3 Fundamentals for Secure Cloud Adoption

Organizations must concentrate on a prevention-focused security architecture for cloud deployment — designed to stop threats across all potential attack vectors.

The key questions to consider when adopting cloud services include:

1. Who’s really responsible for our data?
You. In public cloud environments, as the data owner, you’re responsible for your data — not the cloud service provider (CSP). And although the CSP will secure the underlying infrastructure, the safety of your applications and data is your responsibility. So you need a consistent security posture.

2. Who has access to our applications and data?
A role-based access policy can help mitigate the risk of data loss. Although the CSP will have authorisation messages in place, it’s important you decide who should have access and whether additional assurance is required.

3. What happens if there’s a security breach?
What kind of support will the CSP give if there’s a breach? It’s important to know this before launching a cloud strategy.

Understanding the risks and the challenges is a vital first step as your organization moves to make the most of the cloud. Get your copy of our new whitepaper with BT Security, “Securely Enabling Cloud Adoption” and start your next conversation.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Financial Sector Attackers Exploit Cracks in Blockchain Technology

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.  

This year saw some notable cybersecurity events in the financial services industry, including thefts from a number of SWIFT (Society for Worldwide Interbank Financial Telecommunication) member banks and from malware-infected ATMs in Asia. As we look ahead to 2017, I predict that we’ll see the following cybersecurity trends in the financial services industry.

Sure Things

  • Growing Adoption of Public Cloud – The financial services industry is the final frontier for public cloud computing. After years of saying it will never happen due to information security concerns, the industry has slowly warmed up to the use of the public cloud. Both Amazon Web Services (AWS) and Microsoft Azure already publicize a number of financial institutions as customers. Many organizations have been testing, evaluating, and conducting proofs-of-concept in 2016 with a critical eye on appropriate cybersecurity practices. A significant number of these institutions will finally adopt the public cloud for computing workloads in 2017. Initially, these may include applications that handle less sensitive data. Although there are still pockets of resistance out there in the financial services industry, they are definitely getting smaller. The appeal of agility, scalability, and cost-benefits offered by public cloud computing is irresistible, especially when security can be architected into the solution instead of bolted on.
  • Common Use of Multi-Factor Authentication (MFA) – As we saw with the recent fraudulent transactions at several SWIFT member banks, legitimate login and password credentials were somehow stolen and used to initiate fund transfers. This basic authentication technique is prone to compromise and allows account takeover (ATO) attacks. Financial institutions will finally take note and adopt more robust MFA techniques – at least internally for critical applications and sensitive data, and certainly for privileged accounts, such as root and administrator. Although not all MFA techniques are created equal, any form will create another hurdle that the cyber adversary cannot easily clear. MFA techniques are based on presenting evidence – at least two of the following:
    • Something you know (e.g., login/password, PIN)
    • Something you possess (e.g., one-time password token, mobile phone)
    • Something you are (e.g., fingerprint, retina scan)

Long Shots

  • Broad Implementation of Zero Trust Networks – Forrester Research first introduced the Zero Trust (ZT) model in 2009, but as of the end of 2016, implementations are still not widely seen. Conceptually, the information security value of restricting traffic to only known, legitimate flows between various portions of the network is difficult to refute. Any malicious activity will then be constrained by the nearest segmentation gateway.  However, the challenges with the ZT model include: difficulty in completely identifying the legitimate traffic patterns (both initially and in perpetuity); necessary cooperation across multiple disciplines (e.g., IT, security, business); and the potential for business disruptions, especially in brownfield environments. In spite of this, financial institutions will warm up to the idea of ZT for their networks and take some big strides in 2017. This will start off with pockets of network segmentation that limit traffic to/from more sensitive portions of each environment. These efforts will limit the exposure and restrict lateral movement after a compromise. In the end, it will be a question of how far down the ZT path a financial institution will go within its own network.
  • Blockchain Opens Another Attack Vector – There continues to be significant buzz regarding blockchain technology within the financial sector. Blockchain is certainly bigger than Bitcoin and is a distributed ledger technology that is being considered for payment processing, trade settlement, virtual wallets, etc. In addition to start-ups, traditional financial institutions are actively working to understand this technology and the potential impact on their organizations. Some of the benefits include greater expediency as well as reduced costs for cross-border payments, securities trading, and settlement as a result of cutting out the intermediaries. Other benefits include greater transparency and audit trails for compliance officers, auditors and regulators. Even with the best of intentions in mind, early financial industry adopters of this technology will create another attack vector, despite the inherent mechanisms for cryptography and immutability. Vulnerabilities in nascent implementations of blockchain technology will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017. This provides a segue to the next prediction.
  • Better Results from Coopetition – FinTech start-ups continue to challenge financial institutions for a share of their customers’ wallets. FinTech brings lower costs and innovative approaches to a segment of the banking and investing population. However, they often lack brand recognition, access to a large customer base, and experience with regulatory matters. On the other hand, traditional financial institutions clearly have those qualities, but often lack the agility and capacity for innovation. Traditional financial institutions are trying to embrace cloud computing to remove some of the drag, and some have even launched their own (autonomous) FinTech units. Others have embarked on collaborative efforts with FinTech companies as a means to marry the core competencies of both sub-sectors. This approach may very well be the best path to innovative solutions in 2017, which are industrial-grade in terms of scalability, enterprise architecture, cybersecurity, etc. Ultimately, this will provide lower cost financial products or services and improved customer experiences, but with safety, soundness, and regulatory compliance fully baked in.
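As an added illustration of the Zero Trust prediction above (not code from the original post): a default-deny check of the kind a segmentation gateway applies, where only known, legitimate flows between zones pass. The summary of denied flows is the raw material for the hard part the post names, identifying legitimate traffic patterns. The zone names, address ranges, allowlist and sample flows are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map; names and CIDRs are assumptions for illustration.
ZONES = {
    "user-lan": ip_network("10.10.0.0/16"),
    "app-tier": ip_network("10.20.0.0/24"),
    "payments-db": ip_network("10.30.0.0/28"),
}

# Known, legitimate flows: (source zone, destination zone, protocol, port).
# Anything not listed here is denied.
ALLOWED_FLOWS = {
    ("user-lan", "app-tier", "tcp", 443),
    ("app-tier", "payments-db", "tcp", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Return the zone containing addr, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def classify(flow):
    """Express a flow in the terms the policy is written in."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)


def decide(flow):
    """Default deny: allow only flows between known zones that are on the allowlist."""
    key = classify(flow)
    if key[0] is None or key[1] is None:
        return "deny"
    return "allow" if key in ALLOWED_FLOWS else "deny"


def denied_summary(flows):
    """Count denied flows per policy tuple, for review by security and the business."""
    return Counter(classify(f) for f in flows if decide(f) == "deny")


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.15", "tcp", 443),    # user to app: allowed
    Flow("10.20.0.15", "10.30.0.5", "tcp", 5432),   # app to database: allowed
    Flow("10.10.4.7", "10.30.0.5", "tcp", 5432),    # user straight to database
    Flow("10.10.4.7", "10.30.0.5", "tcp", 5432),    # repeated attempt
    Flow("10.20.0.15", "10.10.9.9", "tcp", 445),    # app tier reaching into user LAN
    Flow("192.0.2.50", "10.20.0.15", "tcp", 443),   # source outside every zone
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(f), classify(f))
    for key, count in denied_summary(SAMPLE_FLOWS).most_common():
        print(count, key)
```

Each entry in the denied summary is either a missing legitimate rule or traffic that should not exist, and deciding which needs the cross-discipline cooperation the post describes.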

What are your cybersecurity predictions for the financial services industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for EMEA.

[Palo Alto Networks Research Center]

Traps Earns CRN Product of the Year Award for Endpoint Security

Today is a big day for Palo Alto Networks, our partners and the momentum we’ve achieved in advanced endpoint protection. We are very proud that Traps has been recognized by CRN as the overall winner for endpoint security in CRN’s 2016 Products of the Year.

Traps is our advanced endpoint protection product and an important part of our next-generation security platform. This award validates our unwavering commitment to innovate and lead with our channel partners.

Not only did we win Product of the Year in Endpoint Security, we swept the category. And the best part: For the first time, the award is based on channel partner feedback, further underscoring the strength of our Traps channel momentum.

CRN’s coveted Products of the Year awards are given to standout products and services that represent “best-of-breed” technological innovation (Traps v3.4) backed by a supportive channel partner program (NextWave Traps Specialization). A panel of CRN editors selected five eligible products as finalists in each of the 17 different product categories. Then, CRN fielded a survey of targeted solution providers comprised of partners representing the finalist vendors. The survey asked the partners to score their experiences in the following three areas:

  • Technology – product quality and reliability, richness of product features/functionality, technical innovation and compatibility, and ease of integration
  • Revenue and Profit – demonstrated ability to drive new revenue, resulting profit margins, and demonstrated ability to attach services revenue
  • Customer Demand – demonstrated ability to meet a market or customer demand; demonstrated ability to create new customer relationships or improve existing ones

Traps not only received the highest overall score in the Endpoint Security category but also received the highest score in all three areas. To sweep such a highly competitive category, based on channel partner feedback in a market that is at an inflection point, is a huge achievement for the entire company.

Palo Alto Networks was built on market disruption. We thrive on making the previously impossible, possible. And we are ready to do it again in the endpoint market. The situation is simple: Legacy antivirus point products can no longer protect against today’s advanced cyberattacks. With Traps our partners can deliver advanced endpoint protection against both known and unknown threats.

If you aren’t already one of the 75 NextWave Traps Specialized partners worldwide, here are a few reasons – from the past month alone – as to why you might want to reconsider:

  1. Effective November 1, 2016, server pricing was reduced to align with workstation pricing.
  2. On October 6, 2016, we introduced a deal registration discount boost for NextWave Traps Specialized partners. Traps Specialized partners will receive a 5 percent boost for standard deal registration pricing and a 3 percent boost for non-standard pricing.
  3. On October 4, 2016, Coalfire Systems confirmed that organizations in the financial and healthcare sectors can replace legacy antivirus endpoint products with Traps to help prevent cyber breaches while remaining compliant with PCI and HIPAA/HITECH standards.

Finally, in addition to sweeping the Endpoint Security category, our Next-Generation Security Platform, specifically the PAN-OS 7.1 updates, earned the subcategory win in technology in the Security-Network category.

Our channel mission is to build an ecosystem of next-generation security innovators with the coverage, capacity and capabilities to elevate our leadership position in the security market. Channel partner recognition of our Next-Generation Security Platform for its superior technology is a key initial step to achieving our channel mission.

A special thank you to our partners for recognizing our efforts in both the Endpoint Security and Security-Network categories. Let’s use this recognition to our advantage and continue to break away together.

 

 

[Palo Alto Networks Research Center]

Cyber3 Conference: Actionable Takeaways for Global Thought Leaders

Palo Alto Networks recently participated in the second Cyber3 (Cyber Connect, Cyber Security, and Cyber Crime) Conference, which was held in Tokyo in late November and included official support from the Japanese government. The conference brought over 300 thought leaders from all over the world to discuss cybersecurity challenges and share best practices. As William H. Saito, Cyber3 Chairman and Special Advisor to the Japanese Cabinet Office, made clear during his opening remarks, the goal was to keep the forum interactive and contribute to better cyber resiliency.

The conference showcased the strong leadership of the Japanese government to provide a thought-provoking and multi-stakeholder platform that allows leaders in academia, business, and government to network with each other, build trust, and discuss innovations such as artificial intelligence and connected cars and cyberthreat intelligence in an open and frank manner. Japanese Chief Cabinet Secretary Yoshihide Suga was on hand for closing remarks, which underscored the government’s interest in the gathering.

This is a watershed moment for Japan. While Europe and the United States have regular cybersecurity conferences addressing both technical and strategic audiences, such as DefCon and NATO Conference on Cyber Conflict, Japan has not had such a high-level, cybersecurity-focused conference, due to the lack of interest in cybersecurity until the first Cyber3 Conference was held in Okinawa in early November 2015. The atmosphere changed drastically after September 2013, when Tokyo was chosen to host the Summer Olympic and Paralympic Games 2020. The clear deadline and mission to make the games successful sparked the Japanese to craft cybersecurity policies, invest more in cybersecurity human resources development, and move forward the public-private partnerships for information sharing and global collaboration. That is why some of the Cyber3 speakers were surprised to find out during the two-day conference how passionate the Japanese are about ensuring security for Tokyo 2020 and promoting cyberthreat information sharing.

The Japanese government hosted the G7 Ise-Shima Summit in May 2016 and included cybersecurity as a standalone topic for the first time in G7 discussions. The two consecutive Cyber3 Conferences and G7 Ise-Shima Summit’s cybersecurity documents prove the Japanese government’s firm determination to play a leading role in cybersecurity policymaking, thought leadership discussions and global cooperation.

Palo Alto Networks representatives participated in this important conference as a sponsor and as speakers and shared insights regarding automated cyberattack prevention, cyberthreat information sharing, and business risk management. Rick Howard, Chief Security Officer at Palo Alto Networks, was on the “Threat Intelligence, Information Sharing” panel and pointed out that cyberthreat information sharing has not previously worked well because security vendors monetize and compete on their information. However, cyberattacks are increasing and becoming more complicated. To improve cyber defense overall to protect users, security vendors have to pursue a collective defense. That’s why Palo Alto Networks, Fortinet, Symantec, and McAfee launched the Cyber Threat Alliance (CTA) two years ago – an example of vendors that compete directly in the market but, when it comes to shared threat intelligence, have agreed to work together for the greater good of protecting individuals, businesses and governments. U.S. President Barack Obama referred to CTA as a successful example of information sharing during the White House Cybersecurity Summit at Stanford University in February 2015.

Ryan Gillis, Vice President of Cybersecurity Strategy and Global Policy at Palo Alto Networks, moderated the “Human Resources Development” panel. First, Yasuhiko Taniwaki, Director-General of the Global ICT Strategy Bureau, Japanese Ministry of Internal Affairs and Communications, stated that the Japanese government included cybersecurity human resources development in its Cybersecurity Strategy in 2015, as Japan faces a shortage of cybersecurity talent. In July 2014, the Japanese Information-Technology Promotion Agency found that Japan has 230,000 cybersecurity professionals, and that 140,000 of them need further training; it also found that there is a shortfall of 22,000 professionals. Taniwaki encouraged academia, the government, and industries to work together to tackle the manpower challenge and pointed out that people who can bridge business leadership and IT engineers are in dire need. The Japanese government plans to create a human resources development plan by March 2017.

I appeared on a panel titled “Current and Future World, Government, and Organizations Changed by Cyber.” I reiterated the importance of a multi-stakeholder approach, which is the philosophy of Cyber3. Since the damage caused by cyberattacks is not necessarily constrained within a certain sector, a traditional stovepipe approach to combating them no longer works. We must overcome silos and work together beyond the border of organizations, sectors and nations. Several countries in the world are facing political dynamics and administration changes. Cybersecurity, however, is a bi-partisan issue and opportunity – a business and consumer enabler, not just a cost center. We should take advantage of the convenience brought by ICT and ensure security. Cybersecurity is everybody’s problem – individual, company, government, or university. At the same time, cybersecurity enriches our lives and I hope Tokyo 2020 changes our mindset under the tight deadline and creates a positive prototype of multi-stakeholder efforts to increase resiliency.

Noboru Nakatani, Executive Director of Interpol Global Complex for Innovation, pointed out a stark contrast between Japanese and non-Japanese perspectives on cybersecurity. The Japanese tend to frame breaches as information leaks and blame the insufficient cyber defense on the victim organizations. On the other hand, Americans and Europeans tend to frame breaches as hacks and often focus on how to prevent future successful cyberattacks by attackers. The trend is reflected in how the media reports cyber incidents.

Situational awareness supported by full visibility and cyberthreat information would help shift such a mindset. During the Day 2 luncheon, Rumi Horio, Security Consultant, Palo Alto Networks K.K., cited an anecdote of several blind men who touched different parts of an elephant and thought it was a fan, rope or something else. Japanese organizations are inclined to count the number of cyberattacks rather than seek methods to reduce the attack surface and prevent attackers from achieving their goals by cyberattacks. She argued that it is time to take a proactive approach rather than being reactive to damages.

Cyber3 was an insightful cybersecurity conference for mutual learning and finding new ways of partnering and collaborating to take actions based on lessons learned together. Palo Alto Networks appreciates the opportunity to have been able to sponsor and participate in the conference in 2016 and 2015.  We look forward to continuing to work with the Japanese government and global thought leaders.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Ransomware and SaaS Challenges Persist in Healthcare

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.  

2016 was the year of ransomware in cybersecurity, and it was especially impactful in healthcare. In this blog post, I’ll lay out a few predictions about the type of threats that the healthcare industry will face in 2017.

Sure Things

1. Ransomware Will Continue to Target Healthcare

I suppose this is an obvious one. Many hospitals were impacted by ransomware this past year. Hospitals in California, Indiana and Kentucky were hit especially hard by ransomware variants that target servers, as opposed to user PCs. A hospital in Washington was impacted to the point where it had to redirect patients to other facilities in order to maintain adequate quality of care.

The bad guys have turned to ransomware as their go-to choice of attack because the Bitcoin payments are anonymous and, as a business model, it is an effective way to get paid without getting caught by the police. They target healthcare because the attack vector for the highly effective SAMSA ransomware variant is through unpatched JBOSS application servers in the DMZ (the internet-facing area of a network). Hospitals have many of these servers and are being successfully exploited in increasing numbers.

With any luck, the word has been spread well enough to healthcare organizations so that JBOSS vulnerabilities have been patched or at least mitigated. However, we haven’t seen the last of this trend.  Ransomware will continue to target healthcare throughout 2017 through the standard areas of attack: web-based drive-by downloads, malicious email attachments or links, and unpatched servers in the DMZ.

2. Accidental Oversharing in SaaS Apps Will Increase, Resulting in Losses of Patient Data

Medical staff love to use cloud file-sharing SaaS apps, like Box, Dropbox and Google Drive, because they fill a gap in many healthcare organizations: easy file sharing. The problem with the public versions of these services is that it’s up to the user to control who has access to the files, and it’s quite easy to accidentally configure a file containing protected health information (PHI) to be shared with the entire internet public. Enterprise versions of Box, for example, give administrators the ability to restrict public access, but many healthcare organizations don’t block the free versions.

I wrote a blog post earlier this year on the topic of SaaS security, along with some recommendations for mitigating the risk. Until healthcare organizations provide a sanctioned method for file sharing, both within and external to their organizations, and proactively block unsanctioned file-sharing websites, we are likely to see losses of patient data due to accidental oversharing.
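To make the oversharing risk above concrete, here is an added example (not from the original post) that triages file-share events by link scope, PHI label and whether the app is sanctioned. The CSV layout, the app identifiers, the `phi` label and the sample rows are a constructed, hypothetical export format, not any vendor's real log schema.

```python
import csv
import io

# Constructed sample events in a hypothetical export format.
SAMPLE_EVENTS = """\
timestamp,user,app,file,link_scope,labels
2017-01-09T08:14:00Z,nurse.a,box-enterprise,discharge_summary_0412.pdf,organization,phi
2017-01-09T09:02:00Z,dr.b,dropbox-personal,radiology_batch.zip,public,phi
2017-01-09T09:40:00Z,admin.c,box-enterprise,cafeteria_menu.pdf,public,
2017-01-09T10:05:00Z,dr.d,box-enterprise,patient_roster.xlsx,public,phi
2017-01-09T11:30:00Z,clerk.e,gdrive-personal,shift_schedule.xlsx,specific-people,
2017-01-09T12:10:00Z,dr.f,gdrive-personal,lab_results_q4.csv,specific-people,phi
"""

# Assumption: the organization has approved exactly one file-sharing service.
SANCTIONED_APPS = {"box-enterprise"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}


def triage(event):
    """Return (severity, reasons) for one share event."""
    labels = {label for label in event["labels"].split(";") if label}
    public = event["link_scope"] == "public"
    phi = "phi" in labels
    unsanctioned = event["app"] not in SANCTIONED_APPS

    reasons = []
    if public:
        reasons.append("link is open to anyone on the internet")
    if unsanctioned:
        reasons.append("app is not the sanctioned file-sharing service")

    if phi and public:
        severity = "critical"   # patient data exposed to the internet public
    elif phi and unsanctioned:
        severity = "high"       # patient data outside administrative control
    elif public or unsanctioned:
        severity = "review"     # no PHI label, but the sharing path is risky
    else:
        severity = "ok"
    return severity, reasons


def findings(csv_text):
    """Triage every event and return the non-ok ones, most severe first."""
    results = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        severity, reasons = triage(event)
        if severity != "ok":
            results.append((severity, event["user"], event["app"], event["file"], reasons))
    return sorted(results, key=lambda item: SEVERITY_ORDER[item[0]])


if __name__ == "__main__":
    for severity, user, app, name, reasons in findings(SAMPLE_EVENTS):
        print(f"{severity:8} {user:8} {app:17} {name}: {'; '.join(reasons)}")
```

Note that one of the critical findings comes from the sanctioned enterprise app: approving a service does not help unless its public-link setting is also restricted.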

Long Shots

1. A Cyberattack on a Medical Device Will Cause the First Confirmed Injury to a Patient

Many medical devices used in medical facilities today lack basic security. Often, medical devices lack endpoint protection and regular patching, and run on outdated operating systems, like Windows XP. For these reasons, they are prime targets for malware and cyberattacks.

There has been only one confirmed FDA order to pull a specific medical device out of hospitals. I believe the reason we have only seen one is due to insufficient research on and awareness of the problem.  There hasn’t been much research because medical devices are expensive and there is no financial incentive to perform the sort of security research required to find and fix medical device vulnerabilities.

Attackers motivated by money have used ransomware due to the quick payout and anonymity, but there’s a type of attacker who is in the “I did it because I could” crowd. These adversaries hack for fun. To date there have been no confirmed cases of physical harm to patients due to a cyberattack on a medical device, but I believe that it’s only a matter of time before a bad actor takes advantage of the most vulnerable area of hospital networks – medical devices – and wants to make a statement.

What are your cybersecurity predictions for the healthcare industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for financial services.

 

This article originally appeared on HealthDataManagement.com 

[Palo Alto Networks Research Center]
