STE WILLIAMS

Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks

Luxury store chain Saks Fifth Avenue has confirmed it was the victim of a massive cyber-attack that could compromise millions of shoppers.

The Fin7 hacking group bragged it had compromised Saks’ computer systems and lifted about five million payment cards from shoppers who made purchases at the upscale clothing chain’s brick-and-mortar locations.

The claims were confirmed over the weekend by the retailer, which said it appears the data was pulled not only from Saks Fifth Avenue stores, but also from Saks OFF 5TH and Lord & Taylor stores, via infected sales terminals.

Security firm Gemini Advisory revealed the breach, saying that while only 125,000 of the stolen cards have been put up for sale so far, the hackers are advertising a total of five million payment card numbers, lifted mostly from stores in New York and New Jersey in the USA, though the firm believes much of the retail network of all three chains was infected.

“Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present,” Gemini Advisory said.

“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.”

Saks said that only its brick-and-mortar stores were ransacked by the hackers – online shoppers were not affected. While the attackers were able to harvest payment card details, such as card numbers and expiration dates, other personally identifiable information was not taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” Saks said in its notification to customers.

“We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The attack is the latest to use malware-infected point-of-sale terminals that scrape card numbers from the register’s memory as they are read from the cards, before the data can be encrypted.
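Point-of-sale memory scrapers find card data by its shape rather than by where it lives: magnetic-stripe Track 2 data has a fixed layout (start sentinel, PAN, separator, expiry, service code, end sentinel) that is easy to pattern-match in a process dump. The following is an added example, not code from the article or from any of the firms it quotes: a sweep of a raw memory buffer for Track 2 records, with a Luhn check to discard digit runs that merely look like card numbers. It is the same sweep a responder runs over a memory image of a suspect terminal to confirm whether unencrypted card data was resident. The buffer is constructed, and the card number in it is a published Visa test number, not a real card.

```python
from __future__ import annotations

import re

# Track 2 layout on a magnetic stripe: ';' PAN '=' YYMM service-code discretionary '?'
# PAN is 13-19 digits. RAM scrapers search process memory for exactly this shape,
# so a defender can sweep a memory image with the same pattern.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that only resemble a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 (issuer) and last 4 digits, the usual display truncation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> list[dict]:
    """Return plausible Track 2 records found in a raw byte buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(2).decode(), m.group(3).decode()
        if not luhn_ok(pan):
            continue                    # random digits, not a card number
        if not 1 <= int(mm) <= 12:
            continue                    # expiry month must be sane
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample "memory dump" (not from any real terminal). The PAN
# 4111111111111111 is a published Visa test number. The second record fails
# Luhn; the third has an impossible month. Neither should be reported.
SAMPLE_DUMP = (
    b"\x00\x00POS\x00;4111111111111111=2212101123456789?\x00\x00"
    b"\xff;4111111111111112=2212101000000?\x00"
    b";4111111111111111=2213101000000?\x00junk"
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_DUMP):
        print(hit)
```

The two filters matter in practice: without the Luhn and month checks a sweep over a few gigabytes of memory produces a flood of false positives, and with them a single confirmed hit is strong evidence that card data sat in the clear in that process.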

Gemini noted that, because Saks tends to attract higher-income customers, the pilfered bank cards could be particularly valuable to fraudsters.

“While diners at the affordable fast-food chain are less likely to purchase high-end electronics like Apple computers and Microsoft Surface Books, which are coveted by cybercriminals for their high liquidity, it is also easier for banks to identify unusual shopping patterns and promptly block out-of-pattern transactions,” the security consultancy said.

“However, cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/02/hacks_fifth_avenue_crooks_slurp_card_numbers_from_luxury_chain/

Qualys Buys 1Mobility Software Assets

Qualys has purchased the software assets of 1Mobility for an undisclosed sum.

Qualys, a cloud-based security provider, has acquired the software assets of 1Mobility, a Singapore-based company focused on mobile device management (MDM), data-loss prevention, and compliance enforcement.

1Mobility marks the third acquisition by Qualys in the last year. In 2017, Qualys acquired NetWatcher and Nevis Networks. Taken in total, the three companies add management and mobile capabilities to Qualys’ traditional cloud offerings.

In particular, the addition of 1Mobility features will allow compliance enforcement and assurance across cloud and mobile infrastructures. In addition, the BYOD capabilities of the 1Mobility system will allow Qualys to support management and compliance across a wide variety of devices and the enterprise cloud to which they connect.

The full integration of 1Mobility capabilities into the Qualys Cloud Platform and its Cloud Apps should be complete in 2019.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/qualys-buys-1mobility-software-assets/d/d-id/1331424?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Hack the Defense Travel System’: DoD Extends its Bug Bounty Program

The fifth US Department of Defense bug bounty program, launched with HackerOne, will target a DoD enterprise system used by millions.

The US Department of Defense and HackerOne have announced a new DoD bug bounty program, “Hack the DTS,” which will let vetted white-hat hackers take aim at the Defense Travel System, an enterprise platform used by millions of employees to book work-related travel.

This is the fifth bug bounty challenge the two have created since 2016, when the inaugural Hack the Pentagon program let participants hunt for vulnerabilities in DoD websites, applications, and networks. Hack the DTS opened registration on April 1, 2018 and will conclude on April 29.

“The scale of users, volume of travel booked, and sensitive information it is responsible for maintaining makes DTS both a compelling asset for researchers and a priority for DoD to harden its security,” says Reina Staley, chief of staff and co-founder at Defense Digital Service, who says this program will have the same execution as earlier ones but “inevitably yield unique findings.”

Eligible participants must be US taxpayers and either citizens of, or eligible to work in, the United Kingdom, Canada, Australia, or New Zealand. Proof of citizenship is required to register.

Active US military members and contractors can join the challenge if they’re eligible but can’t receive financial rewards. Anyone who submits a vulnerability report must undergo a security and criminal background check before they are rewarded for their findings, HackerOne reports.

Hack the DTS will invite up to 600 participants. Seventy percent will be chosen based on the HackerOne Reputation System, which builds track records for researchers based on the strength and relevance of earlier reports. Thirty percent will be chosen from a random lottery.

While the DoD’s initial bug bounty initiative first took security experts by surprise, the DoD’s bug bounty programs launched with HackerOne have proven a valuable resource for finding and addressing vulnerabilities. More than 3,000 flaws have been resolved since the 2016 launch of Hack the Pentagon, with ensuing programs leading to more flaws discovered and larger bounties.

“The quick, positive reception of the program has been a major win,” says Staley. “Inviting hackers to uncover vulnerabilities in DoD assets sounds counterintuitive to traditional government security practice, but the value of crowdsourcing external talent has been clear in every challenge we’ve run to date.”

The first Hack the Air Force program resulted in 207 valid reports and $130,000 rewarded to hackers for their findings. The second yielded 106 valid vulnerabilities and $103,883 paid to participants, including a single award of $12,500 for a code execution vulnerability on an Air Force Portal host system. Hack the Army in December 2016 surfaced 118 valid flaws.

While Hack the Pentagon was primarily created as a means for people to help with national security without pursuing a government career, Staley notes the program has helped find talent. A contributor to the program will join the DDS for a summer internship prior to starting college in the fall.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/hack-the-defense-travel-system-dod-extends-its-bug-bounty-program/d/d-id/1331428?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Is Security Accelerating Your Business?

With an ever-growing list of security and compliance requirements, security can hinder or slow business initiatives. Is your security department stuck in slow gear or can it go faster?

There’s a fundamental push and pull between business and security that has introduced friction over the years. With data breaches commonplace, security requirements have continued to grow in scope and, in many cases, have slowed the ability of businesses to release to market faster. Business leaders often view security as a necessity in a world of frequent data breaches, and they have learned to (or are forced to) tolerate an ever-growing list of security requirements. But why is the validation and vetting of security requirements so slow, and does it have to be?

Circumventing Security and IT
A lack of agility and responsiveness to the business ultimately gave rise to software-as-a-service (SaaS) applications that were fast and simple to deploy. Small, departmental SaaS footprints expanded enterprise-wide and eventually evolved into cross-functional application and services platforms. To a certain degree, shortcomings and delays in application deployments also gave rise to “shadow IT” — a complete circumvention of the security process.

This trend of embracing simplicity and speed has progressed into the consumerization of the infrastructure, as shown by the continued growth of infrastructure-as-a-service (IaaS) offerings such as Amazon Web Services and Microsoft Azure. With the increased adoption and simplicity of cloud deployment, the barrier to entry to spin up and deploy services has dropped dramatically, and this has increased the security gap in visibility and controls for these types of deployments.

A recent survey from RightScale on cloud adoption revealed that less than half of application or business owners plan to delegate authority to central IT for the selection of public cloud services, which supports the notion that business leaders are opting for the easiest path forward when it comes to application deployment. The flip-side of this equation is that close to half of enterprises also report slowing their cloud adoption due to a lack of security knowledge and skills according to a 2016 survey from Intel. The disparity in these perspectives on cloud authority and the ability to adopt cloud between business owners and security shows the lack of alignment on a common cloud delivery and security model.

Shifting Gears for Security
There are a number of best practices and solutions that you can embrace to accelerate both security and your business. Below are a fundamental recommendation around DevOps and some approaches that have the potential to revolutionize application and data security while speeding things up at the same time.

1. Integrate DevOps and Security 
As currently organized, security teams cannot keep pace with the review and approval gates required for production release, and in many cases they are running significantly behind on approvals. One Fortune 500 company I spoke with had a backlog of over 800 inbound requests from the business awaiting review. With over 80% of enterprises adopting DevOps and 30% going to a company-wide DevOps strategy, according to the RightScale survey, the pace of development and release will only accelerate.

The answer to speeding things up lies in changing the security validation process and drastically rethinking architectural and technology strategies. Some practitioners refer to these development process changes as “shifting left”: a more proactive approach that builds security into development and testing cycles earlier and continues it throughout the overall process. While integrating security practices into the development process provides significant optimization and should be implemented, it only affects a portion of the application development and deployment strategy.

2. Implement a Secure Computing Layer
Secure computing solutions come in different forms but share a goal: allow applications to process and compute on data either without exposing it in the clear at all, or within an execution and memory space confined to a trusted computing base. For the former, there have been innovations in cryptography and compute methodologies that allow computation on data while it remains encrypted. These newer methods do not use homomorphic encryption (which is still a long way from being practical). More importantly, they are not subject to side-channel memory attacks (like Meltdown and Spectre) and do not require application code-level modifications, which can help facilitate the migration of more workloads to cloud infrastructure while still mitigating security risks.

Another secure computing method uses enclave technologies: processor features that isolate an application’s code and memory from the rest of the system, so that a compromise elsewhere on the host does not expose them. The Apple iPhone’s Secure Enclave, which holds fingerprint and Face ID data, is a common implementation of this technology, and there are ongoing efforts to extend enclave capabilities to more traditional applications. This technique relies on specialized processor support to isolate system memory and restrict access to an application’s execution environment. While the methodology has been evolving for quite some time and shows promise, it does require code-level modifications and depends on specific hardware, making it less adaptable for cloud workloads in the shorter term.

3. Utilize Advanced Application Access Control Frameworks
The dynamic nature of today’s computing environment, especially in cloud and hybrid environments, requires a different access control model that goes beyond traditional network access control lists. The heavy utilization of containers, microservices, and API-based calls means that security needs to better understand the overall access model and leverage alternate ways to authenticate users, applications, and service calls.

There are emerging, policy-driven approaches that establish access profiles based on explicit identifiers and attribution to build a more dynamic access and authorization security model. These access frameworks ultimately reduce the amount of work involved in architecture reviews and provide the flexibility to remain secure when the infrastructure changes or moves.

It’s not news that businesses are trying to leverage technology infrastructure that can move faster. By circumventing the traditional security requirements review and validation process, and inventing a new one with alternative technological approaches, security can also move faster and accelerate the business.

Ameesh Divatia is Co-Founder and CEO of Baffle, Inc., which provides encryption as a service. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the service …

Article source: https://www.darkreading.com/cloud/is-security-accelerating-your-business/a/d-id/1331387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Any social media accounts to declare? US wants travelers to tell

The US Department of State wants to ask visa applicants to provide details on the social media accounts they’ve used in the past five years, as well as telephone numbers, email addresses, and international travel during this period.

The plan, if approved by the Office of Management and Budget, will expand the vetting regime applied to those flagged for extra immigration scrutiny – rolled out last year – to every immigrant visa applicant and to non-immigrant visa applicants such as business travelers and tourists.

The Department of State published its notice of request for public comment in the Federal Register on Friday. The comment process concludes on May 29, 2018.

The notice explains that the Department of State wants to expand the information it collects by adding questions to its Electronic Application for Immigrant Visa and Alien Registration (DS-260).

The online form will provide a list of social media platforms – presumably the major ones – and “requires the applicant to provide any identifiers used by applicants for those platforms during the five years preceding the date of application.”

For social media platforms not on the list, visa applicants “will be given the option to provide information.”

The Department of State says that the form “will be submitted electronically over an encrypted connection to the Department via the internet,” as if to offer reassurance that it will be able to store the data securely.

It’s perhaps worth noting that Russian hackers penetrated the Department of State’s email system in 2014, and in 2016, the State Department’s Office of Inspector General (OIG) gave the agency dismal marks for both its physical and cybersecurity competency.

The Department of State estimates that its revised visa process will affect 710,000 immigrant visa applicants attempting to enter the US; its more limited review of travelers flagged for additional screening only affected an estimated 65,000 people.

But around 10 million non-immigrant visa applicants who seek to come to the US can also look forward to social media screening.

In a statement emailed to The Register, a State Department spokesperson said the proposed changes follow from President Trump’s March 2017 Memorandum and Executive Order 13780 and reflect the need for screening standards to address emerging threats.

“Under this proposal, nearly all US visa applicants will be asked to provide additional information, including their social media identifiers, prior passport numbers, information about family members, and a longer history of past travel, employment, and contact information than is collected in current visa application forms,” the spokesperson said.

The Department of State already collects limited contact information, travel history, family member information, and previous addresses from all visa applicants, the spokesperson said.

The handful of comments submitted so far decry the proposed changes.

“I strongly disagree with these changes as they presume guilt of every individual applying for a visa,” writes an individual posting under the name Malia Robinson. “I could not possibly remember all the information that is asked for, therefore setting the possibility for entrapment due to simple forgetfulness. This will deter foreign citizens from wanting to come to the US, which will have potentially profound impacts on economic sectors, research and industry, thus creating threats to the US that are likely to outweigh the speculative threat of ‘terrorism.’ This is regressive and xenophobic posturing that is akin to something we would see in authoritarian regimes. It is fundamentally un-American.”

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/30/us_government_travelers_social_media/

10 Women in Security You May Not Know But Should

The first in a series of articles shining a spotlight on women who are quietly changing the game in cybersecurity.

Image Source: Elvira Koneva via Shutterstock

Kelly Jackson Higgins contributed to this article.

Cybersecurity doesn’t have enough people.

The industry is expected to have 1.8 million unfilled positions by 2020, a 20% increase from 2015, and signs of a skills shortage continue to plague the industry. Businesses don’t have enough security professionals in-house, and many of those they do have lack the necessary skillsets.

Gender inequality pervades the male-dominated tech space, meanwhile, where only 49% of female employees feel both genders are treated equally, according to a new report from Indeed. The lack of diversity extends into cybersecurity, where women make up only 11% of the workforce, reports (ISC)². There is no clear-cut answer for the massive gender gap, but a number of factors seem to be at play. Consider salary, for instance: women earn lower salaries than their male counterparts in cybersecurity and women who identify as minorities make even less.

In an effort to celebrate and shine a light on some of the work women are doing in cybersecurity, Dark Reading is publishing a series of articles that identify women who may not be as well-known in the industry (yet), but who are making key contributions. This first installment includes ten women in various sectors of cybersecurity, who were selected based on recommendations and research. The list is in no particular order.

This is just the first in a series on women you may not know about, but whose work you might see more of in the future. If you know someone who fits the bill, please send us their names and any information about them and their work, to [email protected] We expect to see the list get much longer.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/careers-and-people/10-women-in-security-you-may-not-know-but-should/d/d-id/1331410?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Accused LinkedIn, DropBox Hacker Appears in US Court After Diplomatic Battle

A Russian national indicted for the 2012 LinkedIn hack that led to the theft of 117 million passwords has been extradited from the Czech Republic to the US.

Yevgeniy Nikulin, the Russian hacker accused of being responsible for breaching DropBox and the 2012 LinkedIn attack that saw 117 million passwords stolen, has been extradited to the US in a process that has implications for the larger relationship between the US and Russia.

Detained in the Czech Republic since October 2016, Nikulin had requested asylum there after warrants for his arrest were issued by both Russia and the US. The Czech government denied his bid for asylum and turned him over to the US, where he appeared in a federal courtroom on Friday morning.

During his initial court appearance in San Francisco, Nikulin’s attorney told the judge that his client has severe medical issues that require immediate attention. A medical evaluation has been ordered by the court.

Russia’s government has expressed its displeasure with the decision to turn him over to the US, saying that the Czech government reached its conclusion without considering all the available facts.

According to a report on CNN, the Czech minister of justice made the decision after considering the seriousness of the charges leveled by the US and Russia and the two countries’ intensity of desire to extradite and prosecute Nikulin.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/accused-linkedin-dropbox-hacker-appears-in-us-court-after-diplomatic-battle/d/d-id/1331413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch

Issue affects Windows 7 x64 and Windows Server 2008 R2 x64 systems.

Microsoft has rushed out an out-of-cycle security patch to address a problem created by what were supposed to be fixes for the Meltdown vulnerability, previously issued for 64-bit Windows 7 and Windows Server 2008 R2.

In an advisory Thursday, the company urged anyone running Windows 7 for x64 systems or Windows Server 2008 R2 for x64-based systems to immediately install the new update. The advice applies to all organizations and users that have installed any of Microsoft’s security updates during or after January 2018.

The update, for CVE-2018-1038, stems from a warning by Swedish penetration tester Ulf Frisk that Microsoft’s Meltdown patches for Windows 7 and Windows Server 2008 R2 created a bigger hole than the one they were designed to fix.

The flawed patch allowed any running process on these systems to read the complete contents of memory and to write to it as well. “Exploitation was just a matter of read and write to already mapped in-process virtual memory,” Frisk said. “No fancy APIs or syscalls required — just standard read and write.” The problem stemmed from a permission bit in a key memory table (the top-level page table, the PML4) being set to “user” rather than “supervisor” mode.

“This made the page tables available to user-mode code in every process,” rather than only by the kernel itself, Frisk said.
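To make that permission bit concrete, here is an added example, not from the article, from Frisk’s write-up or from Microsoft, that decodes the flag bits of an x86-64 page-table entry, shows how a self-referencing PML4 entry maps the page tables into the virtual address space, and flags kernel-half entries that carry the User/Supervisor bit. A user-accessible self-map is exactly the condition that lets ordinary reads and writes in a process rewrite its own page tables and hence reach all physical memory. The entry values are constructed; the self-map index 0x1ED and the resulting address are the ones Windows 7 x64 used, which the article itself does not state.

```python
from __future__ import annotations

# x86-64 paging structures (PML4E/PDPTE/PDE/PTE share this flag layout)
PTE_PRESENT = 1 << 0
PTE_WRITE = 1 << 1
PTE_USER = 1 << 2        # U/S bit: 1 = accessible from user mode, 0 = supervisor only
PTE_NX = 1 << 63
PTE_ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 hold the physical frame address
IDX_MASK = 0x1FF                        # each paging level indexes 512 entries
KERNEL_HALF_FIRST_IDX = 0x100           # PML4 slots 256..511 map the upper (kernel) half


def decode_pte(entry: int) -> dict:
    """Pull the security-relevant flags and the frame address out of a raw entry."""
    return {
        "present": bool(entry & PTE_PRESENT),
        "writable": bool(entry & PTE_WRITE),
        "user": bool(entry & PTE_USER),
        "nx": bool(entry & PTE_NX),
        "phys": entry & PTE_ADDR_MASK,
    }


def split_va(va: int) -> tuple[int, int, int, int, int]:
    """Split a virtual address into PML4, PDPT, PD, PT indices and page offset."""
    return ((va >> 39) & IDX_MASK, (va >> 30) & IDX_MASK,
            (va >> 21) & IDX_MASK, (va >> 12) & IDX_MASK, va & 0xFFF)


def self_map_va(idx: int) -> int:
    """Virtual address of the PML4 itself when PML4[idx] points back at the PML4's
    own frame: the same index is used at every level, then the address is
    sign-extended to canonical form (kernel half when bit 47 is set)."""
    va = (idx << 39) | (idx << 30) | (idx << 21) | (idx << 12)
    if va & (1 << 47):
        va |= 0xFFFF_0000_0000_0000
    return va


def user_reachable_kernel_entries(pml4: dict[int, int]) -> list[int]:
    """Indices of present kernel-half PML4 entries whose U/S bit is set.
    On a kernel that keeps the upper half supervisor-only, any index returned
    is a finding: user-mode code can walk (and, if writable, edit) that subtree."""
    return [i for i, e in sorted(pml4.items())
            if i >= KERNEL_HALF_FIRST_IDX and e & PTE_PRESENT and e & PTE_USER]


# Constructed PML4 fragments (not dumped from a real machine). Slot 0 is an
# ordinary user mapping, so U/S=1 there is normal. Flag byte 0x63 = P|RW|A|D,
# supervisor-only; 0x67 adds U/S, the state the flawed patch left the
# self-reference in.
PML4_GOOD = {0x000: 0x0000_0000_0012_3067, 0x1ED: 0x0000_0000_0018_7063}
PML4_BAD = {0x000: 0x0000_0000_0012_3067, 0x1ED: 0x0000_0000_0018_7067}

if __name__ == "__main__":
    print("PML4 self-map at", hex(self_map_va(0x1ED)))
    print("indices of self-map VA:", [hex(i) for i in split_va(self_map_va(0x1ED))])
    print("good table findings:", user_reachable_kernel_entries(PML4_GOOD))
    print("bad table findings:", [hex(i) for i in user_reachable_kernel_entries(PML4_BAD)])
```

The same index appearing at all four levels is what makes the self-map useful to the kernel: the page tables become addressable at a fixed virtual address. Once the entry guarding that address is marked User, the hardware no longer distinguishes the kernel from the process when that region is touched, which is why no syscall or API was needed.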

Chris Goettl, director of product management at Ivanti, says the vulnerability created by the Microsoft patch is significant and needs to be addressed with haste.

“When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it,” he says. “It is a significant vulnerability and leaves those systems pretty much exposed” without the update.

At this point, those with affected systems should test the new patch quickly and roll it out. Another option for those that don’t have the time to test the new patch will be to roll back the March update and wait for Microsoft’s April update, which is due April 11.

“We are close to the April update,” Goettl says. “Our guidance is to either apply the new update or roll back the March update” for 64-bit Windows 7 and Windows Server 2008 R2 systems, he says.

Organizations should not make the mistake of assuming the issue is just another Meltdown/Spectre wrinkle and wait for things to settle down, cautions Jack Danahy, CTO and co-founder of Barkly. “This is an easy-to-exploit zero-day vulnerability and a much more probable attack vector than the original problem that Microsoft was trying to correct.”

Unlike problems created by Spectre and Meltdown, “this isn’t just a cleanup exercise. Microsoft accidentally distributed a new zero-day vulnerability of their own design.”

The error is an example of the kind of issues that can crop up when things are rushed, he says. Fixing bugs is akin to serious software development, and it creates the same opportunities for mistakes, Danahy notes.

“I think that this will only serve to further deteriorate organizational willingness to apply patches automatically and without their own testing,” he says. “I’m personally hoping that everyone deploys this patch to CVE-2018-1038, because this vulnerability is so easy to exploit that there are already exploit toolkits integrating it.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/microsoft-rushes-out-fix-for-major-hole-caused-by-previous-meltdown-patch/d/d-id/1331415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

150 million MyFitnessPal accounts compromised – here’s what to do

Under Armour’s hugely popular fitness tracker, MyFitnessPal, has been hacked. If you’re one of the 150 million or so users of the app or website don’t panic, but do change your password.

If you use Facebook to log in to MyFitnessPal you do not need to change your Facebook password.

If you use your MyFitnessPal password on any other websites, change your password on those websites – choose a different, strong password for each one (consider using a password manager if that sounds too difficult).

Under Armour says it’s notifying users of MyFitnessPal about the breach. It’s possible that criminals will try to take advantage of this by sending malicious tweets or emails that look like they’ve come from Under Armour.

You can protect yourself by being proactive: read Under Armour’s notice of data breach and check its account security FAQs.

Don’t click on links in emails that seem to have come from Under Armour or MyFitnessPal. The company has made a clear statement that it will not send emails with links or attachments about this issue:

Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal

If you need to visit MyFitnessPal, use a browser bookmark if you have one; if you don’t, open your browser and type the address https://www.myfitnesspal.com/ yourself, or just use the app on your phone.

The bad news

On 29 March 2018 Under Armour began informing users of MyFitnessPal that it had suffered a data breach at some point during the previous month:

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

The data at risk are the credentials used to access MyFitnessPal accounts:

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

Crooks have therefore had at least a month to send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).

That’s why it’s important that you change your password on your MyFitnessPal account, and any other accounts using the same password, without delay.

Since the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk.

MyFitnessPal is a fitness tracker that knows your name, address and age, and tracks your diet and exercise. That data might not seem very important (and losing it certainly isn’t as serious as losing control of, say, your banking details), but it is the kind of information that can be used to make social engineering attacks, such as phishing, more convincing.

The not so bad news

People, processes and software are imperfect and breaches can happen to anyone, even companies that take every reasonable precaution to prevent them.

The damage caused by a breach is in large part a matter of how well it’s been planned for and how it’s handled when it happens.

It’s not uncommon for more facts to come to light in the weeks and months following a breach, not least because companies are often still investigating them when they first notify customers.

With that caveat, Under Armour appears to have done a lot right:

  • The breach was identified reasonably quickly.
  • The notification was fairly prompt, clear and unspun.
  • The data affected by the breach is limited in scope.
  • Most passwords seem to have been properly protected.

The storage of passwords is particularly important – by hashing your passwords with bcrypt MyFitnessPal has given you a fighting chance.

The crooks haven’t got your password – they’ve got a hash of your password that needs to be cracked.

Cracking costs money (because it takes time and computing power) and bcrypt is designed to make seriously heavy weather of it.

How much resistance bcrypt puts up depends on how it’s configured (on the number of iterations it uses), and Under Armour has not provided that information.
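The point about configuration is easy to see in code. The following is an added example, not code from the article, from Under Armour or from MyFitnessPal. bcrypt itself is not in the Python standard library, so it uses PBKDF2-HMAC-SHA256 from hashlib instead; that is a deliberate substitution, chosen because PBKDF2 exposes the same defensive knob the article is talking about: an iteration count that multiplies the cost of every guess an attacker has to make. The function names (hash_password, verify_password, login, needs_rehash, measure_iterations_for) and the record format are this example’s own assumptions.

```python
"""Tunable work factor for stored passwords (added example, not the article's code).

Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. Like bcrypt it
has a per-user salt and a cost parameter that the site operator chooses; here the
parameter is the iteration count, stored alongside the hash so it can be raised
later without breaking existing logins.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"   # hypothetical record tag used by this example


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)   # random per-user salt: each hash must be attacked separately
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def iterations_of(record: str) -> int:
    """Read the work factor back out of a stored record."""
    return int(record.split("$")[1])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, policy_iterations: int) -> bool:
    """True when a record was made with a weaker setting than current policy.
    A site whose older hashes lag behind its current scheme migrates them this way."""
    return iterations_of(record) < policy_iterations


def login(password: str, record: str, policy_iterations: int) -> Tuple[bool, Optional[str]]:
    """Check a login attempt. On success, return an upgraded record when the stored
    one is below policy (the only moment the plaintext is available to rehash it)."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, policy_iterations):
        return True, hash_password(password, policy_iterations)
    return True, None


def measure_iterations_for(target_seconds: float, start: int = 1000,
                           ceiling: int = 1 << 24) -> int:
    """Double the iteration count until one hash takes at least target_seconds on
    this machine. The result is hardware dependent on purpose: the cost is tuned
    to what the server can afford per login, and every guess an attacker makes
    pays the same price."""
    iterations = start
    while iterations < ceiling:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"\x00" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            break
        iterations *= 2
    return iterations


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    old = hash_password("correct horse battery staple", 2000)
    print("stored:", old)
    ok, upgraded = login("correct horse battery staple", old, 4000)
    print("login ok:", ok, "| upgraded to", iterations_of(upgraded), "iterations")
    print("iterations for ~50 ms on this host:", measure_iterations_for(0.05))
```

The transparent rehash in login is the piece most relevant to a notice that says only “the majority” of hashes used the strong scheme: the remaining records can only be upgraded when the user next presents the password, which is one more reason a prompt password change after a breach matters.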

Dean Pierce is a blogger who decided to have some fun cracking hashes that were leaked during the Ashley Madison data breach. His experience shows how well bcrypt can defend your password after a breach if the iterations are dialled up.

Pierce set out to crack six million hashes using oclHashcat running on a $1,500 bitcoin mining rig (a very efficient setup for cracking passwords).

After five days and three hours of continuous number crunching he turned off his rig. He had cracked just 4,000 of the very worst passwords.

There’s a good chance that your MyFitnessPal password is still unknown, even though it was leaked over a month ago, which is why what you do today matters.

Change it now and you aren’t just making your account safe, you’re making sure that any time and money the crooks have committed to cracking your password is wasted.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QwCSD9HUraA/

The Cybersecurity Mandates Keep On Coming

There’s a good reason for the proliferation of mandates like the one in New York state, but companies may struggle to answer this question: “Are we in compliance?”

Financial organizations are no strangers to regulation, but when it comes to cybersecurity, new mandates keep cropping up, and for good reason. According to a study from Accenture and the Ponemon Institute, the global financial services sector has experienced a 40% increase in the cost of cyberattacks during the past three years. Cyber heists against a string of banks (such as $81 million stolen from the Bangladesh central bank and $6 million from a Russian bank) and high-profile data breaches of well-known global financial organizations have demonstrated that financial companies are top targets for cybercriminals.

With threats more complex than ever, and with more data to protect and more technologies touching that data, more cyber regulation is bound to happen. One of the most recent mandates is the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation. While the mandate first took effect March 1, 2017, important deadlines arrived on February 15 and March 1, 2018, including the requirement for a senior officer to certify that their organization is in compliance with the initial set of mandates. It’s the first cyber regulation of its kind requiring that a specific individual attest to compliance.

The NYS DFS Cybersecurity Regulation is meant to help financial organizations establish a risk-based security program. Most provisions include the phrase “based upon the covered entity’s risk assessment…” Requirements include hiring a chief information security officer (CISO), implementing multifactor authentication, performing continuous monitoring or annual penetration testing, providing notification within 72 hours of a breach occurring, monitoring for anomalous behavior, and more.

The regulation is mandatory for large global financial organizations that have operations in New York state and smaller organizations that have as few as 10 employees, with a $5 million gross revenue and $10+ million in total assets. As of March 1, covered financial institutions are on the hook for all but the few of the regulation’s mandates that do not take effect until September 2018 or March 2019.

As they work to meet the NYS DFS compliance mandates, many of those same financial organizations are also working to comply with the upcoming EU General Data Protection Regulation (GDPR), which takes effect May 25 and affects any company that collects data on EU citizens, as well as the SWIFT Customer Security Controls Framework, which took effect January 2018 and requires banks that use the SWIFT global messaging platform to implement controls on SWIFT-connected infrastructure, such as multifactor authentication, continuous monitoring, and anomalous behavior detection. Each mandate comes with its own set of penalties including hefty fines (noncompliance with the GDPR could lead to a fine of up to 4% of global annual turnover).

The layering of mandates along with increasing penalties sends a message to financial organizations: dedicate budget, time, and resources to protecting your most-valued assets. The good news is that the message has resonated among many large financial organizations. Most global banks we have worked with already have established cybersecurity programs that fulfill many of the required mandates in part or whole. They have CISOs with policies, training programs, processes, tools, and technologies rolled out to handle access controls, authentication, data protection, vulnerability management, third-party risk management, and other important cyber requirements.

Biggest Challenge
The greatest challenge for these banks is taming the cyber beast that results from their size and complexity. Most have a cacophony of tools, vendors, and processes, resulting in uneven protection and a lack of visibility into their assets and the cyber risks that may affect them. This is enough to give any board member or senior officer pause when certifying that their organization is in compliance with the NYS DFS mandate.

The good news is that most are moving quickly to improve. To manage their risk and comply with regulations like the NYS DFS Cybersecurity Regulation, most large financial services organizations are performing risk assessments as part of an overall risk-based approach and are deploying cyber-risk and user behavior analytics tools and processes to improve how they protect themselves from external and internal threats. The additional benefit is that these organizations will be able to sign their NYS DFS Cybersecurity Regulation certifications with a more complete knowledge and increased confidence.

Midsize and smaller financial organizations, however, may struggle to comply with the many mandates. They typically have less-mature security programs, lower budgets, and fewer resources. For those banks and any others working toward compliance, a good place to start is to assign an executive responsible for cybersecurity. Using their own experience or that of a third party, they will conduct a comprehensive risk assessment. A risk assessment will include identifying which assets matter most to the organization, those assets that if compromised would affect the organization the most, and a plan to bring the organization up to industry standards and in compliance with the NYS DFS mandate.

The actual covered entities themselves are not the only ones that need to pay attention. Increasingly, regulators are explicitly holding covered entities accountable, regardless of the fact that a third-party service provider may be responsible for a violation. That means that third-party service providers will need to provide the same level of compliance as the entities themselves, regardless of their own location or industry. For example, even those companies operating outside of New York state need to understand and comply with the regulations under which their NYS financial clients are obligated, and those operating outside the EU need to comply with GDPR.

Prioritizing the “crown jewels” of the organization is inherent to adopting a risk-based approach, which is the focus of the NYS DFS mandate. By focusing their programs on the areas of greatest risk, organizations will make the most of their limited resources while protecting the assets that are the most important for the company to be successful.


Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and …

Article source: https://www.darkreading.com/risk/compliance/the-cybersecurity-mandates-keep-on-coming/a/d-id/1331366?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple