Eleven Essential Findings from Skyhigh’s Q4 2015 Cloud Report

Our Latest Research Reveals Opportunities and Threats As Business-Critical Data Moves to the Cloud

By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks

Cloud services are now an integral part of corporate life. Companies use, on average, 1,154 cloud services ranging from enterprise-ready services procured by the IT department such as Office 365 to far lesser known and riskier services such as FreakShare. It’s not uncommon for sensitive corporate data to make its way to the cloud, with 15.8% of documents in file sharing services containing some form of sensitive content.

Our latest Cloud Adoption & Risk Report (download a copy here) examines the cloud usage of over 23 million users at companies spanning all major industries worldwide. Across more than 16,000 cloud services, they generate in excess of 2 billion events each day including logins, uploads, edits, shares, deletes, etc. We’ve analyzed this activity and distilled some important facts about how companies are using the cloud today. Here are 11 of the most interesting findings from the report.

15.8% of files in the cloud contain sensitive data
The most common type of sensitive content found in the cloud is confidential data (e.g. financial records, business plans, source code, trading algorithms, etc.) with 7.6% of documents in file sharing services containing this data. Next, 4.3% of documents contain personally identifiable information, 2.3% contain payment data such as credit card numbers, and 1.6% contain protected health information. Sensitive data uploaded to the cloud, in and of itself, is not necessarily a bad thing, but we’ve found that data can be placed at risk if it’s misused internally or shared externally outside of policy.

1,156 files contain the word “password” in the filename
A common theme in recent data breaches is that cyber criminals use compromised passwords to execute attacks. In the Anthem breach, it’s been reported that passwords belonging to five IT employees were used to access sensitive patient data. While it’s recommended users store passwords in a safe place, such as a secure password vault, unencrypted Excel and Word documents uploaded to file sharing services are a poor place to store passwords.

1,753 Excel documents contain the word “salary” in the filename
Recent headline-making data breaches have also involved documents containing employee salaries, Social Security numbers, home addresses, and bank account numbers. Many of these files include the word “salary” or “salaries” in the filename, making it even easier for a cyber criminal to identify them. The average company has 6,097 files containing these keywords in the filename stored in cloud-based file sharing services, and 1,753 are Excel spreadsheets.

File sharing hit an all-time high this quarter
The percentage of files in cloud-based file sharing services that are shared hit an all-time high of 37.2% in Q3. Files can be shared with multiple users inside and outside the company. The most common type of collaboration is with internal users, with 71.6% of shared files shared with individual users within the company. Of shared files, 28.2% are shared with business partners, and 5.4% are visible to anyone with the link. Of the 37.2% of files shared, we’ve broken down who they are shared with here:

9.2% of files shared externally contain sensitive data
Of files in cloud-based file sharing services that are shared externally (with business partners, personal emails, or publicly on the web) 9.2% contain sensitive data, defined as confidential, personal, payment, or health data. While this number is lower than the overall average of all files that contain sensitive data (15.8%), which indicates that users are more selective with what they share externally, these sharing events can expose organizations to risk if data falls into the wrong hands.

File sharing services are a shadow code repo
Despite the popularity of code repositories such as GitHub and SourceForge, users also store files containing code in file sharing services and rely on these services to send large code files to other users. The most common programming languages found in file sharing services include JavaScript, Objective-C, and Python. The average organization has thousands of code-containing files stored in the cloud, and 14.8% of these files are shared externally.
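The three risk signals the findings above rely on (sensitive content categories, risky filename keywords such as “password” and “salary”, and who a file is shared with) can be computed from a file-sharing service's file inventory. The following is an added Python example, not Skyhigh's own tooling; the company and partner domains, the link-share marker, the inventory records and the small content-classification rules are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed values: the company's own domain and its known business partners.
COMPANY_DOMAIN = "example-corp.test"
PARTNER_DOMAINS = {"partner-one.test", "partner-two.test"}
LINK_SHARE = "anyone_with_link"   # assumed marker for "anyone with the link"

FILENAME_KEYWORDS = ("password", "salary", "salaries")
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")

# Deliberately small content rules for the report's categories (assumptions).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                      # personal
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")                     # payment candidate
CONFIDENTIAL_RE = re.compile(r"\b(confidential|source code|business plan)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_categories(text: str) -> set:
    """Return the subset of {confidential, personal, payment} found in text."""
    found = set()
    if CONFIDENTIAL_RE.search(text):
        found.add("confidential")
    if SSN_RE.search(text):
        found.add("personal")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("payment")
    return found


def share_scopes(recipients) -> set:
    """Who a file is shared with, in the report's buckets. One file can sit in
    several buckets at once, which is why the report's percentages overlap."""
    scopes = set()
    for r in recipients:
        if r == LINK_SHARE:
            scopes.add("anyone with the link")
            continue
        domain = r.rsplit("@", 1)[-1].lower()
        if domain == COMPANY_DOMAIN:
            scopes.add("internal")
        elif domain in PARTNER_DOMAINS:
            scopes.add("business partner")
        else:
            scopes.add("personal email")
    return scopes


def pct(part, whole) -> float:
    return round(100.0 * len(part) / len(whole), 1) if whole else 0.0


def scan(inventory) -> dict:
    """Report-style metrics over {name, content, shared_with} records."""
    rows = []
    for f in inventory:
        name = f["name"].lower()
        scopes = share_scopes(f["shared_with"])
        rows.append({
            "name": f["name"],
            "keyword_hit": any(k in name for k in FILENAME_KEYWORDS),
            "excel": name.endswith(EXCEL_EXTENSIONS),
            "categories": sensitive_categories(f["content"]),
            "scopes": scopes,
            "external": bool(scopes - {"internal"}),   # anything beyond internal users
        })
    shared = [r for r in rows if r["scopes"]]
    external = [r for r in rows if r["external"]]
    return {
        "files": len(rows),
        "pct_sensitive": pct([r for r in rows if r["categories"]], rows),
        "pct_shared": pct(shared, rows),
        "scope_counts": Counter(s for r in shared for s in r["scopes"]),
        "pct_external_sensitive": pct([r for r in external if r["categories"]], external),
        "keyword_files": [r["name"] for r in rows if r["keyword_hit"]],
        "keyword_excel": [r["name"] for r in rows if r["keyword_hit"] and r["excel"]],
    }


# Constructed inventory standing in for a file-sharing service's file list.
SAMPLE_INVENTORY = [
    {"name": "Q3 board deck.pptx", "content": "Confidential: FY16 business plan",
     "shared_with": ["cfo@example-corp.test"]},
    {"name": "Team passwords.xlsx", "content": "wiki admin hunter2", "shared_with": []},
    {"name": "Salaries 2015.xlsx", "content": "J. Doe 123-45-6789 grade 7",
     "shared_with": ["hr@example-corp.test", "payroll@partner-one.test"]},
    {"name": "customer refunds.csv", "content": "card 4111 1111 1111 1111 refund 40.00",
     "shared_with": [LINK_SHARE]},
    {"name": "lunch menu.docx", "content": "Tacos on Tuesday",
     "shared_with": ["me@personalmail.test"]},
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed inventory the externally shared files are the salary sheet, the refunds export and the lunch menu, so two of the three carry sensitive data; the keyword rule flags both spreadsheets.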

Data is under siege by internal and external threats
Insider threats, which include both accidental and malicious high-risk user behaviors, occur at least once a month at 89.6% of companies, with the average company experiencing 9.3 incidents per month. On average, companies experience 2.8 privileged user threats per month, which include administrators accessing data they shouldn’t. And, organizations experience 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. A breakdown of companies experiencing at least one insider threat, compromised account, and privileged user threat per month is shown here:


Cloud usage in Q3 grew 38.9% over the same period last year
Cloud usage continues to grow exponentially. The average company in Q3 2015 used 1,154 cloud services, including 174 distinct collaboration services, 61 file sharing services, 57 development services, and 45 content sharing services. The average user actively uses 30 cloud services. On average, organizations upload 14.7 TB of data to the cloud each month, but only 8.1% of cloud services offer enterprise-ready security controls, which is lower than the 9.5% this time last year.

iOS has more apps in use per device, Android users upload more data
The average iOS device accesses 11.05 cloud services, compared with 9.96 for Android, and 6.82 for Windows Phone. Cloud usage on iOS is soaring; it is now 88.1% higher than in the same period last year. Across mobile platforms, cloud usage grew 62.9% in the last 12 months. However, users of Android devices upload over three times more data than the average iOS user.

Cloud usage is surging on Windows and stagnant on the Mac
On average, Windows desktop users use a greater variety of cloud services than users of any other platform. The average Windows device accesses 18.3 cloud services, an increase of 47.6% in the last 12 months. Today, Windows devices on average access 77.7% more cloud services than Mac devices.


Enterprise cloud services account for 72.9% of cloud usage
A common misconception among corporate IT departments is that the bulk of their cloud usage is made up of employees accessing consumer apps. However, we found the opposite is true. On average, 72.9% of the cloud services in use by a company are defined as enterprise cloud services and 71.8% of data uploaded to the cloud went to these services. Not all of these apps are approved, and companies can reduce their risk by migrating to enterprise-ready services. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have robust security controls than the average enterprise cloud service (85% vs 9.9%).

[Cloud Security Alliance Blog]


Five Tips for Not Becoming an Insider Threat

Most employees are honest, trustworthy people who would not steal from their employer or intentionally take sensitive, private information from their job and sell it. But many well-meaning employees are taken advantage of by attackers to steal data, and it can cost their employer (and customers) millions.

Unintentional insider threats can cost a U.S. company as much as $1.5 million, according to a report from the Ponemon Institute. The Verizon 2015 Data Breach Investigations Report noted that most of the thousands of data breaches and security incidents studied involved stolen user credentials.

This predicament is understandable – most employees don’t fully understand the importance of the role they play in ensuring the security of their organization – but there are simple measures everyone can take to ensure they don’t become the open door into the network. Here are five tips on how not to become an insider threat:

Be mindful of devices with company data on them
It’s a new world out there, and most of us have some sort of company data on portable devices. Whether you get work-related emails on your smartphone, use company laptops out of the office, access cloud-based IT solutions or just log into company systems remotely, be careful not to let this information fall into the wrong hands.

Try not to store unnecessary sensitive data on your mobile devices, and be wary of what external networks you connect to. Malware can be used to steal login credentials or compromise the corporate network if you return to the office with the infected device.

Lastly, don’t forget devices can be stolen or lost. Keep track of your devices, promptly report any lost or stolen device containing company data to your IT group, and protect your devices with a password and secure them, which leads to the next tip.

Encrypt data at rest
Most people only think about encryption when they are transferring data to a third party, but data that is sitting unused in storage is also at risk. From the perspective of an employee, this most often takes place when sensitive items are stored on mobile devices, personal computers or data storage devices such as external hard drives and thumb drives.

Encryption ensures that even if data falls into someone else’s hands, they won’t be able to access it. Most phones and mobile devices have the ability to encrypt data stored on them. Here is some information on encrypting iOS and Android devices.

Encrypting external hard drives and thumb drives is a little more difficult. Though there are several third-party applications to encrypt storage drives, if you are running Windows Vista or later, Microsoft BitLocker is a good solution. For more information on BitLocker and installation instructions, click here.

Of course, the effectiveness of encryption is highly dependent upon the strength of the key and the key management processes…

Use good password practices
You wouldn’t put your valuables in a safe but leave the door open, would you? Likewise, you wouldn’t use the same key for your car, safe, safety deposit box, etc. Your sensitive data is only as safe as the password you use to protect it.

You should use passwords that are at least 10 characters long, though the longer the better, with complexity: it should contain a mixture of uppercase, lowercase and special characters as well as numerals. Change your password often, and use a unique password for every site, system and application. If you use only one password for everything and a website you use suffers a data breach that includes user passwords, all of your accounts are as good as compromised.

Of course, it is difficult to memorize and manage so many unique passwords, but there is a solution. You can use secure password managers to generate unique passwords and keep track of them, requiring you to remember only the one password used to secure the manager. You can also employ two-factor authentication for your most sensitive accounts (your password vault, for example), which will require you to input a one-time code that is sent to your phone every time you log in, drastically reducing the likelihood of compromise.

For more information on using secure password managers and two-factor authentication, click here.

Beware of social engineering
“Social engineering” is just a fancy way of saying an attacker utilizes tactics from traditional scams in conjunction with a cyber-attack, and it is a common practice. Social engineering attacks the human component of the security system. The most common example of this today is phishing, in which an attacker crafts an email that appears legitimate but aims to trick the recipient into divulging sensitive details such as passwords or installing malware on their machine. A more targeted approach is called “spear phishing”, wherein the attacker creates an email targeting a specific person, perhaps even you.

Very few of us are truly “off the grid”; we all have information available about us online. In a matter of minutes, an attacker can find out what you do and discover your workplace responsibilities. They can then use that information against you. For instance, an attacker may identify a company’s CEO or other C-level executive and then send a fraudulent email that appears to be from that CEO to you, a company finance manager. The attacker claims they need an urgent wire transfer to close a deal or secure a service. The wire information will likely contain a legitimate vendor but a fake SWIFT code that routes the money to the criminal. Most people don’t question emails that appear to come from a company executive, or another associate, but that mistake could cost your company thousands or even millions.

Social engineering doesn’t have to be digital. Some of the largest breaches over the past few years involved an attacker, posing as a member of IT or another organization insider, using the telephone to speak with a company employee and convincing them to divulge passwords and other access information. Legitimate IT support staff will never ask you to divulge your passwords! Be wary of strange phone calls. If someone seems suspicious, clear it with a company security professional before you give them any information, or hang up and call the person back on an official company phone number.

Ensure you don’t have unnecessary access privileges
This may sound like a strange tip, but most employees don’t need access to every resource on their company’s network, and limiting access to sensitive systems to only those who need it can drastically reduce the reach of a potential data breach. This is called the “principle of least privilege.”

Though access privileges are typically managed by IT Security, they do not always know everything different employees need access to, and maintaining proper access control can be difficult. If you discover you have access to data or systems that you don’t require as part of your job, you should notify your organization’s security team. This is especially true if the data or systems contain sensitive information such as customer payment information or personally identifiable information (PII).

While there is no cyber security “silver bullet” to prevent breaches, remaining aware of common security practices can help prevent attackers from using you as a way into your employer’s network. Just like you brush your teeth every morning, these practices are essential to maintaining your “cyber security hygiene.”

Andrew Wild, Chief Information Security Officer, Lancope

This post is part of a series for National Cyber Security Awareness Month, which aims to educate Internet users on how to stay safe online.

[Cloud Security Alliance Blog]

Consumer IoT Security Impacts

Within the CSA Internet of Things (IoT) Working Group, we are researching various topics related to securing IoT implementations within an enterprise. One of the more interesting aspects to consider on this subject is the role that consumer IoT devices play in regards to enterprise security.

News of exploits against consumer IoT devices is common, and research into vulnerabilities related to poor development and configuration choices continues. Rapid7 recently published a significant research report on baby monitor exposure and vulnerabilities, which showed that many leading brands are still highly vulnerable. Download their report.

Another interesting aspect of consumer IoT security is the apparent inability to rely upon the consumer to safeguard the underlying network that IoT devices use to communicate. Consumers are often proponents of usability over security, and in the past some consumer IoT device makers have purposefully chosen to value usability over security. This is somewhat understandable, as most people would prefer not to have to configure unique security credentials for each IoT device that operates within their home. Of concern though is that adding new (non-secure) points of connection into the home provides an ability for malicious parties to gain access to other computing resources in the home – potentially leaving sensitive data such as passwords exposed. This is concerning for an enterprise security practitioner because many people choose to use the same passwords to protect both corporate and personal information and application access.

It is also interesting that consumer IoT devices do not always stay within the home. A report this year by OpenDNS provided a great deal of data showing that IoT devices, or the associated applications installed on staff computers, were often found communicating with services over the internet from the corporate network. In some cases, smart TVs were brought into the enterprise, and these devices were pre-configured to talk with service addresses/ports on the internet. In other cases, fitness trackers were associated with applications that were loaded onto laptops or mobile phones, and then those applications began communicating with the manufacturer through the corporate network. Read the OpenDNS report.

At this point, education is likely the best defense against the exposures that consumer IoT devices introduce to the enterprise. Security staff should be educated to identify when inappropriate devices and software are being used on the network, and all staff should be educated on the need to secure their connected home systems as part of a larger effort to keep data secure.

Join the CSA IoT Working Group.

By Brian Russell, Co-Chair, CSA IoT Working Group
Brian Russell is the Chief Engineer/CyberSecurity for Leidos.

[Cloud Security Alliance Blog]

The Definition of Cloud Computing

What is the cloud and why should I go there?
The transition to cloud services offers major opportunities for your organisation. Significant scalability, flexibility and cost-efficiency can all be achieved through the adoption of cloud-based solutions. Migrating to the cloud can be a scary prospect for many organizations. In fact, the question is often asked: What actually is cloud computing, and why do I need to go there? Drawing on our consultants’ wealth of knowledge, we have put together a comprehensive definition of cloud computing, outlining how to get the best out of this new technology.

Cloud Computing Defined
On Demand Self Service
At the touch of a button your cloud environment should be there for you. For example, if your IT team were to come under pressure to add or change software, platforms or infrastructure and make them available to your users, they should be able to make these additions instantly. It is an environment that is provisioned on demand, with instant access.

Ubiquitous Network Access
This is the beauty of cloud – you can access it from anywhere via the Internet. You don’t need any specialized ingress point into your environment; it’s readily accessible for anyone with Internet access. You can access it anytime, from anywhere. This benefit is crucial to all aspects of your organization. All your team needs is an Internet connection and they can log in and use all their enterprise applications and systems, including all their data and resources from any location. This can be vital for remote workers, such as salespeople on the road who are trying to close that quarter-defining sale.

There are risks with this of course; companies need to keep control of who has access to the cloud and what data they are able to access. The benefits that come from having ease of access also create risks. Our experts regularly work with organizations to define the criticality of their data and then categorize it, based on their requirements. It’s important to apply controls to your environment to ensure the right people are accessing the right data.

Location Transparent Resource Pooling
The cloud allows you to pool your resources, so an organization can exploit its assets 24 hours a day. By pooling your resources in a cloud you can utilize your software, platforms and infrastructure through shared services, allowing your users to get the most out of your assets. Pooling strategies include the likes of data storage services, processing services and bandwidth provision services. This provides huge economies of scale for organisations and provides the means to really embrace the global office. As your workforce shuts down for the day on one side of the world, your team on the other side can get up and continue working from the same platforms, applications and infrastructure. The cloud allows you to sweat your assets from anywhere.

Rapid Elasticity
The beauty of being in the cloud is the ability to scale up and scale down your infrastructure at a moment’s notice. The ability to auto-scale in the cloud eliminates much of the risk associated with scoping requirements for technology projects. With traditional environments on premise, if you under-scope the design for an environment and the demands on it prove higher than expected, you lose revenue. Conversely, if you over-scope and sales are lower than expected, you increase costs unnecessarily. The ability to scale your infrastructure at will allows you to design environments with a degree of confidence not available with traditional models.

Once again, this benefit comes with its own risks. It’s imperative that this is monitored on a regular basis. The ease of scaling up and down environments brings financial rewards but also heightens the risk. If an environment is scaled up to meet peak demand and left as such when it’s not needed, this can have negative implications.

Proper, consistent management of this service is the key to success.

Measured Pay Per Use
When in the cloud, you only pay for what you use. This means you can offset your operational savings against your capital expenditure and truly reap the financial benefits. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. In addition, this allows for a much more predictable and closely-controlled method of financial accounting, moving from Cap-Ex to Op-Ex budgeting.

Ross Spelman, Group Technical Services Manager, Espion

[Cloud Security Alliance Blog]

Three Ways to Improve Your Personal Cyber Safety

For National Cyber Security Awareness month there are a couple of relatively easy-to-do things that I highly recommend if you want to improve your personal cyber safety. These important protections are easily available but not well documented.

One of the biggest cyber security problems impacting users today is the reuse of easy-to-guess passwords across multiple sites. All it takes is for one site to be compromised and the hackers can then use your password to log into others. This process is often automated and run against all sites. To help combat that, ensure that you have a *unique* password for each site. No one can remember multiple unique complex passwords, so invest in using a tool like RoboForm or 1Password to manage these passwords and keep them safe. Once you have installed a good password manager, go back to each site you use and replace your common password of “petname123” and let the password manager create a long and complex password for you like “yott2&uv0ugs7.” Save that password and go on to change the next one. Set a complex password that you DO remember for your password manager. It’s only one and it can be recalled from memory.

Don’t be afraid of the cloud! Losing all of your newly-created complex passwords to a hard drive crash would be a terrible loss. Make sure you sync your password file in the cloud to be able to access them across multiple devices (phones, tablets, laptops) and always have a backup. RoboForm has its own cloud storage built in and 1Password uses Dropbox or iCloud. Your passwords are encrypted with AES encryption, so even if someone somehow broke into the cloud provider and stole your password list, they cannot decrypt your passwords without the one complex password you committed to memory.

The next step to ensure you won’t be an easy victim is to set up two-factor authentication for some sites that are more important to your personal cyber security like Gmail, eBay and PayPal.

Gmail
You may not have thought about it, but your personal Gmail account ties many things together. For example if you use Gmail as your email address for your Amazon account, if someone hacks your Gmail they can force a password change to access your Amazon account. Similarly, your bank and many other systems may use your email as a way to allow for password resets.

Criminals can also use your Gmail account to send out legitimate looking email requests for emergency help to all the people in your address book like the email below:

Hi,

How you doing? I made a trip to London (United Kingdom) unannounced some days back, Unfortunately i got mugged at gun point last night! All cash, Credit card and phone were stolen, i got messed up in another country, stranded in London, fortunately passport was back in our hotel room. It was a bitter experience and i was hurt on my right hand, but would be fine. I am sending you this message cos i don’t want anyone to panic, i want you to keep it that way for now!

My return flight leaves in a few hours but Im having troubles sorting out the hotel bills, wondering if you could loan me some money to sort out the hotel bills and also take a cab to the airport about ($1,550). I have been to the police and embassy here, but they aren’t helping issues, I have limited means of getting out of here, i have canceled my credit cards already and made a police report, I wont get a new credit card number till I get back home! So I could really use your help.

You can contact the hotel management through this telephone number (+449444045232), you could wire whatever you can spare to my name and hotel address via Western union:

Name: John Hastings
Location: 201 Bunaby Street, Chelsea,
Greater London
SW10 0PL.
United Kingdom

Your Gmail account plays an important part in your overall internet safety. It is very important you set a strong password and enable two-factor authentication. Here is how to do it:

  • Log in to your Gmail account, then go to the following URL
    https://www.google.com/landing/2step/
  • Click on “Get Started” then “Start Setup.” Enter the number for your phone and verify the number by entering the numeric code that Google sends to the phone by either text message or voice call.

  • You can also choose to use the smart phone app Google Authenticator, which you would register through the same wizard shown above. To install Google Authenticator click here for iOS or here for Android. Either way works and will stop people from easily taking over your personal email (and of course your online identity!).

PayPal and eBay
If you use either of these services, they are high-value target accounts for crime. PayPal is especially problematic as it links directly (in most cases) to your bank account. eBay accounts, on the other hand, are often hijacked then used fraudulently to sell nonexistent items, leaving the account owner to work out the mess. I highly recommend you protect yourself by setting up two-factor authentication for both accounts.

Setup instructions for PayPal:

Go to https://www.paypal.com/us/cgi-bin/webscr?cmd=_register-security-key-mobile

This will give you the option to set up a secondary authentication method. You have three choices. The first: pay a small amount and they will ship you a small fob that will provide one-time passwords to use as a secondary authentication for your account (i.e. a hacker can’t get into your account by just guessing your password or resetting it). The second choice is a more convenient one if you have a smartphone: you can download the Symantec VIP Access program for smartphones. Or, third, you can just have PayPal send messages to your mobile like we did with Gmail.

When you get the token software installed on your smartphone, authenticate it to your PayPal account and register its unique ID. Now when anyone wants to use your PayPal account, they will have to have both your username and password and the one-time token password your phone or fob would generate. Note: you can also tie this token to your eBay account.

There was a lot of work to do to get to this stage. It is unfortunate that this process is obscure and not built-in or easier to enable. I am sorry to say that there is one more step if you use Gmail with any applications that auto-check email. I have several, such as the Microsoft Outlook client for Mac. These applications do the authentication automatically. For convenience, with only a small security risk, I can use Gmail to set up application- or device-specific passwords. These fixed passwords can ONLY be used by the same app on the same device. You can do this by editing the “authorizing applications & sites” button in the Gmail account settings.

When you click edit, it will force another authentication then allow you to set up, manage and track application-specific passwords.

So that’s it. I wish it was easier, but these are a couple of steps that can make your internet identity much harder to abuse.

Gavin Reid, Vice President/Threat Intelligence, Lancope

[Cloud Security Alliance Blog]
