STE WILLIAMS

Third-party risks are quickly mounting for enterprise organizations if the number of data breaches and total number of records exposed as a result are any indication.

In a recent analysis of data pertaining to security breaches in 2019, Risk Based Security uncovered a sharp increase in incidents involving companies handling sensitive data for business partners and other clients. The total number of such third-party breaches hit 368 in 2019, up from 328 in 2018 and 273 in 2017 — a 35% increase in two years.

In addition, the number of records exposed in these breaches skyrocketed 273% last year, from just over 1.7 billion in 2018 to 4.8 billion in 2019. On average, some 13 million records were exposed in each third-party breach in 2019, making it easily the worst year ever on record, according to the analysis. Data exposed in these breaches ran the gamut, including names, addresses, dates of birth, Social Security Numbers, credit card numbers, email addresses, and financial data.

Risk Based Security counted a total of 7,098 data breaches in 2019 — a relatively modest increase of 1% over 2018’s 7,035 publicly disclosed data breaches. The breaches in total exposed a staggering 15.1 billion records, which included everything from relatively innocuous transaction logs to PII, financial data, and health records.

“The security landscape is just as challenging as ever,” says Inga Goddijn, executive vice president at Risk Based Security. “Given the trend over the past few years now, expect the number of events to continue to grow while the number of records exposed will be driven in large part by the number of leaky databases and services uncovered.”   

Though the overall number of breaches increased only slightly year-over-year, the number of records exposed in 2019 was some 284% greater than in 2018. But that was largely due to four incidents that alone accounted for some 8.5 billion of the 15.1 billion records in total that were exposed.

Risk Based Security identified the four breaches as involving smart home product company Orvibo; Chinese e-commerce merchant LightInTheBox; email marketing company Verifications.io; and an unknown company managing data for data aggregators including Oxydata and People Data Labs.

All four breaches resulted from data being put into open, misconfigured databases that were then made publicly accessible over the Internet to anyone. Excluding these data breaches, the total number of records exposed last year would still have been higher than the number in 2018, but by a relatively small 1.3 billion records.

Karen Bruner, technical evangelist at container security firm StackRox, says the increase in breaches involving cloud databases and services is the result of poor security hygiene. “All the major cloud providers offer the controls needed to keep the data in their cloud buckets private, but customers need to use them,” Bruner says.

Inexperienced cloud users will sometimes remove all protections when they have trouble accessing the data from applications. That inexperience often goes hand-in-hand with not doing best practices, like scanning their cloud infrastructure for security misconfigurations, she says. “And when security is set up correctly initially, it takes just one customer change to wipe it out and make the bucket contents public,” Bruner adds.

Web Breaches Exposed Most Records
As in previous years, breaches involving external hackers, malicious insiders, and from accidents and negligence outnumbered breaches stemming from other causes. However, Web breaches caused by misconfigured services and failure to follow basic hardening practices resulted in a far greater number of exposed records. For instance, though nearly 5,200 data breaches resulted from hacking, they exposed only about 1.5 billion records as compared to nearly 13.6 billion records from a mere 343 Web breaches.

Sam Rubin, vice president at incident response and risk management firm Crypsis Group, says the Risk Based Security report highlights the challenges posed by the growing complexity and attack surface of modern IT environments.

“The cloud is highly enabling, yet with so many cloud providers in the typical enterprise mix, most IT teams have multiple shared responsibility models to manage,” he says.

Smaller organizations are as likely as enterprises to use cloud providers, yet they are more challenged with the staffing needed to manage cloud security best practices. Large enterprises have more qualified staff but tend to have a more expansive multicloud terrain to navigate, he says. “And unfortunately, cloud is only one challenge companies must address,” Rubin says.

Related Content:

• More Than 20 Data Breaches Reported Per Day in First Half of 2019
• Waking Up to Third-Party Security Risk
• Third-Party Features Leave Websites More Vulnerable to Attack
• 7 Biggest Cloud Security Blind Spots

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Chaos Order: The Keys to Quantum-Proof Encryption“

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/third-party-breaches---and-the-number-of-records-exposed---increased-sharply-in-2019/d/d-id/1337037?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Question: What are some foundational ways to protect my global supply chain?  

Rick Holland, CISO, Digital Shadows: Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on. A global company can easily have more than 1,000 firms in its supply chain. In the age of digital transformation, much of the supply chain consists of SaaS providers that are easier to replace than the traditional on-premises vendor. The result is a transient supply chain that continually evolves. To add even more complexity, the more mergers and acquisitions activity a firm undertakes, the more complicated its supply chain becomes. All of these factors make supply chain risk management a daunting task.

Two common deficiencies of cybersecurity supply chain programs are a lack of understanding of the types of data and access the third party possesses, as well as a prioritized list of suppliers. This is why security teams need to have robust processes in place that include both the lines of business that leverage supply chain providers and the procurement teams that handle the logistics of assessing and onboarding the vendors. The security and privacy teams must have questions that can be inserted into assessments. They should include items that give insights into what data a third party has access to, where that data resides, and who has access to it. Once an organization understands the criticality of the data a third party has access to, it can then prioritize the risk around a supplier based on the classification of that data.

With today’s technology and complexity, it isn’t pragmatic for a cybersecurity supply chain program to monitor “all the things.” However, it becomes more feasible with a prioritized list of vendors that have data or access to data that could represent a material risk to the business if stolen or abused.  

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/what-are-some-basic-ways-to-protect-my-global-supply-chain/b/d-id/1337015?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Although cybersecurity technologies continue evolving to address current threats, many data breaches remain undiscovered for months or even years. For instance, in one of the biggest data breaches discovered in 2018, which affected 500 million customers of the Marriott Hotel Group, hackers went undetected for four years.

How can your organization detect threats faster and reduce the chances of a breach? Unfortunately, there isn’t one solution. But we can analyze the root causes of known breaches and learn from them. In this column, we’ll examine five common errors that make it easier for attackers to linger in an IT network undiscovered and advice on how to mitigate the risks.

Error 1: Siloed security systems
During their evolution, large companies often undergo multiple mergers and acquisitions. This strategy can boost stock prices, but it can also increase both IT system complexity and data security risks. Notably, the Marriott data breach originally occurred in the reservation system of Starwood, a chain that the hotel giant acquired in 2016. Rather than unifying security controls and improving the detection capabilities of its newly acquired business right after the deal, Marriott appears to have neglected to take action, wasting two years until it discovered the data leak in November 2018.

To avoid this error, organizations should regularly review their IT systems and IT risks, especially during and after a merger or acquisition. In particular, they should discover and classify all sensitive data across their on-premises and cloud storage and take steps to ensure that those files are not overexposed and that they reside only in dedicated safe locations with proper access controls. Organizations should also update their security policies, unify them, and apply them across the entire IT infrastructure. Cross-system software solutions can make this security monitoring easier.

Error 2: Lack of accountability
Many corporations have a complex management structure that leads to poor accountability and lack of visibility into IT security policy development and execution. The infamous Equifax data breach, which remained undetected for 76 days, was made possible by an expired security certificate. A Congressional investigation found that the absence of clear lines of responsibility in Equifax’s IT management structure had kept the company from implementing security initiatives in a timely manner, which had led to more than 300 security certificates expiring.

The best way to avoid this error is to have one person responsible for the development and implementation of information security policies. In most cases, it is the chief information security officer (CISO). The CISO should develop clear policies with zones of responsibility and provide IT teams with clear workflows for the security issues for which they are accountable. Another tip is to automate patching, which mitigates the risk that overburdened IT teams will fail to make manual updates promptly. Many experts believe this strategy could have prevented the Equifax data breach.

Error 3: Lack of support from the CEO
If a company’s leader does not consider security to be a business goal, IT security teams will likely lack vital strategic direction and resources, including both adequate staffing and modern technologies. As a result, they cannot prioritize security efforts and proactively respond to evolving threats; instead, they are overwhelmed with routine troubleshooting.

Every CEO should recognize that data protection is a crucial business goal and establish a leadership-driven security approach. Regular meetings with the CISO are a must, as are metrics that evaluate the effectiveness of the cybersecurity strategy. Equally important is enabling the IT team to focus on issues that are critical to the safety of the business by investing in modern solutions that automate most security processes and can be scaled up easily as the business grows.

Error 4: Inefficient cybersecurity strategy
Some organizations spend vast sums of money on technologies in an effort to cover all IT risks. However, unless they conduct a thorough risk assessment, they might well have spent their money in vain. For example, a company might spend a lot of money to store and protect its data, including stale data, but miss an unauthorized access to its customer database.

Security efforts should be prioritized. Start with an IT asset inventory that will help to you identify and classify your most crucial information assets, such as data that falls under the General Data Protection Regulation (GDPR). Using that information, develop security policies to appropriately protect data with each level of sensitivity and an effective incident response plan. Last but not least, it’s important to set up alerts so you can respond quickly to suspicious activity.

Error 5: No actionable incident response plan
A recent Netwrix study shows that only 17% of organizations test their incident response plans. The remaining 83% have no guarantee that their plan will work out in real life; in case of an incident, they might waste precious time and fail to notify customers and authorities properly.

Initiating a pseudo-cyberattack as a part of penetration testing is a good idea. This will help to determine if your draft plan is effective and ensure that everyone knows exactly what to do if an incident occurs. The results of the test should be used to improve the plan and develop regular practice runs for employees.

Conclusion
The only way for organizations to avoid long-lasting data breaches is to ensure that their cybersecurity strategy is an ongoing focus rather than a one-off exercise that’s soon forgotten. A forward-thinking business leader should manage cybersecurity risks on an equal footing with all other business risks and treat cybersecurity as an organizationwide issue. Creating a security-centric culture requires a joint effort by various departments that involves technology, processes, and people. With centralized IT governance and a bird’s-eye view of the IT infrastructure, businesses can be far more confident that unauthorized activity will be detected and terminated quickly.

Related Content:

• Lessons Learned from 7 Big Breaches in 2019
• Embracing a Prevention Mindset to Protect Critical Infrastructure
• Threat Hunting Is Not for Everyone
• Assessing Cybersecurity Risk in Today’s Enterprise

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “From 1s 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide“

Matt Middleton-Leal is General Manager and Chief Security Strategist is at Netwrix, a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides. Matt … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/5-common-errors-that-allow-attackers-to-go-undetected/a/d-id/1336955?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Last year, all four wireless carriers began offering 5G, and people couldn’t be happier. While some may have to wait until devices and infrastructure fully catch up with demand, the promise of being able to communicate and download at speeds of up to 10Gbps has users and companies eagerly anticipating a very speedy future.

5G promises super-high bandwidth and throughput and ultra low-level latency communication that are up to 20 times faster than 4G LTE. 5G can reach speeds of 20GB per second, while 4G LTE maxes out at 1GB per second. While this is a nice-to-have in many situations, businesses are looking forward to 5G adoption to power more Internet of Things (IoT) devices and enable their employees to perform tasks very quickly.

“This is the first time we’ve had this type of functionality all at once,” said Dmitry Kurbatov, chief technology officer at Positive Technologies, a security solutions provider. “LTE provided huge bandwidth, but the modems used for LTE consumed too much power to be used for more powerful IoT devices. The same is true of 2G: It provided great covering for the network and was accessible everywhere, but the connection speed wasn’t good enough for a satisfactory experience.”

With the increased spectrum and ability to segment networks, enterprises are likely to start using 5G more and more. Not only will it provide opportunities for coverage that WiFi may not have provided, but it could potentially replace WiFi or Bluetooth in some situations.

While all of this sounds great, it’s important to stop and consider the security ramifications. Done right, 5G can actually be the most secure cellular technology to date. 5G encrypts more data, and because it’s based on software and runs in the cloud, it’s easier to monitor.

But it’s not that simple. There is a greater risk of attacks on both IoT and mobile devices, simply because there will be so many more of them. With such fast speeds, employees are likely to choose 5G for their mobile devices instead of WiFi, and employers will use 5G for their IoT sensors.

Read the full article here on Data Center Knowledge.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/5g-adoption-should-change-how-organizations-approach-security/d/d-id/1337030?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What is your information security program defending?

This is a deceivingly difficult question for most. When I ask this at typical organizations, the answer is often disheartening. The standard response is “everything.” The word everything causes my skepticism radar to start chirping like a Chernobyl Geiger counter.

The claim being made here is that all of the systems and all of the data created and stored by the organization are defended. These companies, and the “everything” claim, do not make distinctions between high and low levels of protection. To lump all systems and data into one category causes equality across the board, which is a recipe for inefficiency at best and disaster at worst.

Fredrick the Great said, “He who attempts to defend everything, defends nothing.” If we attempt to defend everything, this means that we are not prioritizing. In this scenario, the same security controls and effort to defend a critical system storing the organization’s crown jewels are going to also apply on a noncritical system. This would lead to either underprotecting a critical system, overprotecting a noncritical system, or potentially both.

The concept of opportunity costs is important here since we all have limited resources. No department is given a blank check for all the tools, training, and expert staff that one could desire. The opposite is more likely to be the case, where departments are being asked to do more with less.

In a reality with limited resources, every dollar spent on a tool also represents a dollar that could have been spent on a different one. Every staff member hired with a particular skill represents a candidate that got passed on who had a different expertise. Every hour spent researching a solution is an hour that could have been dedicated to various other projects.

Opportunity costs are why prioritization needs to occur. Without it, an organization is guessing as to what to protect and how best to defend assets. This prioritization begins with an asset inventory.

Collect Everything
What constitutes an effective asset inventory from which to prioritize information security? In a word, details. “No details” means no value. An inventory is a listing of detailed attributes that can serve as an authoritative and consolidated resource. It is the one-stop shop for everything that is relevant to information security regarding an asset.

It must also be detailed in the sense that it must be all-inclusive. It’s every system that touches your network or handles sensitive information. It’s everything that’s wired, wireless, or even capable of either of those. It’s printers, IP phones, kiosks, marquees, and Internet of Things devices. It’s bare-metal hypervisors like ESXi. It’s firewalls, routers, wireless access points, and switches. It’s everything.

Understand Everything
Once all the assets are inventoried and information about them is collected, we begin to understand the big picture. Most of the asset details in an inventory play a supporting role to the system’s criticality ranking. This ranking is derived from attributes, such as the purpose of the system, type of data it generates and stores, user community, and business function it supports. From this criticality attribute, the security controls to protect it can be determined in order to bring the risks in line with the business’s risk tolerance.

Integration
Now we return to the asset inventory to reconcile those determined controls and provide assurances that they are in place and working as expected. Confidence in the functioning of a security program cannot exist without a complete asset inventory.

The various tools in the environment are typically tuned to determine what is working. Asset management, on the other hand, is used to determine what is not working. Assurance is a significant function of information security. Move past the assumptions that something should be working as advertised to a place of objective confidence that it is working.

A quality asset inventory allows a reconciliation process to occur. Comparing each tool’s list of registered systems with an authoritative and all-inclusive inventory provides a clear and objective list of discrepancies. One can, at that point, put aside assumptions and actually know which systems are being protected or monitored by a tool — also, more importantly, which systems are missing and thus unprotected.

A Neglected Control
It is very rare that I see an organization with an accurate inventory. Why is this foundational control so often ignored?

For one, there isn’t a tool to automate the process. We’re conditioned to searching for a tool to solve our problems. A nail needs a hammer and a squeaky wheel needs oil. Asset inventory tools are basically repackaged spreadsheets. None readily automates a method to collect the type of information needed to understand the security posture of an asset and to ensure that each one has the controls that it should have.

It’s also an indirect control. While firewalls and anti-malware tools can directly show the bad that they protect you from, asset management is a control that provides the assurances that your other controls are actually functioning as expected. It’s not just a “helper” control, though, but more of a foundational control on which to build the entire program.

Asset management isn’t sexy. It doesn’t result in pretty graphs or quality filler for PowerPoint slides. Quite the opposite — it highlights the gaps in a security program. Asset management presents information that can be difficult to swallow. However, it will also help you achieve the next maturity level in your security program.

Related Content:

• 7 Ways SMBs Can Secure Their Websites
• Why You Need a Global View of IT Assets
• Which Security Metrics Should I Use?
• Assessing Cybersecurity Risk in Today’s Enterprise

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “From 1s 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide“

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional … View Full Bio

Article source: https://www.darkreading.com/risk/stop-defending-everything/a/d-id/1336973?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple