Cloud Security By The Numbers


As IT executives and business leaders finally get their arms around analyses of the business opportunities versus the security risks of cloud adoption, the industry is increasingly quantifying the friction between the two. We’ve put together some numbers to show perception over some of the hot-button issues, as well as current progress toward smoothing the way for secure cloud transformations.

Quantifying the perceptions around cloud security practices.

Security Still Trumps All Other Concerns

According to a recent InformationWeek Reports survey, security and data resiliency issues make up four of the top 10 concerns IT holds about cloud adoption. Sitting atop that list is concern about security defects in the cloud technology itself.

Source: InformationWeek

 
Cloud Breach Odds

IT pros seem to be split nearly right down the middle as to whether using cloud services increases the risk of a data breach. Approximately 51% say sending data to the cloud increases or significantly increases that risk.

Source: Netskope

 
Confident With Cloud Security

Line-of-business leaders, meanwhile, are more confident in the security of the cloud. In fact, more than a third believe it actually improves security, according to a survey of nearly 600 Harvard Business Review readers.

Source: Verizon

 
Raising The Stakes On Breach Risk

However, the use of the cloud does raise the stakes for breach impact. According to a recent Ponemon Institute report, the financial impact of a breach involving SaaS is about 1.5 times that of a comparable breach of data held on on-premises infrastructure.

Source: Netskope

 
Cloud Encryption Lags

The added impact of a cloud breach is further exacerbated by lackluster cloud encryption practices. The percentage of organizations that use encryption to secure sensitive data in the cloud hovers at only about a third worldwide.

Source: Safenet

 
Cloud Fogs Up Policy Visibility

The truth is that most security organizations still struggle to extend corporate data governance policies to the public cloud, and they have a hard time maintaining visibility into security policy across a hybrid cloud infrastructure.

Source: Algosec

 
Cloud Enforcement Gap

That’s probably why they can’t seem to enforce cloud policies very well. According to a report by Skyhigh Networks, there’s a perception gap in how well companies are blocking unauthorized use and uploading to cloud apps compared to their intended policy enforcement actions.

Source: Skyhigh Networks

 
How Big Of A Shadow IT Problem Do You Really Have?

A survey conducted by the Cloud Security Alliance on behalf of Netskope also found that IT departments may be underestimating the number of cloud apps used across the business. More than half of these departments believe the business is running 10 or fewer cloud service apps. Data from Skyhigh Networks, by comparison, puts the average number closer to 800.

Source: Cloud Security Alliance

 
Security Team MIA In Cloud Buys

Many of the struggles IT faces in the cloud can be summed up here, according to a Ponemon Institute study: Just 9% of IT security organizations are always involved in decisions regarding cloud procurement. Worse, 47% are rarely or never involved.

Source: SafeNet

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

[Dark Reading]

9 Core Capabilities That Define An ICS Security Platform

Securing industrial control system (ICS) networks is crucial in this age of advanced persistent threats. Stuxnet changed the game for ICS a few years ago, and in 2014 it changed again with the Havex RAT variant, which used techniques far more innovative than any threat we had yet seen targeting this industry.

With these threats in mind, Mario Chiock, a leading cybersecurity and disruptive technology executive adviser, and I got to thinking about what core capabilities really need to go into an ICS security platform. Naturally, that discussion led to the development of a full list of recommendations, which we’re pleased to share with you in a new paper.

Click here to access your copy of “Defining the 21st Century Cybersecurity Protection Platform for ICS.”


[Palo Alto Networks Blog]

A Look at the Fourth Annual IT Audit Benchmarking Study

This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:

  • Today’s Top Technology Challenges
  • IT Audit in Relation to the Internal Audit Department
  • Assessing IT Risks
  • Audit Plan
  • Skills and Capabilities

The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.

“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”

Top Technology Challenges
The survey also revealed the top 10 technology challenges that respondents say their organizations face today:

  1. IT security and privacy/cybersecurity
  2. Resource/staffing/skills challenges
  3. Emerging technology and infrastructure changes: transformation, innovation, disruption
  4. Regulatory compliance
  5. Budgets and controlling costs
  6. IT governance and risk management
  7. Big data and analytics
  8. Vendor, third-party and outsourcing risks
  9. Cloud computing/ virtualization
  10. Bridging IT and the business

Establishing Organization-wide Support for IT Audit
The IT Audit Benchmarking Study found that more than half of the largest public companies surveyed have a designated IT audit director or equivalent position within their organizations, and 48 percent reported that these individuals regularly attend audit committee meetings – a number that has doubled over the past three years. Additionally, respondents indicated that their audit committees have increased their involvement in the IT risk assessment process, with 20 percent reporting significant involvement as compared to 14 percent in 2013.

The increased resources and attention to IT audit is a positive sign that companies of all sizes around the world are recognizing the significant benefits of this critical function.

Small Gains in IT Audit Risk Assessments
The ISACA/Protiviti survey also reveals a modest uptick in the number of organizations that update their IT audit risk assessment on a continual basis. However, this number still remains low—around 15 percent—for even the largest companies.

Additional Highlights
Other research findings of note include:

  • Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and SOGP. In practice, organizations may utilize a combination of these frameworks to complete their risk assessments.
  • Across every region and size of respondent organization, lack of resources ranks as the top reason why companies are using outside resources to augment their IT audit skills – and in fact, the percentages are very consistent. These findings are also in line with the top technology challenges outlined above.

I encourage you to view the full results at www.isaca.org/2014ITauditstudy.

Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President

[ISACA]

Palo Alto Networks 2015 Predictions: Threat Prevention

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.) 

I know this is a cliché statement, but this year has flown by at the speed of light. I love looking to the future and I can’t wait to see how next year will shape up. Looking back on a few key trends in threat prevention for 2014, I can provide some insight into what awaits us in 2015. Here are three trends that stuck out as important indicators of what’s to come in the next year.

1. Attackers will use more legitimate and convoluted means to launch widespread attacks.

You’ve likely seen the word “malvertising” tossed around. This attack method has been around for a few years, and Yahoo! and AOL were both targets in September and October of this year, earning attackers thousands of dollars per day.

But the use of malvertising as an attack method is a shift from the kind of dark-corner trickery seen in spear phishing and packet sniffing to a technique that leverages a legitimate business process to do all the hard work normally involved in delivering malware. The process gives the attacker access to potentially millions of users with minimal effort. All the attacker has to do is design the malvertisement code.

We’ll be seeing a lot more of these types of malware delivery methods: not just malvertising campaigns, but also the use of bona fide business procedures to deliver malware and amplify results. Widely used business channels with little to no security are tempting targets for attackers; they provide a constant stream of unsuspecting targets and feature lots of moving parts that make it extremely difficult to track down the attackers. It will require careful coordination to make these channels more secure.

2. Application security is getting better all the time. However, we will continue to see a steady stream of zero-days, mostly related to legacy code.

Secure coding practices have become a part of the software developer’s everyday life. In the past few years, we’ve seen more application security and development teams turn to static and dynamic analysis to catch code and business logic vulnerabilities and fix them before the application is released or updates are pushed.

Customers are starting to build time-to-fix clauses with monetary penalties into their contracts with vendors. If anything is clear in the B2B universe, it’s that vulnerabilities affect application integrity, which affects customer trust, which affects revenue. It’s easier and much cheaper to fix vulnerabilities during the early development cycle than once an application has reached production or even QA.

However, this also means that legacy code is much more expensive to fix, even if a vulnerability in it has not yet been exploited in the wild. Combined with the fact that black hat hackers continue to get more creative, this is why the number of CVEs reported in 2015 will be at least equal to, if not greater than, the number reported in 2014.

Chart sources: CVE counts for 2010 through 2013 taken from Secunia (http://secunia.com/vulnerability-review/vulnerability_update_all.html); CVE counts for 2014 taken from https://cve.mitre.org/.

3. IPS functionality and firewall functionality will meld more than it already has.

As the enterprise market sees the benefits of a true platform-based approach to security, I suspect we’ll see more vendors phasing out stand-alone and UTM security solutions. What better way to truly bolster the way IPS handles security than by including other defensive techniques like decryption, decompression, application-ID, user-ID, data-loss prevention, and sandboxing?

The market’s move from traditional IPS to Next-Generation IPS to NGFW + NGIPS already started, but there’s more innovating to be done to supply security that keeps up with what the bad guys are doing. There’ll be more appeal than ever for a single, integrated platform that “does it all,” doesn’t require users to take a performance hit, and can be used anywhere from data centers to the cloud.

So, who else is excited for 2015?

Threat prevention is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]

Risk Management That Embraces Privacy Can Strengthen Security

It is hard to imagine a world in which we didn’t use the Internet at work. Fifteen years ago, it was a luxury. Today, Internet use at work is mission-critical. We’ve evolved from casually getting online to search for basic information about a company to doing such critical things as accessing webmail, posting to and monitoring social media, and transferring and storing files in the cloud.

Unfettered Internet access at work has empowered us to defy geographical and time constraints to communicate with colleagues, vendors and customers located around the globe, develop content and code, and share in real time, 24x7. It also allows us to shop, gamble, chat with friends, check bank balances, pay bills and generally “cyber loaf” on the company network, to the tune of US $178 billion in lost productivity annually, according to U.S. security company Websense. According to IDC, 30 to 40% of Internet access time is now spent on non-work-related browsing, and 60% of all online purchases are made during working hours.

Declining productivity is not the only fallout of these trends. Employees’ personal online activity is becoming a major cyber threat vector, with 90% of malware that goes fully undetected now being delivered via web browsing.

The prevalence of smartphones and social media and our evolution into an “always on” society have further blurred the lines between personal and professional lives, bringing our privacy into question and leaving lawmakers dumbfounded as to how to govern personal privacy in light of these changes.

Absent legislation that helps companies navigate this new reality, some companies, in an effort to curb the growing amount of personal time employees spend online at work, have implemented monitoring systems that leave employees feeling watched and mistrusted, without really solving the problem of protecting the company network.

The good news is that incorporating individual protection into your risk management strategy can actually make your organization MORE secure. By championing employee privacy, you can empower individuals to become personally accountable for their decisions online and engage them in protecting the organization. You can achieve this by separating personal and work assets and providing employees a private portal through which to conduct their personal online business at work. By isolating personal browsing from the corporate network, employees can surf and communicate freely and securely, while corporate assets are shielded from employee activity.

David Melnick, CEO, WebLife, dave@weblifebalance.com

David will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM) Conference later this month in his presentation titled “Employee Privacy versus Organizational Security.”

[ISACA]
