STE WILLIAMS

Federal agencies and organizations don’t fully understand the cost implications of Meltdown and Spectre, says Gus Hunt, former CTO of the CIA and current managing director for Accenture Federal Services. Resolving the issues may take more time and money than anticipated.

Addressing these flaws should be top of mind for agencies and businesses, because the breadth of impact will drive the complexity of fixing the problem, Hunt continues. If patches affect performance as much as experts report, long-term effects will be significant. This is especially true for the government, which he calls the largest buyer of IT and IT services.

“From a budgetary perspective, if my performance impact is 30%, nobody has budgeted for the cost of additional hardware and capacity so [agencies] can provide services at a level people will expect,” he explains.

The tech industry has been quick to produce solutions for Meltdown and Spectre, he says. This is especially true for cloud providers, which “were most adversely affected.” However, it’s still too early to gauge the true measurable impact of these flaws.

“What worries me most is this gives an open window for the emergence of building and delivering effective exploits,” he points out. “Adversaries out there are working like mad to figure out how to take advantage of this.”

On a broader level, Hunt speaks to the quickly evolving sophistication of today’s attackers and the growing threat to federal organizations. Attackers “adopt and reuse things with remarkable speed,” he says. The moment anything is released in the wild, their knowledge is elevated. He points to the consistent, and increasingly effective, use of ransomware as an example.

“The goal for the federal government space, fundamentally it’s data and control,” Hunt says of modern cybercriminals. “Those are the two big things attackers want.”

The greatest threat to today’s government is nation-state actors intent on gaining an advantage through stealing data and information, and hiding inside systems so they can eventually leverage their power and take control of systems. For attackers targeting federal victims, the promise of system control is far more appealing than citizens’ data, he points out.

Nation-states and advanced criminals have become vertically specialized, Hunt says. If they want to spear-phish someone in the government, they’ll spend a lot of time and money figuring out exactly who to target and how to collect information on them to launch a successful attack.

Shifting cybersecurity strategies

Hunt explains what he calls the Cyber Moonshot, a strategic concept comparing cybersecurity with the once seemingly-impossible goal of landing on the moon. The idea argues achieving security will take many of the same leadership and organizational steps: leadership, a specific call to action, and a sustained investment.

“If you really look at it, our approach to solving cybersecurity has really been a piecemeal, patchwork-quilt approach of slapping something in place,” he explains. “We haven’t really taken a strategic, coherent focus to drive it across the board.”

Prior to landing on the moon, humans had the tech they needed but hadn’t put it all together to solve the problem. Hunt says today’s security industry is similar. “We get how things happen, we get what goes on, and we have a variety of solutions in place … but we haven’t acted together to apply them in a way that changes the game,” he says.

However, there is a key difference between the two: the moon landing was a finite goal. Cybersecurity threats, practices, and technology, on the other hand, are constantly evolving.

“Absolute security is absolutely impossible,” Hunt admits. “There’s always going to be a vulnerability someplace; Meltdown and Spectre are classic examples of that.”

Related Content:

• Dutch Intel Agency Reportedly Helped US Attribute DNC Hack to Russia
• Endpoint and Mobile Top Security Spending at 57% of Businesses
• Ransomware Detections Up 90% for Businesses in 2017
• Intel CEO: New Products that Tackle Meltdown, Spectre Threats Coming this Year

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/former-cia-cto-talks-meltdown-and-spectre-cost-federal-threats/d/d-id/1330923?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly five years ago, a study conducted by the MIT Sloan Management Review found that the vast majority of business managers surveyed believed that “achieving digital transformation” – the process of virtualizing operations and migrating toward the cloud – was critical to their organizations. Yet the same report showed that 63% of respondents believed their organization was too slow to embrace technological change, primarily due to a lack of communication about the strategic benefits of cloud adoption.

While in recent years the adoption of cloud-based communication and productivity tools has picked up among businesses — hybrid cloud adoption increased from 19% to 57% of organizations surveyed in a recent McAfee cloud trends report — many companies are stillskeptical about embracing cloud-based cybersecurity solutions, even as the benefits of cloud services are becoming more widely acknowledged. Still, misconceptions remain. Here are three key objections, and how to dispel them. 

Objection One: My Data Will Be Safer On-Premises.
When the servers that manage company data move from an on-premises data center into a cloud environment, security teams often feel a loss of control due to their lack of physical proximity to sensitive corporate data. Consequently, before blindly trusting a cloud provider, companies need to vet a potential cloud’s security posture by asking probing questions, for example:

• What compliance certifications has the cloud earned?
• Can cloud provider meet industry compliance regulations?
• What is the disaster recovery plan at the data center?
• How is individual customer data isolated?
• What encryption policies does the cloud employ?

Every data center and cloud provider should have clear answers to these questions before they are even considered. Even then, security teams should be mindful of the specific requirements of their own organizations and make sure the cloud services they need are available to them.

Objection Two: Do I Have To Go All In On Cloud?
Organizations don’t need to look at cloud in an either/or context. The next generation of cloud security platforms decouple the physical from the cloud, enabling organizations to meet regulatory compliance for data isolation while leveraging the cloud for remote sites and mobile users without increasing resource overhead.

In this context, organizations can leverage as much or as little cloud as they’d like. If they need certain traffic and data isolated to headquarters, organizations can direct that information through local appliances rather than redirect them to cloud-based solutions. Mixing-and-matching cloud-delivered and appliance-based security tools is also a boon for remote workers, as traffic that doesn’t need to necessarily be backhauled to an appliance at headquarters will experience less latency when processed directly through the cloud. Flexibility is at the core of these tools by not restricting customers to solutions that might be an ill fit.

Objection Three: Migration Will Be Too Disruptive
The truth is, the foundational infrastructure of the cloud is quite mature, having been developed and improved upon since the dawn of the Internet. We simply now call it the cloud, and the benefits of adoption have taken a while to funnel up to critical business decision makers. Teams need to simply do their research and find the least disruptive cloud security solution for their business – one that can scale to their needs appropriately and can be implemented seamlessly rather than upend an entire network infrastructure. 

Paul Martini is the CEO, co-founder and chief architect of iboss, where he pioneered the award-winning iboss Distributed Gateway Platform, a web gateway as a service. Paul has been recognized for his leadership and innovation, receiving the Ernst Young Entrepreneur of The … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/iboss/selling-cloud-based-cybersecurity-to-a-skeptic-/a/d-id/1330895?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The security world has been rocked by Meltdown and Spectre, two critical hardware security exploits affecting every device from smartphones to desktops to cloud servers. One lesson to learn here is that hardware security alone is not a panacea.

Memory isolation is arguably the most important security feature in modern computer architecture. For example, a malware-infested game should not be able to get access to your banking app’s login and password. These exploits demonstrate that isolation is now fundamentally broken.

Meltdown and Spectre did not come out of thin air. They are based on a long line of research on micro-architectural attacks that have been going on for over 15 years. There have been dozens of researchers doing work in this space that have led to this result. But, unless you were a part of that community, or paying very close attention, you probably had no idea that something like this was even possible.

How do these attacks work? Modern CPUs are designed to run faster using a technique called speculative execution. In this technique, the CPU looks a few steps ahead to predict what memory it might need to access and grabs that memory ahead of time, so that it is ready to go when a downstream instruction finally executes. Meltdown and Spectre effectively allow one program to read the contents of another program’s memory.

The problem is that the only direct fix for these vulnerabilities is replacing the CPU. Not only would that be exorbitantly expensive, but almost every modern CPU has this flaw, so it’s not even a viable option. We may have to wait for completely redesigned CPU architectures before we have systems fundamentally secure against Meltdown and Spectre.

The good news is that there is a workaround to patch the operating system to compensate for this hardware vulnerability, but don’t breathe a sigh of relief quite yet. First, it’s been reported that these workarounds can result in as much as a 30% impact on performance depending on the program. Second, this affects pretty much every computer and many smartphones and tablets out there, so companies are scrambling to understand their risk exposure, which of their systems are most vulnerable, and how to feasibly deploy patches in any reasonable amount of time.

The Case for Software Security
Most of us take for granted that the safest design principle is to put the most important security functionality under the control of hardware. This includes relying on the OS kernel to be isolated from user programs, relying on hardware roots of trust to bootstrap the security of your system, or pushing cryptographic keys into hardware, where they are hidden from normal programs.

What Meltdown and Spectre have shown us is that hardware-based security is no panacea. Hardware is vulnerable. It can fail. And when it does, the results are ugly and painful.

But then, you might ask, what is the option? Do everything in software? Isn’t software fundamentally easy to break? The answer is that everything is relative.

While attacking software does not require as much effort, it is certainly not an easy task either. It’s hard enough for a hacker to understand well-documented and designed software, much less software with sophisticated anti-reverse engineering and tamper resistance shields. It can still take thousands of hours to find exploitable software vulnerabilities in such programs, even by the most talented hackers.

Hardware-based security and software-based security sit on two ends of a spectrum. On one end, hardware-based security, is very difficult to break, but once broken, it is catastrophically difficult to fix. On the other end, software-based security, is easier to break, but also much easier to fix.

Not a Binary Choice
This makes for an interesting choice. Is it better to deal with software patches on a regular basis, or put all your chips on hardware and hope there won’t be an expensive catastrophic incident down the road? In the case of Meltdown/Spectre, the solution was to roll out a software fix to a hardware failure. In some sense, we are lucky that that option was available.

The choice need not be binary. From a risk management perspective, software security can be an effective hedge against hardware security failures to cushion disasters like Meltdown and Spectre. This is just another way of applying the age-old security maxim of defense in depth.

Consider the issue of protecting cryptographic keys. The hardware solution is to put keys in secure elements, Trusted Platform Modules or Trusted Execution Environments. We’ve already seen that this kind of hardware can be hacked. An alternative software solution is white-box cryptography, which protects sensitive cryptographic keys by mathematically embedding them within the implementations. Even if a hacker gets to access the code during execution, security properties of white-box cryptography ensure that the keys will still be hidden from the hacker. While it is possible to attack these techniques, it is difficult to achieve. Attackers have had to resort to sophisticated side-channel attacks to be successful. But the security industry has responded with successful countermeasures to defeat these attacks.  

The last thing we want in the security world is to come across a devastating bug and only have partial solutions with potentially substantial performance costs. We need to stop thinking about hardware security as completely impenetrable. Decision makers should seriously consider using software security mechanisms to hedge against catastrophic hardware failures.

Related Content:

• Fallout from Rushed Patching for Meltdown, Spectre
• Meltdown, Spectre Patches, Performance My Neighbor’s Sports Car
• Intel Says to Stop Applying Problematic Spectre, Meltdown Patch
• Meltdown Spectre: Computing’s ‘Unsafe at Any Speed’ Problem

Bill Horne leads Intertrust’s Secure Systems group. He has authored over 50 peer-reviewed publications in the areas of security and machine learning, and holds 33 granted patents and 44 patents pending. Horne holds a B.S. in electrical engineering from the University of … View Full Bio

Article source: https://www.darkreading.com/risk/hardware-security-why-fixing-meltdown-and-spectre-is-so-tough/a/d-id/1330908?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There is a disconnect between businesses’ ideal security practices and their actual strategies. Some 77% of companies cite data-at-rest security tools as the most effective for preventing breaches but fall toward the bottom (40%) of security spending priorities, new data shows.

In its 2018 Data Threat Report, Thales teamed up with 451 Research to poll 1,200 senior security execs around the world. They discovered 94% of respondents use sensitive data in the cloud, big data, IoT, container, blockchain, and/or mobile environments. Forty-four percent say they feel “very” or “extremely” vulnerable to data security threats.

For 57% of businesses, the bulk of security budgets goes toward endpoint and mobile security technologies, followed by analysis and correlation tools (50%). The disconnect extends to encryption, which many cite as important but don’t allocate spending toward encryption tech.

Forty-two percent of respondents use more than 50 SaaS applications, 57% use three or more IaaS vendors, and 53% use three or more PaaS environments. Nearly half (44%) cite encryption as the top tool for increased cloud usage; 35% say it’s a necessary part of big data adoption. Encryption is also cited as the top tool for securing IoT (48%) and container (41%) deployments.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/endpoint-and-mobile-top-security-spending-at-57--of-businesses-/d/d-id/1330915?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Given the expanding threat landscape, security professionals may think that the public at large doesn’t have a good grip on what counts as sensitive information.

But MediaPro’s 2018 Eye On Privacy Report shows that the industry has made some progress.

For example, 89% of US employees rank Social Security numbers as most sensitive on a scale of 1 to 5, with 5 being the most sensitive. And another 76% rank credit card information as most sensitive.

Other evidence that employees are more aware than in the past: 87% chose to correctly store a project proposal for a new client and design specifications for a new product in a locked drawer. And nearly three-quarters of all respondents chose to either destroy an old password hint and an ex-employee’s tax form from three decades ago in a secure shredder.

“While we’ve made progress, I have to wonder about the 11% who didn’t rate a Social Security number as most sensitive,” says Tom Pendergast, chief strategist for security, privacy and compliance at MediaPro. “It would seem to me that the Equifax case from last year would have sufficiently alarmed people.”

In honor of Data Privacy Day on January 28, here are key steps for creating a corporate culture of data privacy, based on interviews with MediaPro’s Pendergast and Russell Schrader, the new executive director of the National Cyber Security Alliance. 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/operations/6-tips-for-building-a-data-privacy-culture-/d/d-id/1330914?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Intel CEO Brian Krzanich told analysts in the company’s earnings call yesterday that Intel will unveil new products “later this year” that mitigate the Meltdown and Spectre vulnerabilities.

“Our near term focus is on delivering high quality mitigations to protect our customers infrastructure from these exploits. We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year,” Krzanich said. 

Intel has been under fire in the wake of recently discovered Meltdown and Spectre  hardware vulnerabilities in most of its modern processors, which allow for so-called side-channel attacks. With Meltdown, sensitive information in the kernel memory is at risk of being accessed nefariously; with Spectre, a user application could read the kernel memory as well as that of another application. The end result: an attacker could read sensitive system memory containing passwords, encryption keys, and emails — and use that information to help craft a local attack.

In a post early this week, Intel called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors after widespread reports of spontaneous rebooting of systems affixed with the new patches. Intel said it plans to issue a fix for the Meltdown-Spectre vulnerabilites.

Meanwhile, Krzanich told analysts on the earnings call: “Security has always been a priority for us and these events reinforce our continuous mission to develop the world’s most secured products. This will be an ongoing journey, but we’re committed to the task and I’m confident we’re up to the challenge. To keep you informed, we’ve created a dedicated website and we’re approaching this work with customer-first urgency. I’ve assigned some of the very best minds at Intel to work through this and we’re making progress.” 

Read more here and from an exerpt from the call transcript, here. 

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/endpoint/intel-ceo-new-products-that-tackle-meltdown-spectre-threats-coming-this-year/d/d-id/1330920?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple