation. Since data was the priority, we applied the focus of our security efforts as close to the data as possible and then moved outward. This meant asking questions like: “How is the data protected at rest?” “What services/people can access the data?” and “How do we authenticate the services and detect malice or deviations?”

We asked these questions even though the data was deep inside the internal network. By inverting the traditional security model, we focused on the controls that actually protect the data first. Afterward, we moved outward in “concentric circles” to provide layers of defenses across the entire stack used to access the data (that is, the servers, workstations, humans, etc.).

The reason the data-first security thinking is so important is that the traditional “outside-in” perimeter security approach makes too many assumptions that no longer hold true. If the strength of your security relies on a strong perimeter, then what happens if an internal employee is compromised or goes rogue? Do the attackers have full lateral movement and access to data? If so, then the perimeter security approach is only one security failure away from a massive company data breach.
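What “moving security as close to the data as possible” looks like in code, as an added example that is not part of the article and not Twitter’s or the author’s implementation: a gate that sits in front of the records themselves and, for every request, authenticates the calling service, authorizes it against a classification-based allow-list rather than the caller’s network position, writes an audit entry, and flags services whose denial count or request volume deviates from a baseline. The service names, keys, records, policy and baseline are all constructed for illustration, and per-request HMAC signatures stand in for the service authentication a real deployment would get from mTLS or a token issuer.

```python
import hashlib
import hmac
from collections import Counter

# Constructed per-service credentials (a stand-in for mTLS identities or tokens).
SERVICE_KEYS = {
    "billing-api": b"constructed-key-billing",
    "reporting-job": b"constructed-key-reporting",
}

# Constructed data store; every record carries a classification label, and it is the
# label, not the caller's network location, that drives the access decision.
RECORDS = {
    "cust-1": {"class": "pii", "value": "alice@example.com"},
    "cust-2": {"class": "pii", "value": "bob@example.com"},
    "kpi-q2": {"class": "internal", "value": "signups=1200"},
}

# Allow-list of (service, operation, classification). Anything absent is denied.
POLICY = {
    ("billing-api", "read", "pii"),
    ("billing-api", "write", "pii"),
    ("reporting-job", "read", "internal"),
}

# Expected requests per service per audit window, derived from past audit logs
# (constructed values). A service with no baseline is treated as baseline 0, so
# any traffic from an unknown identity is itself a deviation.
BASELINE = {"billing-api": 100, "reporting-job": 10}


def sign(service, op, record_id, key):
    """Signature a service attaches to each request (constructed scheme)."""
    msg = f"{service}|{op}|{record_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DataGate:
    """The innermost ring: authenticate, authorize and audit at the data itself."""

    def __init__(self):
        self.audit = []            # (service, op, record_id, decision)
        self.requests = Counter()  # request volume per service in this window

    def request(self, service, op, record_id, signature):
        key = SERVICE_KEYS.get(service)
        expected = sign(service, op, record_id, key) if key else ""
        record = RECORDS.get(record_id)
        if key is None or not hmac.compare_digest(signature, expected):
            decision = "deny:unauthenticated"
        elif record is None:
            decision = "deny:no-such-record"
        elif (service, op, record["class"]) not in POLICY:
            decision = "deny:policy"
        else:
            decision = "allow"
        self.audit.append((service, op, record_id, decision))
        self.requests[service] += 1
        return record["value"] if decision == "allow" else None

    def deviations(self, max_denials=3, volume_factor=2):
        """Services whose denials or volume deviate from baseline in this window."""
        denied = Counter(s for s, _, _, d in self.audit if d != "allow")
        flagged = set()
        for service, n in self.requests.items():
            if denied[service] >= max_denials or n > volume_factor * BASELINE.get(service, 0):
                flagged.add(service)
        return sorted(flagged)


def compromised_credential_scenario():
    """An internal host holding reporting-job's valid credential tries to pull
    customer PII. Every request authenticates, every request fails the
    classification policy, and the run of denials is surfaced by the deviation
    check instead of being invisible behind a trusted perimeter."""
    gate = DataGate()
    key = SERVICE_KEYS["reporting-job"]
    for rid in ("cust-1", "cust-2", "cust-3"):
        gate.request("reporting-job", "read", rid, sign("reporting-job", "read", rid, key))
    return gate.deviations()


if __name__ == "__main__":
    print("flagged:", compromised_credential_scenario())
```

The outer rings (host hardening, network segmentation, endpoint agents) still matter, but because the decision and the audit record are produced next to the data, a compromised workstation or insider who reaches the data service gains nothing beyond what the policy grants that identity, and the attempt is logged where the SOC can see it.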

Because of data protection regulations such as GDPR and the California Data Protection Act, a shift to a data-first security program makes a lot of sense. But this isn’t just a movement driven by compliance. Available data supports the need to shift to a data-first security approach:

  • The 2019 Verizon Data Breach Report shows, for one of its measured sectors, that “Privilege Misuse and Error by insider account for 30 percent of breaches.”
  • A 2019 data privacy survey conducted by Opinion Matters found that “83 percent of security professionals believe that employees have put customer [personally identifiable information] and business sensitive information at risk of exposure through error.”
  • The Insider Threat 2018 Report from Cybersecurity Insiders found that “53 percent [of surveyed organizations] confirmed insider attacks against their organization in the previous 12 months.”

The takeaway here is clear. There is a real threat from within the organization, posed by individuals who are granted some level of trust and access. With this reality in mind, there’s no choice other than to move security as close to the data as possible.

How to Move to a Data-First Approach
First, a sound security program must have risk modeling and strategic risk prioritization processes in place. Without such components, the security organization will be unable to focus on the most important issues and make meaningful changes. Second, conduct an updated risk prioritization and assessment exercise. Be sure that the value of your data assets and the likelihood of an internal threat are appropriately weighted using the statistics discussed above and other information specific to your organization. In this exercise, be sure to explore the different potential paths of compromise that lead to data access, and consider whether existing security controls provide any mitigating protection.

The likely output of this activity will include new prioritized risks focused on data access controls and visibility of data use. With this new data in hand, reach out to other business leaders to build support for the new focus. As security leaders know, it’s imperative to have allies across the business; security is not a single org activity and requires company support. Finally, as you embark on identifying new security controls, processes, and technology, be sure to maintain your laser focus in the face of other security “fires.” Question whether your and your team’s time is being spent on the highest-priority risks and most valuable activities for your company.

Implementing a data-first security program will require effort and reprioritization, but it will also enable your company to combat modern-day threats and protect your most important assets. In addition, it provides flexibility: the business can more easily adopt new technologies, knowing that the control structure put in place is based on protecting core assets first, independent of the surrounding technology.


Michael Coates is the CEO and Co-Founder of Altitude Networks. Previously, Michael was the Chief Information Security Officer at Twitter. Michael has also served for six years on the OWASP global board of directors, three of those years as the chairman. Prior to Twitter, …

Article source: https://www.darkreading.com/threat-intelligence/cisos-must-evolve-to-a-data-first-security-program/a/d-id/1335334?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Suffering SOC Saga Continues

New study exposes low confidence among security professionals in their security operations centers.

More than half of IT and security professionals consider their security operations center (SOC) ineffectual, and the long hours, alert overload, and incomplete visibility into their IT infrastructure have 65% considering quitting their jobs.

The saga of the stressed-out SOC has been well documented over the past few years: organizations have amassed a cache of security tools amid an ever-expanding threat landscape, yet lack the time, resources, or expertise to fully tap into those tools or keep up with all of the data they generate. Meanwhile, nearly 70% of organizations studied in a new report by the Ponemon Institute consider their SOC essential or very important to their security posture.

“There was a general concern or lack of confidence in the SOC being able to achieve its important role because of burnout, the crazy hours people are working, and a whole bunch of reasons,” including lack of visibility into their IT networks, says Larry Ponemon, president of the Ponemon Institute and author of the SOC study.

A recent report from Exabeam, meanwhile, echoed some similar concerns by SOC analysts about their ability to keep up with the attacks coming at them: Their biggest time-suck and pain points were reporting and documentation (33%), alert fatigue (27%), and false positives (24%).

Julian Waits, general manager for security analytics firm Devo, which sponsored the new Ponemon study, says the incomplete visibility of systems and threats is a major issue for SOC analysts. He says some SOC analysts he knows admit they feel defeated: “Going to work each day and knowing you’ve been compromised” yet not knowing just how, he says. “What’s disturbing to me is analysts spend so much time chasing things but the least amount of time thinking strategically.”

According to the Ponemon report, most SOCs are not at all or only somewhat aligned with the business side of the organization, which can leave them out of the loop for business and funding support. Less than one-third of the security budget on average is used for the SOC, and some 4% of organizations say more than half of their budget goes to the SOC.

The result of immature and ineffective SOCs: dangerously long times to resolve and remediate an attack. Some 42% of the SOC analysts say it takes months or years on average to resolve a hack. At only 22% of organizations is that mean time to resolution, as it is called, a matter of hours or days. That’s costly not only operationally, but financially. IBM reported in its recent data breach study that for organizations that contain a breach in less than 30 days, the average cost is nearly $1 million less.

“What we’ve seen within our customer base is … that they had an incident that occurred a year ago and they only recently discovered it. Then they began the process of remediation,” Waits says.

Cloud Shines
There was a ray of hope: Some 53% of the organizations say their SOC’s IT infrastructure is mostly cloud-based, or a mix of cloud and on-premises. Around 47% say their infrastructure is on-premises. “I see outsourcing as very sensible. It gives you a greater opportunity for standardizing,” Ponemon says, and it provides easier and more timely access to the latest technologies.

He predicts that most SOCs within the next two to three years will operate mostly in the cloud, via managed security services and outsourcing.

Waits adds that large organizations likely will continue to maintain their own physical SOCs with some cloud-based services, but will still run and control at least the data side of the operation.

What to Do About It
The report recommends that security leaders nip burnout in the bud by automating workflow as much as possible, and adjusting work schedules and adding more resources. Ponemon also says stronger alignment between the SOC and the business is key: “Often, the needs of the business and the needs of the SOC are in alignment — everyone wants a stronger security posture but not at the expense of an oversubscribed budget. Leaders should create opportunities for leaders of each silo to discuss and prioritize objectives, and better address the turf and silo issues between the SOC and IT security operations,” the Ponemon report says.

Also, ensure that SOC team members have the right tools, that they are given enough visibility into the network to do their jobs, and that those tools interoperate with their security systems, the report recommends.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/suffering-soc-saga-continues/d/d-id/1335376?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple