<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bob Tarzey, Author at Security Current</title>
	<atom:link href="/author/bob-tarzey/feed/" rel="self" type="application/rss+xml" />
	<link>/author/bob-tarzey/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 27 Dec 2017 23:32:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Bob Tarzey, Author at Security Current</title>
	<link>/author/bob-tarzey/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Targeted Attacks Plague the EU Driving Data Protection Changes</title>
		<link>/targeted-attacks-plague-the-eu-driving-data-protection-changes/</link>
					<comments>/targeted-attacks-plague-the-eu-driving-data-protection-changes/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Tue, 02 Feb 2016 14:50:10 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17186</guid>

					<description><![CDATA[<p>U.S. companies that operate in the European Union (EU) need to understand what drives European organizations when it comes to data protection. This applies to both commercial organizations that want&#8230;</p>
<p>The post <a href="/targeted-attacks-plague-the-eu-driving-data-protection-changes/">Targeted Attacks Plague the EU Driving Data Protection Changes</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>U.S. companies that operate in the European Union (EU) need to understand what drives European organizations when it comes to data protection. This applies to both commercial organizations that want to trade in Europe and IT suppliers that need to ensure the messaging around their products and services resonates with local concerns.</p>
<p>A recent Quocirca report, <a href="https://resources.trendmicro.com/cyberattacks?_ga=1.86817944.1634337558.1450108759">The trouble at your door; Targeted cyber-attacks in the UK and Europe</a> (sponsored by <a href="http://www.trendmicro.co.uk/">Trend Micro</a>), shows the scale of cybercrime in Europe. Of 600 organizations surveyed, 369 said they had definitely been the target of a cyberattack during the previous 12 months. For 251 of the respondents, these attacks had been successful, 133 had data stolen (or were unsure if it had been stolen), 54 said it was a significant amount of data and 94 reported serious reputational damage.</p>
<p>The reality is almost certainly worse; many of the remainder were uncertain if they had been a victim or not. Cybercriminals are the top concern for European businesses, above hacktivists, industrial espionage and nation state attackers.</p>
<p>This shows that European businesses have plenty to worry about with regard to data security – even before the added complications of the seemingly ever-changing EU data protection laws. The new EU General Data Protection Regulation (GDPR) is looming and seems likely to come into force in early 2018.</p>
<p>The good news for any business trading in Europe is that the GDPR provides a standard way of dealing with personal data in all EU states (the current Data Protection Directive only provides guidance, from which many EU states deviate).</p>
<p>The bad news is the new stringencies that come with the regulation: fines of up to €20M (21.81M US dollars) or 4% of a non-compliant organization’s revenue, requirements to report breaches ‘<em>without undue delay</em>’ and the ‘<em>right to erasure</em>’ (often referred to as the ‘<em>right to be forgotten</em>’).</p>
<p>Given the scale of crime and the pressure to protect customer privacy, it is not surprising that protecting customers’ personal data is the highest priority in Europe, more so than payment card data (the processing of which can be outsourced) and intellectual property (which is less regulated). U.S. businesses trading in Europe need to adapt their processes to take account of the new regulation and the changing Safe Harbour arrangements that are in place between the EU and USA following a successful 2015 court challenge to the status quo.</p>
<p>The attack vectors of greatest concern for European organizations are exploited software vulnerabilities and compromised user identities. Protection against these threats is reflected in the measures put in place to help prevent targeted cyberattacks in the first place and to stop them once in progress.</p>
<p>User identities can be protected by improved awareness around safe email and web use whilst infrastructure can be protected through software scanning and update regimes, all of which top the list of deployed security measures.</p>
<p>Addressing concerns about secure infrastructure should play well for U.S. cloud service providers that get across the message that their platforms are more likely to be kept up to date, have vulnerabilities fixed at an early stage and generally will be better managed than is the case with much in-house infrastructure.</p>
<p>The higher up the stack the cloud service goes, the better, so these benefits apply more to application level software-as-a-service (SaaS) than more basic infrastructure-as-a-service (IaaS). The caveat is that with new doubts about Safe Harbour, U.S. providers really need to put in place European infrastructure to satisfy data protection concerns, a move many are now making.</p>
<p>All this said, European businesses know that sooner or later they will have to deal with a first, or for many another, successful breach of their systems and a potential data loss. So assistance with after measures will also go down well. Malware clean up technology tops the list of deployed measures, but the ability to identify compromised systems, data and users is also understood.</p>
<p>Of course, all of these should be in place to assist with the execution of breach response plans, which should also include processes for informing compromised data subjects and data regulators, as well as having plans for good media relations. Less than half of European businesses have such a plan in place, but there is a willingness to implement them, perhaps with some help and advice from those with the skills and services to offer.</p>
<p>The volume of trade between the U.S. and EU is huge, especially when it comes to technology. Talks to establish the Transatlantic Trade Investment Partnership (TTIP) should make it even easier for U.S. companies to trade with those countries that remain in the EU (the UK may leave following an in/out vote later in 2016).</p>
<p>TTIP will provide common trading rules on both sides of the North Atlantic, but it will not change the need for U.S. companies to be savvy about local EU data protection concerns.</p>
]]></content:encoded>
					
					<wfw:commentRss>/targeted-attacks-plague-the-eu-driving-data-protection-changes/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is Your Identity and Access Management Fit for Purpose?</title>
		<link>/is-your-identity-and-access-management-fit-for-purpose/</link>
					<comments>/is-your-identity-and-access-management-fit-for-purpose/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Thu, 25 Jun 2015 21:17:09 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16873</guid>

					<description><![CDATA[<p>In the old days, identity and access management (IAM) was a mainly internal affair; employees accessing applications, all safely behind a firewall. OK, perhaps the odd remote user, but they&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>In the old days, identity and access management (IAM) was a mainly internal affair; employees accessing applications, all safely behind a firewall. OK, perhaps the odd remote user, but they tunnelled in using a VPN and, to all intents and purposes, they were brought inside the firewall. Those days are long gone.</p>
<p>Today the applications can be anywhere and the users can come from anywhere. Quocirca research (<a href="http://www.splunk.com/en_us/resources/quocirca/master-of-machines.html">Masters of Machines II</a>, June 2015) shows almost 75% of organizations are now using cloud-based software-as-a-service (SaaS) applications with a similar number using infrastructure or platform-as-a-service (IaaS/PaaS) to deploy applications that run in third-party data centers. As for the users, as another recent Quocirca research report shows (<a href="http://quocirca.com/content/getting-know-you-building-online-relationships-effective-identity-and-access-management">Getting to know you</a>, June 2015), they can be anywhere too.</p>
<p>It is not just the rise in the number of employees working remotely, but the fact that applications are opened up to outsiders. Whether it is better managing supply chains through sharing applications with partners and suppliers, managing distribution online or transacting directly with consumers, almost all organizations are interacting with external users beyond their firewall.</p>
<p>Furthermore, this is not a small scale opening up to a discrete set of users; the numbers involved are big. The average European enterprise is dealing with approaching a quarter of a million registered external users.</p>
<p>For organizations that are dealing with consumers, such as financial services and transport organizations, the numbers are even higher. Dealing with this complete reconfiguration of the way IT applications are managed and accessed has required a re-think of IAM.</p>
<p>The “<a href="http://quocirca.com/content/getting-know-you-building-online-relationships-effective-identity-and-access-management"><em>Getting to know you</em></a>” research shows that only 20% of organisations think their current IAM systems are fit for purpose. IAM covers a range of capabilities including user provisioning, compliance reporting and single-sign-on. There is also an increasing requirement for federated identity management, which is the bringing together of identities from multiple sources and applying a common policy.</p>
<p>For the majority, the primary source of identity for employees remains Microsoft Active Directory but this is now supplemented by a range of other sources for external users. These include partner directories, government databases, lists from telco service providers, member lists of professional bodies and, especially when it comes to consumers, social media.</p>
<p>The trouble is that many IAM systems were designed to deal with the old way of doing things. They were often purchased as part of a software stack from a vendor like Oracle, CA or IBM. Many organizations are now struggling to adapt these legacy IAM systems for the new use cases. As with any legacy system, wholesale replacement is often impractical if not impossible. The result is that new IAM suppliers are being introduced and integrated with the old.</p>
<p>The average organization has at least 2 IAM suppliers; the number is higher when stack-based IAM is being adapted to deal with external users. The second IAM system is likely to be a SaaS system, designed for provisioning users from a wide range of identity sources to other cloud applications.</p>
<p>IAM systems are becoming hybridised, legacy IAM for internal users and some older relationships (such as those with contractors) integrated with cloud-based management for remote workers and users from partners, business customers and consumers. 39% of the respondents to the “<a href="http://quocirca.com/content/getting-know-you-building-online-relationships-effective-identity-and-access-management"><em>Getting to know you</em></a><em>”</em> research are taking a hybrid approach to federating identities and 53% are doing so for single sign on, a particularly effective way of handling access to cloud-based resources for internal and external users. Both numbers rise for consumer-facing organizations.</p>
<p>A small number of organizations, around 10%, have moved entirely over to a SaaS-based IAM system such as Ping Identity’s PingOne, Intermedia’s AppID (from its SaaS ID acquisition), Okta, OneLogin or Symplified. Traditional stack-IAM vendors are updating their products; for example, CA SiteMinder, Symantec’s SAM and IBM via its 2014 acquisition of Lighthouse Security. Other cloud service providers, such as Salesforce, have entered the IAM market, in its case by working with the open source provider ForgeRock.</p>
<p>The last decade has seen a revolution in the IAM market. The old guard will attempt to keep up with the up-starts. However, it seems that simply being an incumbent IAM supplier is not enough, so in order to keep up there is likely to be more acquisition and consolidation.</p>
]]></content:encoded>
					
					<wfw:commentRss>/is-your-identity-and-access-management-fit-for-purpose/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Rise and Rise of Bad Bots – Part 2 – Beyond Web-Scraping</title>
		<link>/the-rise-and-rise-of-bad-bots-part-2-beyond-web-scraping/</link>
					<comments>/the-rise-and-rise-of-bad-bots-part-2-beyond-web-scraping/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Thu, 16 Apr 2015 15:41:06 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17199</guid>

					<description><![CDATA[<p>Anyone who listened to Aleks Krotoski’s 5 short programs on Radio 4 in the UK titled Codes that Changed the World will have been reminded that applications written in COBOL, despite&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>Anyone who listened to Aleks Krotoski’s 5 short programs on Radio 4 in the UK titled <a href="http://www.bbc.co.uk/programmes/b05qqhqp">Codes that Changed the World</a> will have been reminded that applications written in COBOL, despite dating from the late 1950s, remain in widespread use.</p>
<p>Although organizations are reliant on these applications they are often impossible to change as the original developers are long gone and the documentation is poor. With the advent of Windows and then web browsers, there was a need to re-present the output of old COBOL applications. This led to the birth of screen-scraping, the reading of output intended for dumb terminals and repurposing it for alternative user interfaces.</p>
<p>The concepts of screen-scraping have been reborn in the 21st century as web-scraping. Web scrapers are bots that scan web sites for information, when necessary manipulating i/o to get what they need.</p>
<p>This is not necessarily a bad activity; price comparison sites rely on the technique. For example, an airline or hotel wants its pricing information shared in the hope that its services will appear on as many sites as possible. However, there are also less desirable applications of web-scraping, such as competitive intelligence. So, how do you tell good bots from bad?</p>
<p>This was the original business of <a href="http://www.distilnetworks.com/">Distil Networks</a>. It developed technology that could be deployed as an on-premise appliance or invoked as a cloud service, enabling bots to be identified and policy defined about what they can or cannot do. So, if you sell airline tickets, it can recognize bots from approved price comparison sites, but block those that are from competitors or are just unknown.</p>
<p>Distil does this by developing signatures that allow good bots to be white listed (i.e. allowed). It recognizes bots in the first place by checking for a lack of a web browser (and therefore real user) and challenging suspects with CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). It has plans to extend this to APIs (application programming interfaces) that are embedded in the native apps that are increasingly being used to access online resources from mobile devices.</p>
<p>With the ability to recognize and block bots, Distil Networks has realized it has the ability to block other unwanted attention being received by its customers. For example:</p>
<ul>
<li>Brute force logins are perpetrated using bots; these can be identified and blocked, and if necessary challenged with a CAPTCHA</li>
<li>Man-in-the-middle (MITM) attacks, where a user’s communication with a resource is interfered with, often involve bots; these can be detected and blocked</li>
<li>Online ad fraud/click fraud relies on bots to click many times, mimicking user interest and potentially costing advertisers dearly; such activity can be identified and blocked</li>
<li>Bot-based vulnerability scanners can be limited to authorised products and services, blocking others that are being used by hackers to find weaknesses in target systems, giving resource owners back the initiative in the race to patch or exploit</li>
</ul>
<p>Distil charges by the volume of page requests, so for example, if you were worried about ad-fraud and a bot net was used to generate millions of clicks, then costs could spiral out of control. The answer to that is to use DDoS controls that can detect volume attacks (as discussed in part 1 of this blog post) in conjunction with Distil’s bot detection and blocking capability.</p>
<p>Distil seems to be onto something. It has received $13M in VC funding so far, and has an impressive and growing list of customers. Unlike many security vendors, it seems happy to name its customers; perhaps just knowing such protection is in place will encourage the bad guys to move on? In the UK this includes EasyJet and Yell.com. Distil is set to make life harder for bad bots – as ever there will surely be a fight back from the dark side.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-rise-and-rise-of-bad-bots-part-2-beyond-web-scraping/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Rise and Rise of Bad Bots – Part 1 – Little DDoS</title>
		<link>/the-rise-and-rise-of-bad-bots-part-1-little-ddos/</link>
					<comments>/the-rise-and-rise-of-bad-bots-part-1-little-ddos/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Wed, 15 Apr 2015 15:59:19 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17205</guid>

					<description><![CDATA[<p>Many will be familiar with the term bot, short for web-robot. Bots are essential for effective operation of the web: web-crawlers are a type of bot, automatically trawling sites looking&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>Many will be familiar with the term bot, short for web-robot. Bots are essential for effective operation of the web: web-crawlers are a type of bot, automatically trawling sites looking for updates and making sure search engines know about new content.</p>
<p>To this end, website owners need to allow access to bots, but they can (and should) lay down rules. The standard here is to have a file associated with any web server called robots.txt that the owners of good bots should read and adhere to.</p>
<p>However, not all bots are good; bad bots can just ignore the rules! Most will also have heard of botnets, arrays of compromised user devices and/or servers that have illicit background tasks running to send spam or generate high volumes of traffic that can bring web servers to their knees through DDoS (distributed denial of service) attacks.</p>
<p>A Quocirca research report, <a href="http://quocirca.com/content/online-domain-maturity">Online Domain Maturity</a>, published in 2014 and sponsored by Neustar (a provider of DDoS mitigation and web site protection/performance services), shows that the majority of organizations say they have either permanent or emergency DDoS protection in place, especially if they rely on websites to interact with consumers.</p>
<p>However, Neustar’s own March 2015 <a href="https://www.neustar.biz/resources/whitepapers/ddos-attacks-protection-report-emea-2015">EMEA DDoS Attacks and Protection Report</a> shows that in many cases organizations are still relying on intrusion prevention systems (IPS) or firewalls rather than custom DDoS protection. The report, which is based on interviews with 250 IT managers, shows that 7-10% of organizations believe they are being attacked at least once a week. Other research suggests the situation may actually be much worse than this, but IT managers are simply not aware of it.</p>
<p>Corero (another DDoS protection vendor) shows in its Q4 2014 <a href="http://www.corero.com/DDoS_Trends_Report_Q4_2014">DDoS Trends and Analysis</a> report, which uses actual data regarding observed attacks, that 73% last less than 5 minutes. Corero says these are specifically designed to be short lived and go unnoticed. This is a fine tuning of the so-called distraction attack.</p>
<p>Arbor (yet another DDoS protection vendor) finds distraction to be the motivation for about 19-20% of attacks in its 2014 <a href="http://www.arbornetworks.com/resources/infrastructure-security-report">Worldwide Infrastructure Security Report</a>. However, as with Neustar, this is based on what IT managers know, not what they do not know.</p>
<p>The low-level, sub-saturation DDoS attacks reported by Corero are designed to go unnoticed but disrupt IPS and firewalls for just long enough to perpetrate a more insidious targeted attack before anything has been noticed. Typically it takes an IT security team many minutes to observe and respond to a DDoS attack, especially if they are relying on an IPS. That might sound fast, but in network time it is eons; attackers can easily insert their actual attack during the short minutes of the distraction.</p>
<p>So there is plenty of reason to put DDoS protection in place (other vendors include Akamai/Prolexic, Radware and DOSarrest). However, that is not the end of the bot story. Cyber-criminals are increasingly using bots to perpetrate another whole series of attacks. This story starts with another, sometimes, legitimate and positive activity of bots – web scraping; the subject of a follow on article – The rise and rise of bad bots – part 2 – beyond web scraping. Stay tuned!</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-rise-and-rise-of-bad-bots-part-1-little-ddos/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Insurance Companies Need to Eat Their Own Dog Food</title>
		<link>/insurance-companies-need-to-eat-their-own-dog-food/</link>
					<comments>/insurance-companies-need-to-eat-their-own-dog-food/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Thu, 26 Mar 2015 21:38:13 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16886</guid>

					<description><![CDATA[<p>Many insurance companies aspire to sell policies to their customers that will provide financial mitigation against cyber-attacks. That is all well and good, but they need to make sure their&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>Many insurance companies aspire to sell policies to their customers that will provide financial mitigation against cyber-attacks. That is all well and good, but they need to make sure their own houses are in order first.</p>
<p>A recent Quocirca research report, <a href="http://quocirca.com/content/new-quocirca-research-reports-coming-soon"><em>Room for improvement, Building confidence in data security</em></a>, which was sponsored by Digital Guardian, showed that by some measure, financial services were the most confident about data security. However, whilst more than half of financial services organisations are very confident about data security, 4% are <em>not that confident</em>. It seems insurance companies lie at the lower end of this scale.</p>
<p>Quocirca attended a recent round table in the UK attended by IT security heads from leading insurance companies hosted by <a href="https://www.entrust.com/financial-institutions/">Entrust Datacard</a>, a provider of strong authentication tools, digital certificates and online fraud prevention products. If the views of the dozen or so attendees are anything to go by, the insurance sub-sector has a lower level of confidence about data security than banks (of course, some organisations have a foot in both camps, so called bancassurance). Why?</p>
<p>For a start, whereas banks deal directly with their customers’ money, for insurance companies it is largely secondary; in other words, if your bank account is hacked money may be transferred, but it is harder to exploit an online insurance account.</p>
<p>Secondly, it was evident that one of the biggest concerns for insurers is insurance fraud, however carried out, and it was not clear that this was harder or easier to deal with as the industry has moved online.</p>
<p>It was agreed that the two obvious areas of vulnerability for insurers were the protection of personal and payment card data. Protecting both is of course a regulatory requirement in the EU, but also makes good business sense. An insurance company may be targeted for such data, not because it is an insurance company per se, but because its defences are weaker.</p>
<p>However, some interesting insurance specific threats also emerged. Stealing lists of policy holders would be useful for planning crimes, for example the targeted thefts of high value cars.</p>
<p>Another involved intellectual property (IP); as quoting for insurance has moved online, the industry has become highly competitive. Appearing high on the listings of comparison sites, where many insurance buyers end up, involves quoting via tightly guarded algorithms; some felt there was a possibility of industrial espionage in this area.</p>
<p>The insurance supply chain may also be vulnerable; many policies are sold via agents and brokers. However good a given insurance company’s own data security is, its Achilles’ heel could well turn out to be a smaller partner. It was noted that some well publicised data breaches relied on compromising smaller partners to find a way into a larger organisation’s IT systems. There should be an onus on insurers to advise and certify the security of their supply chain partners.</p>
<p>There are of course many benefits of being able to safely transact online. Other Quocirca research, not yet published, shows that confidence in the omni-channel (the mix and match of mobile apps, web sites, telephone, face-to-face etc.), which the attendees at the event agreed they need to embrace, goes hand in hand with higher levels of confidence in data security.</p>
<p>Another was being able to verify the ownership of insured assets, many of which can now be certified electronically via the internet-of-things (IoT), reducing the possibility of fraud.</p>
<p>As insurance companies seek to sell other businesses policies that address online risk, they will price protection depending on the security measures put in place to mitigate that risk. As the sector relies more and more on online interaction to keep up with its customers, insurers cannot afford to be seen to fall short of the IT security standards they expect of those they insure.</p>
<p>The post <a href="/insurance-companies-need-to-eat-their-own-dog-food/">Insurance Companies Need to Eat Their Own Dog Food</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/insurance-companies-need-to-eat-their-own-dog-food/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is Your Online Security Fit for the Online Consumer?</title>
		<link>/is-your-online-security-fit-for-the-online-consumer/</link>
					<comments>/is-your-online-security-fit-for-the-online-consumer/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Tue, 02 Dec 2014 23:00:16 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16927</guid>

					<description><![CDATA[<p>There are few businesses that are not dependent to some extent on their online presence. Websites are no longer simply a source of information, but a place to transact with&#8230;</p>
<p>The post <a href="/is-your-online-security-fit-for-the-online-consumer/">Is Your Online Security Fit for the Online Consumer?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>There are few businesses that are not dependent to some extent on their online presence. Websites are no longer simply a source of information, but a place to transact with customers.</p>
<p>Often this will mean dealing with regulated personal and financial data and a commensurate investment in security is required. Those that fail to do so may lose the trust of customers and face penalties from regulators.</p>
<p>Dealing with consumers is problematic not just because they expect web sites to perform well and be highly available but because of how transactions are completed.</p>
<p>Payments are usually taken using on-the-spot payment cards or services, bringing many consumer-facing organizations into the scope of the Payment Card Industry Data Security Standard (PCI DSS) and other data protection regulations. B2B transactions, on the other hand, will often have delayed payment covered by lines of credit.</p>
<p>New Quocirca research shows how the consumer-facing majority (77%) and non-consumer-facing minority (23%) differ in their approach to securing their online presence. The free research report, which is called <a href="http://hello.neustar.biz/QuocircaDomainMaturityReport_it_security_lp.html">Online Domain Maturity</a>, was sponsored by Neustar, a supplier of online security and monitoring services.</p>
<p>Consumer-facing businesses are almost twice as likely to be increasing the budget dedicated to securing and managing online resources compared to those that only deal with other businesses.</p>
<p>This extra investment is often focussed on state of the art security. Consumer-facing businesses are more likely to have in place distributed denial of service (DDoS) protection, fraud detection, security information and event management (SIEM) and advanced threat protection. Their non-consumer-facing counterparts still rely on older technologies such as host-based anti-malware and intrusion detection systems (IDS).</p>
<p>Consumer-facing organizations are less likely to rely on in-house skills to achieve their goals. They are more likely to outsource both security and infrastructure leaving them free to focus on the customer experience and transaction closure rates. In almost all areas of security, consumer-facing organizations are more likely to use on-demand services.</p>
<p>This is also true for content delivery networks (CDN) and domain name services (DNS) as well as for the overall hosting of web sites and online applications. Better security than many organizations are able to achieve in-house is high on the list of cited benefits of on-demand services.</p>
<p>The internet is now embedded in so many business processes that the choice is how well a given business secures and manages its online presence rather than whether it has an online presence in the first place.</p>
<p>Dealing with consumers raises the biggest challenges and consumer-facing organizations are rising to these through investment and successful partnering with on-demand security and infrastructure service providers.</p>
<p>That is not to say all consumer-facing organizations have got it right; many still have room for improvement, and the laggards need to learn from the leaders. Organizations whose primary focus is B2B certainly need to shake off their complacency.</p>
<p>As more and more digital natives enter the workplace they will bring their consumer expectations and habits with them. They will expect to be able to find the resources they need online with the security and performance to match. Whether they are transacting for business or personal reasons, a top class online experience is expected by consumers. Businesses that fail to deliver this do not have a long term future.</p>
<p>Quocirca’s report, sponsored by Neustar, is free for Security Current readers to download <a href="http://hello.neustar.biz/QuocircaDomainMaturityReport_it_security_lp.html">here</a>.</p>
<p>The post <a href="/is-your-online-security-fit-for-the-online-consumer/">Is Your Online Security Fit for the Online Consumer?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/is-your-online-security-fit-for-the-online-consumer/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Problem of Buggy Software Components</title>
		<link>/the-problem-of-buggy-software-components/</link>
					<comments>/the-problem-of-buggy-software-components/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Mon, 03 Nov 2014 23:18:14 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16941</guid>

					<description><![CDATA[<p>What do Heartbleed, Shellshock and Poodle all have in common? Well apart from being software vulnerabilities discovered in 2014, they were all found in pre-built software components, used by developers&#8230;</p>
<p>The post <a href="/the-problem-of-buggy-software-components/">The Problem of Buggy Software Components</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>What do Heartbleed, Shellshock and Poodle all have in common? Well, apart from being software vulnerabilities discovered in 2014, they were all found in pre-built software components, used by developers to speed up the development of their own bespoke programs.</p>
<p>Heartbleed was in OpenSSL (an open source toolkit for implementing secure access to web sites), Shellshock was in the UNIX Bash shell (which enables the running of UNIX operating system commands from programs), whilst Poodle was another SSL vulnerability.</p>
<p>Also common to all three is that they were given fancy names and well publicised. This is not a bad thing; it gives the press something to hang its hat on and gets the message out to software developers that a bug needs fixing.</p>
<p>The time lag between zero day, when a vulnerability is first identified, and the bug being patched is the window of opportunity for hackers to exploit it. With Heartbleed in particular, there was also advice for the general public, to change their passwords for certain web sites that used the vulnerable version of OpenSSL.</p>
<p>However, these widely publicized bugs are just the tip of the iceberg, as data from HP’s Security Research (HPSR) team reveals. HPSR uncovers software security flaws on behalf of its customers and the broader community.</p>
<p>Unlike the discoverers of Heartbleed, Shellshock and Poodle, HPSR does not seek publicity for all the flaws it hunts down via its Zero Day Initiative (ZDI) program; not least because there are so many of them.</p>
<p>HPSR has a number of ways of seeking vulnerabilities out. Some it simply buys from white hat hackers (those who look for ways to hack software code, but not to exploit the flaws they find).</p>
<p>It also sponsors an annual competition to find flaws called Pwn2Own; the 2014 event uncovered 33 in software from Adobe, Apple, Google, Microsoft and Mozilla. On top of this HPSR does its own research. In total in 2014, ZDI has uncovered over 500 bugs, two thirds of which have been patched; it estimates 50-75% of these were in software components. HPSR claims ZDI is the number one finder of bugs in deployed versions of Microsoft software.</p>
<p>As an HPSR rep points out ‘<em>these days most software is composed not written,</em>’ meaning that software is largely built from pre-constructed components. In fact, not using components would be highly inefficient, as it would mean constantly re-inventing the wheel, especially when many components are cheap or free via open source.</p>
<p>However, the number of bugs in software components means that users need more effective ways to monitor their use and fix problems that arise. This is especially true of open source components, as anyone can contribute to them. HPSR contends that commercial software vendors could strengthen the open source movement by investing more resources to ensure open source components are well-tested and secure.</p>
<p>Of course, the broader HP has an interest in all this for two reasons. First, as a builder and supplier of software, HP is a big user of components. Second, it also helps its customers build and deploy safer software through its Fortify product range. In February 2014 HP announced its Fortify Open Review Project to identify and report on security vulnerabilities in widely used open-source software components.</p>
<p>HP also announced improved component checking support for its on-demand scanning service by partnering with Sonatype to use its Component Lifecycle Management analysis technology.</p>
<h3>Software Composition Analysis</h3>
<p>HP is not alone in recognizing the need for safer component use. Veracode, another software security vendor, estimates that components constitute up to 90% of the code in some in-house developed applications.</p>
<p>In September 2014 Veracode added ‘<em>software composition analysis</em>’ to its static software scanning service to protect customers more rapidly from zero day vulnerabilities discovered in components.</p>
<p>With the introduction of software composition analysis Veracode can now create an inventory of all the components used by a given customer, detailing the programs in which each is embedded. When a new vulnerability is identified in a component, Veracode can take rapid and pervasive action; either applying fixes immediately or isolating already deployed applications until patches are available.</p>
<p>This further enhances its ability to protect customers from newly discovered vulnerabilities. Its dynamic scanning service, which tests deployed executables, would pick many of these up too. However, it focusses on common paths through applications and may miss obscure parts that are rarely or never used, but a hacker may focus exactly on these areas once a vulnerability becomes public knowledge.</p>
<p>As Veracode points out, most IT departments are managing software code that was largely not built in-house. The only control security teams have over software is to maintain effective scanning capabilities with an awareness of components to help understand inherited risk. Software components are not going to disappear; their value to business is too great, so security teams need to learn how to live with them.</p>
<p>The post <a href="/the-problem-of-buggy-software-components/">The Problem of Buggy Software Components</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-problem-of-buggy-software-components/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Web Security 3.0 – Is Your Business Ready?</title>
		<link>/web-security-3-0-is-your-business-ready/</link>
					<comments>/web-security-3-0-is-your-business-ready/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Wed, 03 Sep 2014 02:18:52 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16970</guid>

					<description><![CDATA[<p>Security products have evolved with the use of the Internet. When web sites were largely static it was enough to tell users which URLs to avoid because the content was&#8230;</p>
<p>The post <a href="/web-security-3-0-is-your-business-ready/">Web Security 3.0 – Is Your Business Ready?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Security products have evolved with the use of the Internet. When web sites were largely static it was enough to tell users which URLs to avoid because the content was undesirable (porn etc.).</p>
<p>As the web became a means of distributing malware and perpetrating fraud, there was a need to identify bad URLs that appeared overnight or good URLs that had gone bad as existing sites were compromised. Early innovators in this area included Websense (now a sizable broad-base security vendor) and two British companies: SurfControl (that ended up as part of Websense) and ScanSafe, which was acquired by Cisco.</p>
<p><strong>Web 2.0</strong></p>
<p>These URL filtering products are still widely used to control user behavior (for example, you can only use Facebook at lunch time) as well as block dangerous and unsavory sites. They rely on up to date intelligence about all the URLs out there and their status. Most of the big security vendors have capability in this area now. However, as the web became more interactive (for a while we all called this Web 2.0) there was a growing need to be able to monitor the sort of applications that were being accessed via the network ports typically used for web access; port 80 (for HTTP) and port 443 (for HTTPS). Again this was about controlling user behavior and blocking malicious code and activity.</p>
<p>To achieve this firewalls had to change; enter the next generation firewall. The early leader in this space was Palo Alto Networks. The main difference with its firewall was that it was application aware with a granularity that could work within a specific web site (for example, applications running on Facebook). Just as with the URL filtering vendors, next generation firewalls rely on application intelligence, the ability to recognize a given application by its network activity and allow or block it according to user type, policy etc. Palo Alto Networks built up its own application intelligence, but there were other databases, such as FaceTime (a vendor that found itself in a name dispute with Apple) which was acquired by Check Point as it upgraded its firewalls. Other vendors including Cisco’s Sourcefire, Fortinet and Dell’s SonicWALL have followed suit.</p>
<p><strong>The rise of shadow IT</strong></p>
<p>So with URLs and web applications under control, is the web a safer place? Well yes, but the job is never done. A whole new problem has emerged in recent years with the increasing ability for users to upload content to the web. The problem has become acute as users increasingly provision cloud services over the web for themselves (so-called shadow IT). How do you know which services are OK to use? How do you even know which ones are in use? Again this is down to intelligence gathering, a task embarked on by Skyhigh Networks in 2012.</p>
<p>Skyhigh defines a cloud service as anything that has the potential to “exfiltrate data;” so this would include Dropbox and Facebook, but not the web sites of organizations such as CNN and the BBC. Skyhigh provides protection for businesses, blocking its users from accessing certain cloud services based on its own classification (good, medium, bad) providing a “Cloud Trust” mark (similar to what Symantec’s VeriSign does for websites in general). As with URL filtering and next generation firewalls, this is just information; rules about usage need to be applied. Indeed, Skyhigh can provide scripts to be applied to firewalls to enforce rules around the use of cloud services.</p>
<p>However, Skyhigh cites other interesting use cases. Many cloud services are of increasing importance to businesses; LinkedIn is used to manage sales contacts, while Dropbox, Box and many other sites are used to keep backups of documents created by users on the move. Skyhigh gives businesses insight into their use, enables them to impose standards and, where subscriptions are involved, allows usage to be aggregated into single discounted contracts rather than being paid for via expenses (which is often a cost control problem with shadow IT). It also provides enterprise risk scores for a given business based on its overall use of cloud services.</p>
<p>Beyond this, Skyhigh can assert controls over those users working beyond the corporate firewall, often on their own devices. For certain cloud services for which access is provided by the business (think salesforce.com, ServiceNow, SuccessFactors etc.), without need for an agent, usage is forced back via Skyhigh’s reverse proxy so that usage is monitored and controls enforced. Skyhigh can also recognize anomalous behavior with regard to cloud services and thus provide an additional layer of security against malware and malicious activity.</p>
<p>Skyhigh is the first to point out that it is not an alternative to web filtering and next generation firewalls but complementary to them. Skyhigh, which mostly provides its service on-demand, is already starting to co-operate with existing vendors to enhance their own products and services through partnerships. So your organization may be able to benefit from its capabilities via an incremental upgrade from an existing supplier rather than a whole new engagement. So, that is web security 3.0; the trick is to work out what’s next – roll on Web 4.0!</p>
<p>The post <a href="/web-security-3-0-is-your-business-ready/">Web Security 3.0 – Is Your Business Ready?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/web-security-3-0-is-your-business-ready/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Security and Visibility of Critical National Infrastructure: ViaSat’s Mega-SIEM</title>
		<link>/the-security-and-visibility-of-critical-national-infrastructure-viasats-mega-siem/</link>
					<comments>/the-security-and-visibility-of-critical-national-infrastructure-viasats-mega-siem/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Thu, 17 Jul 2014 16:03:17 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17207</guid>

					<description><![CDATA[<p>There has been plenty of talk about the threat of cyber-attacks on critical national infrastructure (CNI). So what’s the risk, what’s involved in protecting CNI and why, to date, do&#8230;</p>
<p>The post <a href="/the-security-and-visibility-of-critical-national-infrastructure-viasats-mega-siem/">The Security and Visibility of Critical National Infrastructure: ViaSat’s Mega-SIEM</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>There has been plenty of talk about the threat of cyber-attacks on critical national infrastructure (CNI). So what’s the risk, what’s involved in protecting CNI and why, to date, do attacks seem to have been limited?</p>
<p>CNI is the utility infrastructure that we all rely on day-to-day; national networks such as electricity grids, water supply systems and rail tracks. Others have an international aspect too, for example gas pipelines are often fed by cross-border suppliers. In the past such infrastructure has often been owned by governments, but much has now been privatized.</p>
<p>Some CNI has never been in government hands; mobile phone and broadband networks have largely emerged after the Telco monopolies were scrapped in the 1980s. The supply chains of major supermarkets have always been a private matter, but they are very reliant on road networks, an area of CNI still largely in government hands.</p>
<p>The working fabric of CNIs is always a network of some sort; pipes, copper wires, supply chains, rails, roads: keeping it all running requires network communications. Before the widespread use of the internet this was achieved through proprietary, dedicated and largely isolated networks. Many of these are still in place. However, the problem is that they have increasingly become linked to and/or enriched by Internet communications. This makes CNIs part of the nebulous thing we call cyber-space, which is predicted to grow further and faster with the rise of the internet-of-things (IoT).</p>
<p>Who would want to attack CNI? Perhaps terrorists; however, some point out that it is not really their modus operandi, regional power cuts being less spectacular than flying planes into buildings. CNI could become a target in nation state conflicts, perhaps a surreptitious attack where there is no kinetic engagement (a euphemism for direct military conflict). Some say this is already happening, for example, the Stuxnet malware that targeted Iranian nuclear facilities.</p>
<p>Then there is cybercrime. Poorly protected CNI devices may be used to gain entry to computer networks with more value to criminals. In some cases devices could be recruited to botnets; again this is already thought to have happened with IoT devices. Others may be direct targets, for example tampering with electricity meters or stealing data from point-of-sales (PoS) devices that are the ultimate front end of many retail supply chains.</p>
<p>Who is ultimately responsible for CNI security? Should it be governments? After all, many of us own the homes we live in, but we expect government to run defence forces to protect our property from foreign invaders. Government also passes down security legislation, for example at airports, and other mandates are emerging with regard to CNI. However, at the end of the day it is in the interests of CNI providers to protect their own networks, for commercial reasons as well as in the interests of security. So, what can be done?</p>
<p><strong>Securing CNI</strong></p>
<p>One answer is, of course, CNI network isolation. However, this is simply not practical; laying private communications networks is expensive, and innovations like smart metering are only practical because existing communications technology standards and networks can be used. Of course, better security can be built into CNIs in the first place, but this will take time; many have essential components that were installed decades ago.</p>
<p>A starting point would be better visibility of the overall network in the first place and the ability to collect inputs from devices and record events occurring across CNI networks. If this sounds like a kind of SIEM (security information and event management) system, along the lines of those provided for IT networks by LogRhythm, HP, McAfee, IBM and others, then that is because it is; a mega-SIEM for the huge scale of CNI networks. This is the vision behind ViaSat’s Critical Infrastructure Protection. ViaSat is now extending sales of the service from the USA to Europe.</p>
<p>The service involves installing monitors and sensors across CNI networks, setting baselines for known normal operations and looking for the absence of the usual and the presence of the unusual. ViaSat can manage the service for its customers out of its own security operations centre (SOC) or provide customers with their own management tools. Sensors are interconnected across an encrypted IP fabric, which allows for secure transmission of results and commands to and from the SOC. Where possible the CNI’s own fabric is used for communications, but if necessary this can be supplemented with internet communications; in other words the internet can be recruited to help protect CNI as well as attack it.</p>
<p>Having better visibility of any network not only helps improve security, but enables other improvements to be made through better operational intelligence. ViaSat says it is already doing this for its customers. The story sounds similar to one told in a recent Quocirca research report, <a href="http://www.quocirca.com/reports/955/masters-of-machines--business-insight-from-it-operational-intelligence">Masters of Machines</a>, which was sponsored by Splunk. Splunk’s background is SIEM and IT operational intelligence, which, as the report shows, is increasingly being used to provide better commercial insight into IT driven business processes.</p>
<p>As it happens ViaSat already uses Splunk as a component of its SOC architecture. However, Splunk has ambitions in the CNI space too; some of its customers are already using its products to monitor and report on industrial systems. Some co-opetition will surely be a good thing as the owners of CNIs seek to run and secure them better for the benefit of their customers and in the interests of national security.</p>
<p>The post <a href="/the-security-and-visibility-of-critical-national-infrastructure-viasats-mega-siem/">The Security and Visibility of Critical National Infrastructure: ViaSat’s Mega-SIEM</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-security-and-visibility-of-critical-national-infrastructure-viasats-mega-siem/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Do Increasing Worries About Insider Threats Mean it is Time to Take Another Look at DRM?</title>
		<link>/do-increasing-worries-about-insider-threats-mean-it-is-time-to-take-another-look-at-drm/</link>
					<comments>/do-increasing-worries-about-insider-threats-mean-it-is-time-to-take-another-look-at-drm/#respond</comments>
		
		<dc:creator><![CDATA[Bob Tarzey]]></dc:creator>
		<pubDate>Thu, 03 Jul 2014 14:13:27 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16990</guid>

					<description><![CDATA[<p>The encryption vendor SafeNet publishes a Breach Level Index that records actual reported incidents of data loss. Whilst the number of losses attributed to malicious outsiders (58%) exceeds those attributed&#8230;</p>
<p>The post <a href="/do-increasing-worries-about-insider-threats-mean-it-is-time-to-take-another-look-at-drm/">Do Increasing Worries About Insider Threats Mean it is Time to Take Another Look at DRM?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The encryption vendor SafeNet publishes a <a href="http://www.breachlevelindex.com/#sthash.T0R8piOz.dpbs">Breach Level Index</a> that records actual reported incidents of data loss. Whilst the number of losses attributed to malicious outsiders (58%) exceeds those attributed to malicious insiders (13%), SafeNet claims that insiders account for more than half of the actual information lost.</p>
<p>This is because insiders will also be responsible for all the accidental losses that account for a further 26.5% of incidents and the stats do not take into account the fact that many breaches caused by insiders will go unreported. The insider threat is clearly something that organizations need to guard against to protect their secrets and regulated data.</p>
<p>Employees can be coached to avoid accidents and technology can support this. Intentional theft is harder to prevent, whether it is for reasons of personal gain, industrial espionage or just out of spite.</p>
<p>According to Verizon’s Data Breach Investigations Report, 70% of the thefts of data by insiders are committed within 30 days of an employee resigning from their job, suggesting they plan to take data with them to their new employer. Malicious insiders will try to find a way around the barriers put in place to protect data; training may even serve to provide useful pointers about how to go about it.</p>
<p>Some existing security technologies have a role to play in protecting against the insider threat. Basic access controls built into data stores, linked to identity and access management (IAM) systems, are a good starting point. Encryption of stored data strengthens this, helping to ensure only those with the necessary rights can access data in the first place.</p>
<p>In addition, there have been many implementations of data loss prevention (DLP) systems in recent years; these systems monitor the movement of data over networks, alert when content is going somewhere it shouldn’t and, if necessary, block it.</p>
<p>However, if a user has the rights to access data, and indeed to create it in the first place, then these systems do not help, especially if the user is to be trusted to use that data on remote devices. To protect data at all times, controls must extend to wherever the data is.</p>
<p>It is to this end that renewed interest is being taken in digital rights management (DRM). In the past, issues such as scalability and user acceptance have held many organizations back from implementing DRM. That is something DRM suppliers such as Fasoo and Verdasys have sought to address.</p>
<p>DRM, as with DLP, requires all documents to be classified from the moment of creation and monitored throughout their life cycle. With DRM, user actions are controlled through an online policy server, which is consulted each time a sensitive document is accessed. So, for example, a remote user can be prevented from taking actions on a given document such as copying or printing; documents can only be shared with other authorized users. Most importantly, an audit trail of who has done what to a document, and when, is collected and managed at all stages.</p>
<p>Just trusting employees would be cheaper and easier than implementing more technology. However, it is clear that this is not a strategy businesses can move forward with. Even if they are prepared to take risks with their own intellectual property, regulators will not accept a casual approach when it comes to sensitive personal and financial data. If your organization cannot be sure what users are doing with its sensitive data at all times, perhaps it is time to take a look at DRM.</p>
<p>Quocirca’s report “What keeps your CEO up at night? The insider threat: solved with DRM,” is freely available <a href="http://www.quocirca.com/reports/953/what-keeps-your-ceo-up-at-night-the-insider-threat-solved-with-drm">here</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/do-increasing-worries-about-insider-threats-mean-it-is-time-to-take-another-look-at-drm/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
