TRUST, Can You Put a Price On It?

April 29, 2013

The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise. In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.

The cyber-criminals behind these exploits understand that each cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation. Yet according to the findings, 51 percent of organizations don’t know the most fundamental facts about their own keys and certificates: they don’t know how many keys and certificates the organization has, where they are deployed, what they are protecting, or who has access to them.

It’s not that IT security professionals are simply falling down on the job. In many organizations, policies quite properly require the deployment of keys and certificates for just about every service. As a result, the average enterprise has more than 17,000 of them. No IT staff can manage such a large volume of keys and certificates manually without errors and oversights that completely undermine the supposed value of the mission-critical security and authentication instruments. Yet more than 60 percent of global 2000 organizations do manage their encryption assets manually; we’re talking about spreadsheets that list whatever keys and certificates application admins happen to report and not much more. IT security professionals know things can’t go on like this. Like coal miners listening to the timbers creak and watching the ceilings bulge, they know disaster looms, but their reports to the surface often go unheeded by management.

Too many business executives, locked in yesterday’s security constructs of armed guards, gates and cameras, think of this issue—if they think of it at all—as an annoying management problem for IT security teams to handle. They think the organization is simply losing track of assets that remain intrinsically valuable. They fail to understand that the assets’ value is trust. Lose track of the certificates and keys, and you can no longer trust them. Their value—and the trust that makes all other IT assets valuable—simply evaporates. Worse, compromised assets become liabilities, weapons to be used against the organization.

McAfee recently learned this lesson the hard way. One of their digital certificates was revoked, trust broke down, and Mac users could no longer determine when an application could be trusted or not—to the detriment of the McAfee brand.

The average organization can expect to learn the hard way too:

• The threats are likely—One in five organizations expects failures in key and certificate management to lead to exploits and infiltrations.

• The costs will be high—The average global 2000 organization can expect an estimated US$124 million in cost exposure from a server cryptographic theft incident. And such an incident is just one of the many that could occur.

• It’s already happening—In the last 24 months, organizations have experienced at least one of these trust exploits due to their key and certificate management failures:

• IT security will continue to fall behind, especially in the cloud—The risks of manual key and certificate management will only multiply as businesses continue to seek the benefits of cloud computing.

Most cloud systems, including Amazon’s and Microsoft’s solutions, rely on SSH to establish secure channels through untrusted networks. SSH provides managers with remote root access to a server and its shell services. It also provides servers with such access to each other. This level of access lets the cloud solution do powerful things, but the more power you give admins and computer systems, the more you must trust them.

Yet SSH has no equivalent to a CA to tell systems which SSH keys to trust. IT staff must manage these trust relationships on their own. To ensure the integrity of the system, the staff should rotate keys often; Amazon Web Services recommends a 90-day period.

Already overburdened IT staff must rotate thousands of keys every 90 days. Is that going to happen? Not manually.
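The inventory and rotation problem described above, as an added example that is not part of the original post or the Ponemon report: a small Python check that reconciles the keys actually present in each host's authorized_keys file against a rotation ledger, flagging keys nobody recorded, keys past the 90-day period, keys with no owner comment, and ledger entries that are no longer deployed. Host names, key bytes and dates are constructed placeholders.

```python
import base64
import hashlib
import struct
from datetime import date

ROTATION_DAYS = 90  # the rotation period the post cites

def ssh_string(b: bytes) -> bytes:
    """One length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(b)) + b

def make_key_blob(key_type: str, raw: bytes) -> str:
    """Base64 public-key blob as found in authorized_keys; used here only to build sample input."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw)).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; tolerates an options prefix, skips comments."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed: no key type followed by a blob
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])

def audit(hosts: dict, ledger: dict, today: date = date(2013, 4, 29)):
    """Reconcile deployed keys (host -> authorized_keys text) with the ledger (fingerprint -> last rotation)."""
    seen = {}  # fingerprint -> {"type", "comment", "hosts"}
    for host, text in hosts.items():
        for key_type, blob, comment in parse_authorized_keys(text):
            entry = seen.setdefault(fingerprint(blob), {"type": key_type, "comment": comment, "hosts": []})
            entry["hosts"].append(host)
    findings = {"unknown": [], "rotation_due": [], "no_owner": []}
    for fp, entry in seen.items():
        if fp not in ledger:
            findings["unknown"].append(fp)      # deployed, but nobody recorded it
        elif (today - ledger[fp]).days > ROTATION_DAYS:
            findings["rotation_due"].append(fp)
        if not entry["comment"]:
            findings["no_owner"].append(fp)     # no comment, so no owner to ask
    findings["orphaned"] = sorted(fp for fp in ledger if fp not in seen)  # recorded, no longer deployed
    return seen, findings

# Constructed sample input: two hosts, three keys built from placeholder bytes (not real keys).
KEY_A = make_key_blob("ssh-ed25519", bytes(range(32)))
KEY_B = make_key_blob("ssh-ed25519", bytes(range(32, 64)))
KEY_C = make_key_blob("ssh-ed25519", bytes(range(64, 96)))
SAMPLE_HOSTS = {
    "web-01": f"ssh-ed25519 {KEY_A} alice@corp\n# deploy key\n"
              f'command="/usr/bin/deploy",no-pty ssh-ed25519 {KEY_B} deploy-bot\n',
    "web-02": f"ssh-ed25519 {KEY_A} alice@corp\nssh-ed25519 {KEY_C}\n",
}
SAMPLE_LEDGER = {  # placeholder dates; the third entry was retired but never removed
    fingerprint(KEY_A): date(2013, 1, 2),
    fingerprint(KEY_B): date(2013, 4, 1),
    "SHA256:PLACEHOLDER-retired-key": date(2012, 11, 1),
}
```

Running `audit(SAMPLE_HOSTS, SAMPLE_LEDGER)` reports KEY_A as rotation due (117 days old), KEY_C as unknown and ownerless, and the retired ledger entry as orphaned.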

Trust is the foundation of all relationships: trust between admins and servers, between servers and users, between servers and other servers—and between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, CEOs, CIOs, CISOs and IT security managers must make it their top priority to maintain control over trust by managing keys and certificates. When trust is compromised, business stops.

Our hope is that the Ponemon Institute Cost of Failed Trust Report validates the many IT security professionals who already suspect the risks of losing control of trust and that the report better quantifies the costs for them. We also hope that the report motivates business and IT executives to look beyond the problem toward solutions. You can take action to safeguard the hundreds of millions of dollars at risk: make sure your organization has control over trust by implementing a full key and certificate lifecycle management solution.

Via SecurityWeek


IT Account Monitoring Control with C24

April 29, 2013

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks. It’s a stat we’ll check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered. And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy? A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we recommend as well. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.
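The account-monitoring principle stated above, as an added example that is not Varonis’s software or the SANS control text: a per-account baseline is built from constructed file-access audit lines (accesses per active hour, and the share folders each account has touched), then a detection pass over a later window alerts on accounts with no history, first access to a folder the account never used before, and an hourly access count well above the baseline. Log format, accounts and paths are constructed.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit lines, one file access each: "<ISO time> <account> <action> <path>".
LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|DELETE) (\S+)$")
BASELINE_LOG = """\
2013-04-22T09:05:00 alice READ /shares/finance/Q1.xlsx
2013-04-22T09:40:00 alice WRITE /shares/finance/Q1.xlsx
2013-04-23T10:10:00 alice READ /shares/finance/budget.docx
2013-04-23T10:20:00 alice READ /shares/finance/forecast.xlsx
2013-04-22T09:00:00 bob READ /shares/engineering/design.pdf
2013-04-22T09:30:00 bob WRITE /shares/engineering/design.pdf
"""
# Window to examine: alice bulk-reads finance at 02:00, bob touches a share he has never used.
WINDOW_LOG = "\n".join(
    f"2013-04-29T02:{i:02d}:00 alice READ /shares/finance/file{i}.xlsx" for i in range(15)
) + """
2013-04-29T11:05:00 bob READ /shares/finance/payroll.xlsx
2013-04-29T11:10:00 svc_tmp READ /shares/finance/payroll.xlsx
"""

def parse_events(text):
    """Parse audit lines into (hour bucket, account, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hour = datetime.fromisoformat(m.group(1)).replace(minute=0, second=0)
            events.append((hour, m.group(2), m.group(4)))
    return events

def top_folder(path):
    return "/".join(path.split("/")[:3])  # '/shares/finance/Q1.xlsx' -> '/shares/finance'

def build_baseline(events):
    """Per account: accesses per active hour (mean, stdev) and the folders it has ever touched."""
    hourly, folders = defaultdict(Counter), defaultdict(set)
    for hour, user, path in events:
        hourly[user][hour] += 1
        folders[user].add(top_folder(path))
    return {u: {"mean": statistics.fmean(c.values()), "stdev": statistics.pstdev(c.values()),
                "folders": folders[u]} for u, c in hourly.items()}

def detect(events, baseline, sigma=3.0, min_burst=10):
    """Alerts as (account, reason): no baseline, never-used folder, or an hourly burst."""
    alerts, per_hour = [], defaultdict(Counter)
    for hour, user, path in events:
        per_hour[user][hour] += 1
        prof = baseline.get(user)
        reason = ("account with no access baseline" if prof is None else
                  f"first access to {top_folder(path)}" if top_folder(path) not in prof["folders"] else None)
        if reason and (user, reason) not in alerts:  # one alert per account and reason
            alerts.append((user, reason))
    for user, buckets in per_hour.items():
        if user in baseline:
            prof = baseline[user]
            # Burst threshold: mean + sigma*stdev, floored so a quiet account does not alert on a few reads.
            threshold = max(min_burst, prof["mean"] + sigma * prof["stdev"])
            alerts += [(user, f"{n} accesses in hour {h:%Y-%m-%d %H:%M}, baseline {prof['mean']:.1f}/h")
                       for h, n in sorted(buckets.items()) if n > threshold]
    return alerts

def run():
    return detect(parse_events(WINDOW_LOG), build_baseline(parse_events(BASELINE_LOG)))
```

Only active hours enter the baseline, so the mean describes a typical working hour rather than a 24-hour average; the `min_burst` floor keeps accounts with two or three historical reads from alerting on normal activity.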

Image credit: Paligari


Customer Decision & Big Data: A possible Journey

April 26, 2013

The customer is king. Always, whether in B2B or B2C settings. Much has been written this week on the importance of a customer-centric approach in which B2B organizations need to develop a much deeper understanding of the modern Customer Decision Journey.

Questions have been raised as to whether Multichannel Marketing Mix approaches have been based on the right models and research to measure results.

There is much anticipation around a report to be issued by the Council for Research, which is currently investigating measurement issues related to digital video advertising; that report will in turn form the basis of an Advertising Research Foundation inquiry into the quality of the models.

“We believe it’s important to bring a combination of modeling, information and expertise to decisions,” a P&G spokesman said in a statement to AdAge. “We have clear evidence that marketing-mix modeling, combined with other information and expertise, has helped to improve return on investment of our marketing spending and media buying.”

Besides measurement, what remains key is reaching the customer with a message that limits the risk of ad avoidance, a phenomenon that has been observed to be on the increase lately.

Can big data really improve the customer experience with personalized ads, products and service offerings?

Certainly, big data can say a lot about preferences and even location. But with constantly increasing terabytes of data in structured, semi-structured and unstructured formats, making sense of it all is, to say the least, challenging.

All the more so for businesses that do not have their own platform from which to gather this data, nor the technical tools or analyst expertise to navigate and make sense of data gathered from their websites, blogs and external social platforms.

Some even ask whether Big Data is in reality an opportunity only for big players such as Google.

What do you think?

Thanks to http://moniagalardi.com/2013/04/25/customer-decision-big-data-a-possible-journey/




Dealing with Mobility and BYOD Security Challenges? Start with The Network

April 18, 2013

The topic of mobility and BYOD has become a fairly divisive subject, because of the differing perspectives on how to resolve security challenges for the mobile user. Perspectives on this range from the complexities of dealing with BYOD to a recommendation to keep personal and business devices separate. The fact is, we all have strong affinities for our favorite mobile devices, and just as organizations had to embrace the desire for users to use Macs in the office (remember that controversy?), users are now making their own choices about the mobile devices they use at work. When employees are given the resources to do their jobs in more places, they find better and more productive ways to work.

The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.

While there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.

If you’d like to learn more about mobility and BYOD security challenges, check out my latest SecurityWeek article.


Fujitsu develops next generation technology

April 17, 2013


We’re quickly getting used to the fact that computer, smartphone and tablet screens are meant to be touched — but what about paper?

Fujitsu has developed a technology that detects objects your finger is touching in the real world, effectively turning any surface — a piece of paper, for example — into a touchscreen, DigInfo reports.

“This system doesn’t use any special hardware; it consists of just a device like an ordinary webcam, plus a commercial projector. Its capabilities are achieved by image processing technology,” explains Taichi Murase, a researcher at Fujitsu’s Media Service System Lab.

In a video presentation (above), we see how one can manipulate data on a piece of paper: by using finger gestures, you can copy an image or a text excerpt and store it into memory.

Besides flat surfaces, the technology also works on curved or uneven ones, so one can easily manipulate data from a book.

Though the technology is still at the “demonstration level,” researchers at Fujitsu plan to develop a commercial version of the system by fiscal 2014.

Check out the video above and tell us how you’d use this technology in the comments.

Thanks to mashable.com


5 Questions about Information Governance in 5 Minutes: Who Should Own Information Governance?

April 17, 2013

Interesting video about data governance. This is the second video in our series, “5 Questions about Information Governance in 5 Minutes.” In this video IG experts answer the tricky question, “Who Should Own Information Governance?”

Thanks to http://barclaytblair.com/2013/04/16/5-questions-about-information-governance-in-5-minutes-who-should-own-information-governance/


Buyers of expensive IT security ask why they’re still insecure

April 15, 2013

We do a lot of work for IT security clients and the numbers they share with us about attacks and monetary losses numb the brain. The money spent by corporate America to maintain some semblance of protection and to fend off cyber attacks is astronomical. If you’re reading this, you know what we mean. Still, the attacks and the cost of defending yourself grow unabated. What’s going on here?

One of these clients who does big work for big brands told us recently that a perception of low return on their security dollar has created a growing, board-level frustration and alarm within these companies. “They question the ROI on the hundreds of millions of dollars invested in IT defenses and they have every right to be pissed,” he said. Of course, our clients have a vested interest in encouraging the upgrade of aging defenses so easily overcome by wily, super-smart and well-financed cyber-criminals today.

Computer security is a multi-billion-dollar industry employing some of the most brilliant technologists in the world. They labor relentlessly to stay a step ahead of the bad guys who, just like terrorists, only have to be successful once, while techno-sleuths and defenders must succeed 100% of the time. Yet, even in the breaches that merit the biggest headlines, most of the time the crooks used ridiculously simple methods to break in. In other words, many organizations are overlooking basic precautions even as their security systems grow more complex and expensive. Just like street crime, bad guys prey on victims of opportunity.

Like muggers, cyber-attackers scan for companies that may not be properly utilizing the defenses they have or whose passwords fail the tough-to-guess test. To us in the business of marketing some truly amazing preventive technology, this is an eye-opener. Here’s hoping it opens more corporate-security eyes as well. The chain around the company’s digital assets is only as strong as the weakest link. And the bad guys go straight to it.


CYBERCRIMINALS HACK INTO FACTORY

April 11, 2013

In one of the strangest smart-grid hacker attacks ever, cybercriminals managed to penetrate the thermostats of a state government facility and a manufacturing plant in New Jersey. The Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) made the disclosure in a newsletter published last week. According to ICS-CERT, hackers exploited vulnerabilities in industrial heating systems that were connected to the internet, and then changed the temperature inside the buildings. Both heating systems were found through Shodan, a search engine for internet-connected devices. The attacks took place in early 2012 and used a flaw (later fixed) in Tridium’s building management software.

“This latest attack on Tridium’s building-management software is another example of how hackers are targeting the software supply chain to indirectly compromise the physical and IT infrastructures of businesses. […] In the past, many organizations relied on independent software vendors to test for vulnerabilities in their code base. However, as cyber-attacks increase, we expect organizations to go further and have applications tested by third-party service providers prior to their procurement and deployment,” Torsten George of IT risk management firm Agiliance told Fast Company.

Thanks to http://www.fastcompany.com



Data Retention in the Social Media Era

April 11, 2013

A variety of industry research analysts have indicated that 3 of the top 10 priorities for IT in 2013 will be initiatives focusing on BYOD, cloud computing and business analytics obtained via Social Media. While these initiatives provide clear business benefits, they will challenge data retention and records management policies for most organizations.

BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use. With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.

The Federal Rules of Civil Procedure state that the moment a company receives a legal hold request they must not dispose of data without having a clearly defined and demonstrable retention and disposal policy. These policies cannot be developed and implemented in the midst of litigation as an opposing litigant could claim that destruction of data was intentional, resulting in damages and penalties awarded to the opposition.

In the article, eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses, statistics show that the FRCP rules are being enforced—sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.

While many companies have chosen the pack-rat approach – saving and archiving all of the data they manage, including customer data, personal data, etc. – this approach is not practical due to ever-increasing volumes of data, especially when considering the information generated by mobile devices and social media.

In the event that a company does need to develop a defined retention policy that takes these initiatives into account, their requirements should be part of a larger blueprint for securing their data, linking their retention strategies with governance and accessibility. These 6 steps provide some basic guidelines:

1. Determine the age at which each type of data that has not been accessed would be considered stale – 1 year? 2 years? 5 years?
2. Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
3. Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
4. Automatically archive or delete data that meets your retention guidelines
5. Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
6. Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy
