What's More Valuable Than Money?

Data. However, the value placed on different types of data is shifting

While cybercriminals were once clamoring for your payment data, today they are much more interested in other types of information. And of course, it's all about the money.

Stolen credit-card accounts available on the "deep Web" are selling for 22 cents per record. Netflix account information, on the other hand, averages 76 cents per account. But the real deal is Facebook. A cybercriminal with stolen Facebook  account information averages $3.02 for each one he sells. Uber accounts are even more valuable, bringing in $3.78 per account!

Change your passwords often, use strong ones and never use the same password more than once. If that's not realistic for you, use different passwords for your social and financial accounts. 

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

• 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
• 63 percent said that a separate risk committee on the board oversaw risks.
• 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren't doing this.
• 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
• Of this 30 percent, less than half actually use it to supply limits to the board and management.
• The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
• And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
• 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
• 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
• 53 percent want more understanding of newer risks like cyber security issues.
• Senior execs want the board to have more training in overseeing the risk appetite and related issues.
• 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
• Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Four "Basic" Ways To Protect Company Data

Breach at Target appears to have started with a malware-infected email!

Target Corp. and other large retailers have made the news due to data breaches, but businesses of all sizes need to make sure they have up-to-date policies and procedures to protect private data.

The breaches at Target highlight how important it is for organizations to know how secure their networks are?

Here are four measures businesses should take to ensure their data stays private.

• One obvious way is to make sure your business' security software is up to date and working "to make sure you don't leave holes in your technology.

• Do you have policies and procedures in place for how employees interact with the business' server and network? Such measures include making sure employees have strong passwords for their computers and other devices, keeping their machines updated with the latest anti-virus protection and providing them with general awareness on things to watch out for, such as phishing messages (scams that ask people to give out personal information or prompt a person to click on a link that will infect their computer with malware).

• Make sure that employees have safeguards on the personal devices they use to connect to the company's network.

• Don't forget security measures for paper records.

XSS For Managers

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of vulnerability which is very widespread and allows an attacker to insert malicious code (JavaScript) into your web browser via the use of a vulnerable web application. The attacker can deliver their malicious code in a number of different ways.

They can trick you into clicking on a link (Reflected XSS), or wait for you to visit a page which already has the malicious code embedded into it (Stored or Persistent XSS).

That annoying pop-up box with the number 1 in it? That's just a way that some people visually prove that their JavaScript (XSS) has been run. But don't let that lousy pop-up box fool you, there is a lot more to XSS than that!

What can hackers do with XSS?

• A hacker may be able to steal your 'cookies' and login to the application as if they were you!
• They may be able to redirect you to a malicious web site without you knowing in an attempt to trick you into giving away sensitive information such as your bank details.
• They could add fake login pages to the vulnerable application to trick you into giving them your username and password.
• They could even use XSS to bypass other security measures which are built into the application and your web browser to protect you.
• The possibilities are almost limitless. Take over your webcam? Yep! Listen in on your computer's microphone?

For advanced attacks see the The Browser Exploitation Framework (BeEF) tool.

Who's been hacked using XSS?

• The Apache Foundation, the creators and maintainers of one of the most popular web server software on the Internet had their servers compromised by an initial XSS attack.
• An XSS attack on the official forum of the popular Linux Operating System, Ubuntu, allowed the attackers to download the usernames, email addresses and passwords for 1.82 million of their users.
• XSS attacks typically target the application's users and their local networks; however, as seen in the examples above, when those users are administrative users the application's web servers are also at risk.
• XSS vulnerabilities are discovered within Facebook, Yahoo, Google, Twitter and other high profile websites on a daily basis by independent security researchers participating in bug bounties.

Here is a list of other hacks using XSS -https://www.google.com/fusiontables/DataSource?snapid=S1158702BBoV

What can I do to protect myself against XSS?

• Make sure that your web browser is kept up to date and that it has all of its security features enabled, such as Cross-Site Scripting (XSS) filtering. If your particular browser does not have an XSS filter, like Firefox, then you can download an XSS filter add-on called NoScript.
• Be careful about what links you click on. A link may look harmless enough, but may contain malicious XSS payloads.
• Log out of web sites when you are finished with them, this makes it harder for hackers to steal your 'cookies'.

The technical bit! What can I do to protect my web application against XSS?

• Cross-Site Scripting occurs when untrusted input is output to a page without first being sanitised and/or properly encoded. For example, if a user supplies their username to login and then you display that username without sanitising and/or encoding it, what happens if the username contains HTML characters?
  
  The web browser will not be able to tell the difference between the user's username and what is the page's valid HTML. Data (the username) is being mixed with code (the HTML)! This could allow a user to login with a username that contains malicious JavaScript and have it execute in the browser within the context of your web application.
  
• Make sure that you sanitise the username before using it, for example, if users should only have alpha numeric characters in their usernames then enforce this with input sanitisation. Use a whitelist! Compare the username against known goods instead of known bads.
  
• Use the right encoding! If the username is going to be used within HTML, then HTML encode all of the username's characters.
  
  This way the browser will know what is meant to be rendered as HTML and what is not. It's not all about HTML encoding though! You must encode for the right output 'context'. See the links below for further information.
  
• Scan your applications for XSS issues. There are many automated web application security scanners which can detect XSS issues in web applications. You could try giving the Open Source OWASP ZAP a go.
  
• Set your session cookies with the HttpOnly flag. This tells the browser that the cookie should not be accessed by JavaScript, helping protect your users from having their sessions stolen.
  
• A HTTP header called Content Security Policy (CSP) can be set by the web server to tell the web browser what and where JavaScript is allowed to be executed from. It uses a whitelist!
  
• Finally, why not install a Web Application Firewall (WAF) such as the Open Source mod_security! A WAF will give your application that extra layer of defence to defend against those attackers but should be used in a defense in depth scenario and not as the only solution as bypasses are found often.

Where can I find further information?

The two types of XSS mentioned on this page (Reflected and Stored) are not the only two! We have only touched upon the subject here. Want to find out more?

The Open Web Application Security Project (OWASP) is a great resource for all things related to the security of web applications. Check out their wiki article on XSS or their XSS Prevention Cheat Sheet. For information on other types of web application vulnerabilities take a look at the OWASP Top 10.

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

The six threats identified as major concerns headed into 2014, ISF emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.

Six: BYO

Trends Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?. When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts,. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.

One: The Internet of Things 

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately." 

10 defenses against smartphone theft

Thieves see mobile phones as easy cash. Take these 10 steps to defend yourself

10) Use security applications

Android phones and iPhones both come with security software. But that doesn't mean the software is active, or that third-party software might not help even more. If you have an Android phone, make sure you're using Android Device Manager or a third-party security software such as Lookout Security & Antivirus. If you have an iPhone, make sure Find My iPhone has been set up and activated.

9) Use a strong password

Too many people just give up when it comes to passwords, access codes, and PINs. They pick something such as "password" or "qwerty" or "1234." Raise the level of your game: Come up with a functional password generation recipe, then apply it to your devices and websites. You don't need a password manager. This is not rocket science.

8) Keep phone data handy

Write down your phone model number, serial number, and International Mobile Equipment Identifier (IMEI). If your phone gets stolen, you'll want these numbers (along with your mobile carrier's support phone number) to help your carrier place your IMEI number on the GSMA IMEI blacklist. You can find your IMEI number in most phone settings menus by dialing *#06#, or by checking the battery compartment, if accessible.

7) Be aware of your surroundings

We've all seen them. People who meander down the sidewalk, staring at their phones, forcing others to take evasive action to avoid a collision. People chatting on phones oblivious to those nearby. People who set their phones down on cafe tables or on public transit seats. People who let their phones dangle from purse or pocket. Don't be one of these people.

6) React quickly if your phone is stolen

Report the theft to the local police. This will allow police to check websites that might be trying to unload your stolen phone and will provide you with a police report in case you want to make an insurance claim. Report the theft to your mobile carrier, so your phone service can be suspended and the phone's identifier can be blacklisted. Activate any applicable security software such as Find My iPhone or Lookout. You might also want to change your phone and app passwords, in case the thief was able to login and access some of the services you use through stored passwords. If you're really lucky, your phone's security software will help you recover your device.

5) Choose your phone to match your security expertise

Google executive chairman Eric Schmidt recently insisted that Android phones are more secure than Apple's iPhone. That might be true if you're talking about recent-model Android phones with the Android 4.4 "KitKat" operating system. But security experts scoff at Schmidt's claim. The reality is that the majority of mobile malware affects Android devices.

In August, the FBI and DHS issued a report that found 79 percent of mobile malware affected Android devices, 19 percent affected Symbian devices, and less than 1 percent affected BlackBerry, iOS, or Windows Phone devices. Android's troubles largely arise from the fact that as many as 44 percent of Android users worldwide rely on Android versions 2.3.3 to 2.3.7, which have known vulnerabilities.

So although it's possible to run Android securely, it requires more diligence. Choose BlackBerry, iOS, or Windows Phone if you don't want to be proactive about security. Choose Android if you require the flexibility of a more-open ecosystem and are comfortable with the responsibility.

4) Choose your WiFi network carefully

Just because a WiFi network is visible and accessible doesn't mean it's safe. Use secure WiFi networks when possible. When there's no other option, avoid doing anything that involves authentication if you can. You never know who might be listening or intercepting unprotected network traffic.

3) Choose your apps and websites carefully

User behavior represents a major source of insecurity. If you can avoid downloading sketchy apps and visiting suspect websites, you will reduce your chances of acquiring malware. Security firm Trend Micro says it has analyzed 3.7 million Android apps and updates, and found 18 percent to be malicious, with an additional 13 percent categorized as high risk. Almost half of the malicious apps (46 percent) were acquired from Google Play, the company says.

2) Don't buy phone insurance

If the mobile carriers really are fighting pre-installed security software to sustain revenue from insurance premiums, you can fight back by refusing to participate. Carrying your expensive smartphone without an insurance net should also encourage you to guard your phone more carefully. Of course, you'll be wishing you had insurance when your phone slips from your pocket and fracture lines spread across the touchscreen.

1) Leave your phone at home

It's easier said than done. But you can't lose what you don't have. Shocking though it may be, people used to get by without mobile phones. Try it once in while, if only to highlight your device addiction.

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute

Industrial control systems continue to draw scrutiny as the risks involved in preserving aging IT infrastructures continue to escalate. Mission-critical systems in everything from manufacturing facilities to public utilities have shown to be easily breached and highly vulnerable.

A new Ponemon Institute survey, however, found that security efforts in the sector are ramping up: 51% use formal risk assessments to identify security risks – which is higher than the broader enterprise average.

Also, the survey found a majority (86%) believe that minimizing noncompliance with laws and regulations helps meet certain business objectives – and that’s also 5% higher than the average.

Risk-based security is coming onto the radar screen too: 43% measure the reduction in unplanned system downtime to assess the effectiveness of cost-containment management efforts, differing from survey average of 38%. And about half (52%) listed the “flow of upstream communications” as one of the top three features most critical to the success of a risk-based security management approach – an 8% increase over the survey average of 46%.

Even so, this is not enough to protect ICS systems against determined attackers. For instance, only 56% listed an “openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach – and this is 6% lower than the survey average of 62%.

Further, It is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability. But in this regard though, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security.

Only 40% have fully or partially deployed security configuration management, differing from the survey average of 49%, and 75% have fully or partially deployed system hardening, which is 5% lower than the survey average of 80%.

When it comes to organizational culture, security still has a long way to go to permeating the business.

Most ICS respondents (69%) said security communications are contained in only one department or line of business, differing from the survey average of 63%. And 67% said security communications occur at too low a level, differing from the survey average of 62% – indicating needed oversight from the C-level is generally lacking.

Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level. Security risks must be considered in context with overall business risk or the entire organization’s success will be in jeopardy.

Kaspersky Lab 2013 Global Corporate IT Security Risks

34% of respondents ranked protection from incidents as the top priority

Kaspersky Lab, in partnership with research company B2B International, conducts regular surveys focusing on the key IT security issues and cyber threats which worry businesses.

The survey aimed to find out what representatives of these companies thought of corporate security solutions, to ascertain their level of knowledge about cyber threats, what cyber security related problems they most often face, how they address these problems and what they expect in the future.

2013 Kaspersky Lab and B2B International survey results provided below reflect the opinions of companies on key issues related to the security of the corporate IT infrastructure.

They also reflect the changes that have taken place since the previous two studies. Comparing current and historical data helps to identify and analyze existing trends in this area, ultimately creating a complete and, we believe, objective picture of the threat landscape, as well as future problems and trends affecting corporate IT security.

Main Findings

According to the survey results, one of the major problems facing businesses is the creation of a clear IT infrastructure development strategy with an information security strategy at its heart.

Companies are increasingly determined to secure their IT infrastructure in the light of increasing numbers of incidents – and significant financial losses associated with them. The main findings of the survey are:

• Maintaining information security is the main issue faced by a company’s IT management.
• In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
• A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages at about $50,000.
• A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
• For a medium-sized or small company, a targeted attack can mean about $92,000 in damages – almost twice as much as an average attack.
• A significant proportion of incidents resulting in the loss of valuable data were internal, caused by issues such as unclosed vulnerabilities in software used by the company, intentional or negligent actions of employees or the loss or theft of mobile devices.
• Personal mobile devices used for work-related purposes remain one of the main hazards for businesses: 65% of those surveyed saw a threat in the Bring Your Own Device policy.
• Information leaks committed using mobile devices – intentionally or accidentally – constitute the main internal threat that companies are concerned about for the future.

For the full report in PDF format, click here.

How and why the Chief Information Security Officer role is evolving?

A new standard for security leadership

How can security leaders help achieve business objectives?

Am I doing enough to protect our enterprise?

How can I measure success?

These questions come up time and time again for Chief Information Security Officers (CISOs) and other security leaders. Just as technology constantly evolves and threats shift, the needs of the business change with regards to security and risk. Security leaders have to constantly reassess, adjust, and improve their skills. Those with the right combination of business practices, technology maturity and measurement capabilities are evolving into more versatile security leaders.

Download full graphic version from here.

Collaboration among various sectors is must for protection against cyber-attacks

Information sharing can facilitate, the more effective fighting efforts against cyber-attacks

Sharing information about cyber-attacks is making a difference in the banking sector, helping bring criminals to justice and curbing fraud losses. And other sectors should learn from banking's example.

It's important for information security professionals to continue their efforts to get senior executives to buy in to the need for cross-industry collaboration. Informal sharing of cyber-intelligence has for years been a common practice among cybersecurity warriors in the trenches.

This type of information sharing, however, often has gone on in the background without the knowledge of upper management. That's because many executives are fearful of revealing too much or sharing with competitors their security vulnerabilities. But that attitude is, slowing but surely, changing.

What's more, the intelligence the financial industry has gathered over the last 12 months about al-Qassam and other attackers was shared with law enforcement, government and others. In fact, much of the information federal investigators gather about cyber-espionage and cyber-attacks comes from the financial sector first.

Those kind of partnerships are needed in other industry sectors as well. Cyber-attacks affect numerous industries, from hospitality and retail to healthcare and government. The more information sharing these sectors can facilitate, the more effective fraud-fighting efforts will be.

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and to protect the organization from threats

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. It provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.

Summary

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about.

Cybersecurity is a never-ending Tom and Jerry cartoon

The Coming Wave of Security Startups

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants. Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved.

The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete. As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups.

Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing.

According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars. Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years. Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date.

Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks. The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products.

Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source. These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices. Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage.

Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like that one German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups.

For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDOS attacks. Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

10 easyways to reduce security headaches in a BYOD world

How you can improve security "Old School style" in a BYOD World?

Security is a huge concern when it comes to BYOD. Here are several steps you can take to protect your network and keep your organization's data safe. 

You're about to officially allow Bring Your Own Device (BYOD) in your organization. Understandably, you're concerned with the security of your network and data. With all those unknown variables entering the mix, how will you safeguard your company and keep sensitive data from falling into the wrong hands?

To put your mind at ease, you need to tackle BYOD with an eye toward security. This means policies and plans must be put into place. With BYOD, you can't always think in the same way you do with standard networking. Here are 10 ideas that might help you get through this transition.

1: Secure your data
Before you allow any non-company devices onto your network, you need to make sure your data is secure. This should go without saying, but if you have sensitive data on open shares, you're asking for trouble. Every network administrator must know the company's data is secure. But if you are about to open the floodgates to BYOD, this must be a priority.

2: Tighten your network security
Just as you've secured your data, you must make sure your network security is rock solid. Do not rely on Windows Firewall to secure your data -- you need to deploy an actual, dedicated device (such as SonicWALL, Cisco, or Fortinet) to handle network security. Pay close attention to making sure the outside world is carefully locked out of your network. With all of those new devices coming in -- and the possible security holes they can create -- you must make sure you have a solid network security plan in place.

3: Implement a BYOD antivirus/anti-malware policy
Any device running an operating system that is susceptible to viruses must be running a company-approved antivirus solution. For devices that do not run a vulnerable platform (Android, IOS, Linux), make sure those users are not passing along suspect files to fellow workers (or customers). To that end, you can still require these users to install and use an antivirus solution to check all outgoing files for signs of infection.

4: Mandate encryption
If your BYOD users will be sharing data from outside your secured LAN, you should require them to use some form of encryption. This might mean any application that stores data on the device will require its own password to gain access to that data (this is on top of the device password). Also, if users are storing company passwords on the device, those passwords must be protected under a layer of encryption.

5: Take advantage of mobile application management (MAM)
You have to know what applications are being used on your network. This doesn't mean you have to prevent users from accessing Facebook or playing games (that's your call, of course). But you must make sure any application being used isn't a threat to the security of your company data. Some devices, like Android, allow you to side-load applications, so any application not on the Google Play Store can be installed. You want to make sure one of your employees isn't inadvertently letting a sniffer or port scanner loose on your network.

6: Require apps like Divide
There are apps out there, like Divide, that do a great job of placing a barrier between your personal and work data. In fact, Divide provides completely separate desktops, so the user can make no mistake. Gaining access to the business side of Divide requires a password -- as well as simply knowing how to gain access to that (mostly) obfuscated desktop.

7: Require multi-layered password protection

You must require all devices to be password protected. But just having a single password to gain access to the device isn't enough. Any application, folder, or file that houses company data must also be password protected. Though it might be an inconvenience, the more password protection those mobile devices have, the safer your data will be. At the same time, you should make sure that users do NOT have passwords (such as those for company VPNs) stored on the machine, unless they are stored in an application that requires encrypted password to open.

8: Implement company-wide phone wipe

If your users want BYOD, they have to be willing to sign on to a plan that gives you the power to wipe their phone if it's lost or stolen. Though this should be the case with every user (not just those using their devices for work), many don't see the value in making sure their sensitive data can be easily deleted if the phone winds up in the wrong hands.

9: Require use of company wireless when on premise

You know some users will "forget" to connect to your wireless network when they arrive. You do not want them doing business on their carrier network. Make sure all users understand that if they are to use their device on premises, they must use your wireless network. Not only will this help secure your company data, it will allow you to better monitor and control what goes on.

10: Limit device support

If you open your company up to BYOD, you are within your rights to limit that policy to certain devices. Say you only want to open this up to tablets that do not have a carrier (so they are limited to Wi-Fi only) or to a single platform. By doing this, you not only make your job easier, you help keep your company network/data more secure.

NIST Updates Malware & Patch Management Guideines

First Revisions to Both Publications in Eight Years

The National Institute of Standards and Technology has published new guidance on malware incident prevention and handling for desktops and laptops as well as enterprise patch management technologies.

NIST Special Publication 800-83 Revision 1, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops," provides recommendations for improving an organization's malware incident prevention measures. The publication also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts.

SP 800-40 Revision 3, "Guide to Enterprise Patch Management Technologies," provides an overview of enterprise patch management technologies. It also briefly discusses metrics for assessing the technologies' effectiveness. The publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems.

NIST also issued SP 800-165, "2012 Computer Security Division Annual Report," which highlights the activities of NIST's Computer Security Division during fiscal year 2012, which ended Sept. 30.

The Biggest Threat To Enterprise Is The Thumb Drive

How did Iranian nuclear facilities was destroyed? With a thumb drive. And how did Snowden allegedly smuggle out the blueprints to the NSA? With a thumb drive.

No, it wasn't by some ultra secretive means of super-complex cyber code writing and cloud encryption by which good ol' Eddy breached America's security in arguably the most secure compound on the planet — nope — he simply walked in with a thumb drive, downloaded the NSA, and walked out.

Carl Weinschenk of IT Business Times breaks down how bad a threat flash drives can be:

The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.

The Washington Times breaks down the threat further by reminding everyone that a "number of commercially available programs can switch off the USB port of every computer on the network."

NSA officials “were laying down on their job if they didn’t disable the USB port,” an unnamed government IT the specialist told the Washington Times, referring to the small socket on the side of a computer where thumb drives are plugged in.

Organizations, whether they're public or private, have had difficulty enforcing Bring Your Own Device security measures now for a number of years. Certainly there are places in government buildings where there are NO recording devices or storage devices allowed under ANY circumstances.

Regardless, Snowden managed to get one in and get one out.

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

• Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  
• Only 19% said their organization knew how much regulated data was on mobile devices.
  
• Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  
• 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  
• Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  
• In the past two years, the average organization had almost 5 data breaches involving the loss of theft of a mobile device with regulated data on it.

What are the risks?

1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
   
2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
   
3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
   
4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
   
5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
   
2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
   
3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
   
4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Cyber Threats: Trends in Phishing and Spear Phishing

Phishing is a global problem for businesses as well as individuals, targeting 37.3 billion people globally in the past year

Most of us have wisened up to basic scams and know better than to accept a Nigerian prince's offer of money, or a miraculous win on a Spanish lottery that you can't quite remember entering. But cyber criminals are raising their game and have evolved their tactics to target the more cyber-aware for greater returns.

Sophisticated 'spear phishing' attacks can be hard to spot by the experts; even the largest of organisations is not immune. What chance does this provide the average company or employee, let alone those who use computers infrequently?

Spear phishing is not random – cyber criminals identify employees within a target organisation and use social engineering tactics to construct a legitimate looking email. The FBI have warned business to be more aware of spear phishing tactics, as hackers target employees with administrative rights or access to critical systems.

91% of APTs (advanced persistent threats) start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks. Clicking a link doesn't mean that you are immediately compromised; phishing is part of a larger attack.

Hackers need to expose a system vulnerability and be able to install software quickly and quietly. However, cyber criminals use advanced tactics to disguise malicious attachments and sites to trick users into further action.

This infographic by Via Resource highlights trends and targets in phishing attacks.

Five Ways To Plump Your Security Program Without Going Broke

Some are quick, cheap and often free! Others require a little more time and critical thinking

Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization. Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach.

It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve. Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff. 

The hard stuff is in the next 30 percent." Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

Security experts offer five tips for enhancing security that don't cost a lot of cash — and sometimes no money at all — so companies can spend their security dollars on the hard stuff.

1. Patch security holes and identify vulnerabilities

Three of the top 10 botnets reported in February 2013 were more than 8 years old, according to Fortiguard Labs, the threat-researching arm of network security firm Fortinet Inc. in Sunnyvale, Calif. In the most successful attacks, the majority of those threats had been identified and fixed by vendors years earlier, said Derek Manky, global security strategist.

Companies need to keep patches up to date.

2. Install your free firewall and antivirus upgrades

A lot of people don't realize their basic support contracts with most vendors for support, firewalls and antivirus include free upgrades. If you don't have a strategy to revisit what the available technology is that you've already paid for, then you're missing out on a lot of new features and enhancements" that could prevent a security breach. 

Call your vendor and revisit our firewall and antivirus solution contracts.

3. Keep up with BYOD

Personal devices in the business environment are here to stay. Yet 79 percent of businesses had a mobile security incident in the past year, ranging from malicious apps downloaded to a mobile device to unsecure Wi-Fi connections to lack of security patches from services providers, according to a June mobile security report by Check Point Software Technologies.

These mobile security incidents cost companies between $100,000 and $500,000 in staff time, legal fees and resolution processes.

Organizations can improve mobile device security through BYOD agreements with users to ensure they take security precautions. The checklist should include installing available upgrades and patches; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed, according to the Computer Security Division of the National Institute of Standards and Technology.

4. Define a enterprise-wide security strategy

Nine out of 10 big companies lacked defined security strategy and security plans, or they re not tied with business goals and business objectives. There's no way to know if you're supporting business objectives unless you take the time to develop the security strategy and make they're sure they're doing the most important things for overall risk reduction. 

5. Educate Employees

Successful attacks are usually ones that exploit the human mind. Humans are always the weakest link in the chain.

Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.

10 Principles To Guide Companies in Creating and Implementing Incident Response Plans

It's common that many companies have response plans but don't truly operationalize them!

With cyber criminals successfully targeting organizations of all sizes across all industry sectors, organizations need to be prepared to respond to the inevitable data breach.

A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.

Here are 10 principles to guide companies in creating and implementing incident-response plans:

1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
   
2. Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
   
3. Develop easily accessible quick-response guides for likely scenarios.
   
4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
   
5. Maintain relationships with key external stakeholders, such as law enforcement.
   
6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
   
7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
   
8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
   
9. Identify the individuals who are critical to incident response and ensure redundancy.
   
10. Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities.

An effective incident response plan ultimately relies on executive sponsorship. Given the impact of recent breaches, we expect incident response to move higher on the executive agenda. Putting the development of a robust plan on the fast track is imperative for companies.

When a successful cyber attack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"

Why Security Teams Fail PCI Audits?

5 Key Challenges in the way of successful auditing!

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standards (PCI DSS) compliance - which offers comprehensive standards to enhance payment card data security - is an absolute must.

But for most, ensuring continuous compliance (the ongoing monitoring of rules rather than waiting for audits to show non-compliance) with the vast and ever changing set of rules can be a real drain on resources. 

The 5 'C's

Undoubtedly one or all of the following challenges are getting in the way of successful auditing…the five 'C's:

Complexity- enterprises have hundreds of firewalls, routers and switches, all with their own complex configurations and thousands of access rules. All have to be tracked and catalogued which makes it almost impossible to comply with all the PCI DSS rules.

• Change - hundreds of changes every week amounts to thousands of changes to track from one audit to the next. The combination of rapid change and time pressures mean mistakes happen which can leave businesses wide open.
  
• Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can compromise cardholder data, which can leave businesses compromised until their next audit.
  
• Compliance - audits are time intensive and usually changes are unchecked between audits making the process even more laborious. Yet businesses cannot afford to fail an audit.
  
• Communication - poor communication and a siloed culture of app owners and IT security can mean a comprehensive compliance check between audits is extremely complicated and difficult to manage.

PCI DSS auditing doesn't always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process - by slashing time spent on repetitive, manual work so that security teams can focus on strategic tasks such as security architecture, research and education.