<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Executive Viewpoint Archives - Security Current</title>
	<atom:link href="/category/executive-viewpoint/feed/" rel="self" type="application/rss+xml" />
	<link>/category/executive-viewpoint/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 24 Apr 2019 06:50:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Executive Viewpoint Archives - Security Current</title>
	<link>/category/executive-viewpoint/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Don&#8217;t Let the Dow Jones Security Incident Happen to You:  Strategies and Steps for Vendor Risk Management</title>
		<link>/dont-let-the-dow-jones-security-incident-happen-to-you-strategies-and-steps-for-vendor-risk-management/</link>
		
		<dc:creator><![CDATA[Mike Puglia]]></dc:creator>
		<pubDate>Wed, 24 Apr 2019 06:41:55 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=20611</guid>

					<description><![CDATA[<p>Here we go again. When news broke Feb. 27 that a Dow Jones database of 2.4 million businesses and individuals was left on a public server without encryption or password&#8230;</p>
<p>The post <a href="/dont-let-the-dow-jones-security-incident-happen-to-you-strategies-and-steps-for-vendor-risk-management/">Don&#8217;t Let the Dow Jones Security Incident Happen to You:  Strategies and Steps for Vendor Risk Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Here we go again. When news broke Feb. 27 that a Dow Jones database of 2.4 million businesses and individuals was left on a public server without encryption or password protection, it exposed one of cybersecurity’s most chronic and pernicious problems: risk from third-party vendors and contractors.</p>
<p>A Dow Jones spokesperson blamed an unnamed “authorized third party” for leaving the records unsecured on the Amazon Web Services-hosted Elasticsearch database. The data is part of Dow Jones’ <u><a href="https://www.fis.dowjones.com/marketing/products/watchlist.html">Watchlist</a></u>, which the company says is used by eight of the world’s largest financial institutions to identify high-risk clients and politicians.  The exposure spotlights an all-too-common issue &#8212; organizations focus on strengthening their own cybersecurity posture but maintain inadequate controls for third parties that have access to the client company’s network or sensitive data.</p>
<p>The Dow Jones incident is a particular head-scratcher because third-party risk isn’t exactly new news. Some of the most infamous breaches of recent years occurred after hackers gained access via an unsuspecting third party, including the “big bang” that first drew international attention to the problem: the 2013 <a href="https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031">attack</a> on Target that affected more than 41 million of the retailer’s customer payment card accounts. The attackers gained access through credentials stolen from a heating and air conditioning contractor.</p>
<p>In 2015, a massive server <a href="https://www.opm.gov/cybersecurity/cybersecurity-incidents/">breach</a> at the U.S. Office of Personnel Management (OPM) compromised sensitive personal information of about 21.5 million people. It occurred after attackers posed as an employee of an OPM subcontractor.  It’s now four years later, and these kinds of incidents keep happening.</p>
<p>The trend towards outsourcing and digitization means that a typical company can rely on dozens of vendors and contractors to perform important business functions. Understanding and managing the cybersecurity posture of what has become a shared ecosystem is crucial. A McKinsey <a href="https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world">report</a> has said third parties “might be the weakest link of a company’s value chain.”  There’s even an industry term for this development, <a href="https://www.marketwatch.com/press-release/vendor-risk-management-market-is-expected-to-exhibit-us-7-billion-by-2024-2019-02-26">vendor risk management</a>.</p>
<p>The most recent Ponemon Institute “Data Risk in the Third-Party Ecosystem” <a href="https://on.mktw.net/2C2qvPn">survey</a> of more than 1,000 security and risk professionals found that 59 percent of companies have experienced a data breach caused by a third-party partner – a 5 percent increase since 2017 and up 12 percent since 2016. “What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months,” the report said.</p>
<p>While the Dow Jones episode is yet another reminder of the business disruption and reputational damage that third-party breaches can cause, a new wrinkle is the possibility of incurring the wrath of regulators.  The European Union’s <a href="https://eugdpr.org/">General Data Protection Regulation</a> (GDPR) that went into effect in May 2018 includes a strict requirement that gives organizations 72 hours to report details about any type of breach or face fines. (The status of Dow Jones’ reporting to authorities wasn’t clear as of this writing.) The regulatory environment is toughening as well in the United States, where the <a href="https://www.caprivacy.org/">California Consumer Privacy Act</a> (CCPA) that was passed in 2018 and will be enacted in January 2020 includes similar rules. For example, consumers can learn what data an organization has collected about them, refuse the sale of or delete the data, and sue companies that don’t take reasonable steps to protect their data.</p>
<p>These regulations force organizations around the globe to accept new responsibilities in how they handle data. The use of third-party services such as <a href="https://www.itproportal.com/features/gdpr-in-the-age-of-saas-one-saas-vendors-journey-to-compliance/">SaaS applications like G Suite, Microsoft Office 365 and Salesforce</a> makes data privacy regulations even more complicated for technology, compliance, and management teams.</p>
<p>Of course, the issue of data protection is much larger than mandates such as GDPR or CCPA – it should be a core part of doing business. A good rule of thumb is to only store as much personal information as is absolutely required for the business or applicable laws. You do not need to worry about someone stealing data that you do not have stored.</p>
<p>Here are four key steps organizations should take to mitigate the risk of what happened to Dow Jones happening to them:</p>
<ol>
<li><strong>Map data workflows by charting what data is incoming and outgoing.</strong> This allows a company to granularly account for specific data types. Mapping provides a holistic view of an organization’s data and an ability to monitor sensitive information across the entire supply chain (and where any regulations might apply).</li>
<li><strong>Work closely with vendors to ensure cybersecurity strength.</strong> There is simply no choice but to ensure that strict, specific safeguards are in place. This should be a top priority for every organization that works with third parties, which is pretty much all of them.</li>
<li><strong>Understand the extent of your data protection responsibilities.</strong> Compartmentalize data based on whether you are processing it, transferring it and where you would be considered a controller of data. From there, you can segregate the security requirements.</li>
<li><strong>Fine-tune internal policies and processes.</strong> Develop an internal process and solution to ensure the strongest possible vendor risk management.</li>
</ol>
<p>As the Dow Jones incident has proven yet again, third-party risk is something that should keep company leaders up at night.</p>
<p><strong>About the Author:</strong></p>
<p><em>Mike Puglia brings over 20 years of technology, strategy, sales and marketing experience to his role as Kaseya’s chief strategy officer. He is responsible for overall customer marketing, management and development across Kaseya’s portfolio of solutions.  Previously Mr. Puglia has been at TimeTrade Systems and Salesforce.com.</em></p>
<p>The post <a href="/dont-let-the-dow-jones-security-incident-happen-to-you-strategies-and-steps-for-vendor-risk-management/">Don&#8217;t Let the Dow Jones Security Incident Happen to You:  Strategies and Steps for Vendor Risk Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Software Defined Access: The New Requirement for Remote Work Environments</title>
		<link>/software-defined-access-the-new-requirement-for-remote-work-environments/</link>
		
		<dc:creator><![CDATA[Etay Bogner]]></dc:creator>
		<pubDate>Thu, 18 Apr 2019 09:42:06 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=20563</guid>

					<description><![CDATA[<p>Technology is rapidly changing work as we know it. Work is no longer bound by a physical place or specific time. Organizations must adapt to a multigenerational labor force and&#8230;</p>
<p>The post <a href="/software-defined-access-the-new-requirement-for-remote-work-environments/">Software Defined Access: The New Requirement for Remote Work Environments</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Technology is rapidly changing work as we know it. Work is no longer bound by a physical place or specific time. Organizations must adapt to a multigenerational labor force and one that is more task oriented, target focused, and gig based. To ensure the productivity of remote workers, access to business applications, including email, video conferencing, customer databases and company files, as well as to additional network resources, is required. This has historically been achieved using a Virtual Private Network (VPN), which most commonly provides trust-based access to the business network over the Internet.</p>
<p>Today, larger enterprises have one or more virtual private network (VPN) solutions deployed and they remain one of the most important technologies in IT today. In fact, VPNs are absolutely crucial for cloud migration, supporting mobile employees and contractors, and for delivering security products like UTM, Secure Web Gateway, and Network Access Control – all very common in the enterprise network security stack.</p>
<p>However, the demands on VPNs are changing as IT requirements continue to evolve. As a result, some experts are predicting their demise, while others say they should be replaced by more advanced technologies. The bottom line is that even if the VPN is replaced with a different acronym, the need for an enterprise-grade secure communications channel is as real now as it was 20 years ago.</p>
<p><strong>Enter Software-Defined Perimeters: The Next Generation VPN</strong></p>
<p>It is clear that now is the time for a new generation of secure, remote access solutions&#8230;preferably, solutions that are designed for the era of cloud applications and mobile connectivity. Software-Defined Perimeter (SDP) solutions have entered the market and are now taking on this challenge. Work on SDPs began around 2007 within the Department of Defense and has evolved into a mainstream solution.  The Cloud Security Alliance created a working group that published a specification in April 2014.  The goal of SDPs is to prevent network attacks on the application infrastructure.  The unique capability of SDPs is they consider the perimeter as a solution that follows the user device wherever it is, rather than trying to protect a specific location like an office or data center.</p>
<p>Connectivity in an SDP is based on granting specific access upon verification that the device, identity, and role are authorized.  In addition to the “need-to-know” access model, the system requires cryptographic verification to ensure compliance.  In theory, the use of SDPs, which conceal the application infrastructure, should mitigate the most common network-based attacks, including server scanning, denial of service, SQL injection, man-in-the-middle, and cross-site scripting (XSS).</p>
<p>When considering SDP solutions as an alternative to VPNs, look for ones that address all of the key business needs discussed above. Many solutions focus exclusively on remote access. This is an acute need today for many organizations, but it’s best to invest in a solution that can upgrade all of your VPN requirements and manage them centrally, to significantly reduce the operational overhead.</p>
<p>Key considerations when selecting a software defined perimeter include:</p>
<p><strong>Software-Defined Access</strong></p>
<p>All SDP solutions provide software-defined access. Rather than the old approach of connecting users to the network, SDPs connect them to specific applications or network resources such as servers. Everything else is invisible to the user, and therefore isolated from threats on the endpoint. This kind of dynamic micro-segmentation is the core of Software-Defined Access, and when combined with advanced multi-factor authentication and continuous verification, it dramatically improves the security posture of the network.</p>
<p>SDP solutions simplify the process of defining access policies for IT, and for the end user, they make it easier to access all of the applications they need, without knowing which data center or cloud they are located in. There are generally two ways for users to connect &#8211; through a browser by simply clicking a link, and through an agent-based solution. Agentless solutions have a clear advantage when it comes to personal devices or contractors. But agents enable support for the full range of applications, secure internet traffic, and device posture-checks. Many organizations will need a combination of both approaches to meet all of their secure remote access scenarios.</p>
<p>Many basic SDP solutions are built on a proxy architecture, so they cannot replace the remaining functions of the VPN.</p>
<p><strong>Cloud-Delivered Network Security</strong></p>
<p>In addition to remote access, SDP solutions should address the second function of VPN &#8211; delivering internet security. With the majority of users working off-site and from unsecured locations, securing their internet traffic is more important than ever. In the broad sense, a “Software-Defined Perimeter” means that security is user-centric rather than site-centric, and includes all of the essential network security functions that IT delivers today, regardless of where the user device is located.</p>
<p>Leveraging the cloud, SDP solutions can deliver network security via a large network of Points of Presence (PoPs), and eliminate the latency issues and costs associated with backhauling internet traffic to the data center. When an SDP solution is implemented over a global cloud network, it’s possible to service-chain best-of-breed security products. For global organizations, this model simplifies network security without compromising on quality. At the same time, it offers a faster, more transparent user experience.</p>
<p><strong>Cloud and Hybrid Cloud Networking</strong></p>
<p>In the era of cloud migration, SDP solutions also have an important role to play in cloud networking. Just as site-to-site VPNs traditionally connected branches, today clouds must be connected to the data center, to branch offices, and to each other. An SDP solution based on a cloud network (NaaS) provides the connectivity that is often required for complex applications and services.</p>
<p><strong>As-a-Service Management and Delivery</strong></p>
<p>First-generation VPN solutions combined physical WAN infrastructure with the virtual private network. The new generation of SDP solutions makes a clean break, delivering a software-defined network that is completely independent of the physical network topology. While SD-WAN solutions have also made strides in this direction, they still connect branches to the datacenter. In contrast, full SDP solutions abstract the enterprise network as a set of users and resources. IT onboards them once, and then defines policies for connectivity and security. For example, policies can determine that an AWS cloud connects to an Azure cloud, or that a group of software developers can access a production environment in the datacenter, or that the sales team accesses the internet through a Secure Web Gateway.  This is a far simpler approach than managing and synchronizing VPN policies for every location.</p>
<p><strong>VPN vs SDP</strong></p>
<p>VPN may be a legacy technology, but its role in the organization is fundamentally unchallenged. In the years ahead, we will not see the end of life of VPNs, but rather their rebirth in the guise of SDP solutions that will deliver the same core capabilities in a way that is better designed for the era of cloud migration and mobile working.</p>
<p><em><strong>About the Author:</strong></em></p>
<p><em>Etay Bogner is the CEO and co-founder of <u><a href="http://www.metanetworks.com">Meta Networks</a></u>, a technology leader focused on helping organizations rapidly provide secure remote access for employees, contractors and partners to corporate applications and the internet.</em></p>
<p>The post <a href="/software-defined-access-the-new-requirement-for-remote-work-environments/">Software Defined Access: The New Requirement for Remote Work Environments</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Debunked: 5 Myths of Privileged Access Management</title>
		<link>/debunked-5-myths-of-privileged-access-management/</link>
		
		<dc:creator><![CDATA[Tim Steinkopf]]></dc:creator>
		<pubDate>Fri, 12 Apr 2019 01:10:24 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=20533</guid>

					<description><![CDATA[<p>From a cybersecurity standpoint, 2018 was a disaster. We saw three of the ten biggest data breaches of all time, according to USA Today: Marriott (500 million accounts), Under Armour&#8230;</p>
<p>The post <a href="/debunked-5-myths-of-privileged-access-management/">Debunked: 5 Myths of Privileged Access Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>From a cybersecurity standpoint, 2018 was a disaster. We saw three of the ten biggest data breaches of all time, according to USA Today: Marriott (500 million accounts), Under Armour (150 million) and Quora (100 million).</p>



<p>High-profile data breaches seemed to make headlines every day, as attackers continued their assault on companies that are not doing enough to protect themselves.</p>



<p>The onslaught continues in 2019, and we’ve already seen the exposure of 3.5 billion user profiles in the “Collection 1” leak, and subsequent “Collection 2-5” dump.</p>



<p>When attackers breach a network, that’s the easy part. They then immediately go about trying to secure as much privilege as possible so they can access the most critical infrastructure and sensitive data within the organization. A recent Centrify survey of 1,000 IT decision makers found that 74 percent of data breaches involved privileged credentials.</p>



<p>So attackers get inside, settle in and fan out, moving laterally around the network searching for specific target data. To successfully move and scan they are constantly on the hunt for privileged credentials and privileged access. Having figured out where the valuable data resides, it’s time to elevate privilege to exfiltrate the data and then cover their tracks to avoid detection…and possibly leave the door open to exfiltrate again.</p>



<p>Gartner has identified PAM on its Top 10 list of new projects for security teams to explore in 2019 (the second straight year PAM landed on this list), and the second-fastest growing area for estimated information security spending growth in 2019.</p>



<p>Why does Privileged Access Management remain a struggle for organizations trying to reduce risk and secure the leading attack vector? Part of it may have to do with inaccurate myths about PAM.</p>



<p><strong>Myth 1: Privileged Access Management means password vaulting and rotating passwords</strong></p>



<p>This is the one that we hear most commonly, and it’s a dangerously outdated mindset when you consider Forrester’s estimate that 80 percent of data breaches involved privileged credential abuse.</p>



<p>As traditional network perimeters dissolve, organizations must discard the old model of “trust but verify” which relied on well-defined boundaries. Instead, it’s time to adopt a Zero Trust mindset that mandates a “never trust, always verify, enforce least privilege” approach to privileged access.</p>



<p>Modern approaches to Privileged Access Management will invoke Zero Trust to help organizations grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing just-in-time privilege and just enough privilege, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise.</p>



<p>Organizations may consider approaching Privileged Access Management by solely implementing password vaults, leaving gaps that can easily be exploited. Zero Trust Privilege combines password vaulting with brokering of identities, multi-factor authentication enforcement and “just enough” privilege, all while securing remote access and monitoring all privileged sessions.</p>



<p><strong>Myth 2: “PAM? We took care of that 5 years ago…”</strong></p>



<p>What’s interesting about this myth is that the Centrify survey also found that 52 percent of respondents don’t even have a password vault. So clearly something is amiss.</p>



<p>But even if your organization did a PAM project 5 years ago – or even just 2 years ago – that doesn’t mean your organization is protected in the modern threatscape.</p>



<p>We now have attack surfaces that include infrastructure, DevOps, cloud, containers, Big Data and more. Legacy PAM solutions that just vault away shared accounts simply leave too many gaps to cover the expanding set of exposure points.</p>



<p>The Zero Trust Privilege maturity model starts with the very basics (discovering and vaulting shared accounts), but continues beyond the vault to include identity consolidation with least access and privilege, and reaches the mature stage by hardening your environment with high assurance.</p>



<p><strong>Myth 3: PAM is separate from Identity &amp; Access Management</strong></p>



<p>Here’s the thing that most people still don’t realize about data breaches: attackers are no longer hacking in, they’re logging in using our own weak, stolen or otherwise compromised credentials against us (think phishing and social engineering). And we’re making it easy on them by continuing to use unnecessarily weak passwords and not using Multi-Factor Authentication, which can make things a lot harder for attackers.</p>



<p>Instead, we’re now at a point where we have to assume that the bad actors are already in our networks. That’s why you see the groundswell around Zero Trust, which takes on even more importance when it comes to privileged access credentials.</p>



<p>We also have to assume that attackers are already in the network, which makes a stronger case for Zero Trust approaches to Identity &amp; Access Management across the board.</p>



<p><strong>Myth 4: PAM is only about compliance</strong></p>



<p>Forrester analyst Chase Cunningham has some interesting ways of describing the difference between having a security strategy, and being compliant.</p>



<p>“Compliance is a seat belt on a 747. You’ve got to have it to back away from the gate, it’ll probably help you if you hit some turbulence on the way. However, if things go really bad, does anyone really think a three-inch strip of nylon is going to make you walk away from a plane crash? Absolutely not. Compliance is not a strategy.”</p>



<p>Yes, compliance is an important part of any PAM initiative. Being compliant is important across any department in any organization.</p>



<p>But compliance is not a strategy, and any modern enterprise facing an endless onslaught of attacks seeking to leverage compromised privileged credentials must have a sound strategy. A recent Centrify survey found that 51% of respondents implement PAM because of a stronger desire to adhere to best practices, which is only 2% higher than the 49% whose objective was to meet compliance mandates.</p>



<p><strong>Myth 5: Zero Trust is just a fad</strong></p>



<p>Okay, so this one is not really a PAM myth, but if you’ve read this far you know that a Zero Trust approach is the best way to protect privileged credentials from being exploited.</p>



<p>While the spotlight has started to shine on Zero Trust a lot more over the past year, the concept is not new. The roots of Zero Trust go back at least to 2010, when John Kindervag (then a Forrester analyst) created the concept and it was initially adopted by Google as part of its BeyondCorp initiative.</p>



<p>But over time, Zero Trust has emerged as a philosophy, approach, and framework that has been proven to help reduce risk of identity-based attacks. Yes, it seems like every cybersecurity company under the sun is now a “Zero Trust” company, and not all of them can validly make that claim. However, when it comes to Zero Trust and Privileged Access Management, the benefits are clear.</p>



<p>Privileged accounts are the “keys to the kingdom” for any organization, and the goal of any hacker looking to profit from cyber-attacks. That is not going to change any time soon. What should change, however, are attitudes and postures to secure privileged credentials with Zero Trust, and stop data breaches.</p>
<p>The post <a href="/debunked-5-myths-of-privileged-access-management/">Debunked: 5 Myths of Privileged Access Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Don&#8217;t Let Complexity Get the Best of You</title>
		<link>/dont-let-complexity-get-the-best-of-you/</link>
		
		<dc:creator><![CDATA[Ruvi Kitov]]></dc:creator>
		<pubDate>Wed, 13 Feb 2019 17:10:56 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=20204</guid>

					<description><![CDATA[<p>Computer networking has always evolved at a rapid pace, but it seems to be accelerating at a far greater rate today, resulting in unprecedented challenges for network security managers. The&#8230;</p>
<p>The post <a href="/dont-let-complexity-get-the-best-of-you/">Don&#8217;t Let Complexity Get the Best of You</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Computer networking has always evolved at a rapid pace, but it seems to be accelerating at a far greater rate today, resulting in unprecedented challenges for network security managers.</p>
<p>The advent of the Internet has brought unprecedented access and the cloud has increased the speed of development and delivery. Now, containers and microservices provide the framework to reuse code and speed up the pace of business even further.</p>
<p>Today, business simply moves faster than in the past, and IT often struggles to keep pace. Network security managers need to deal with multiple platforms, multiple vendors and a never-ending stream of individual devices connecting to their company’s network. Making it work in a way that’s secure and compliant, while giving employees the access they need, is a major challenge.</p>
<p>Managing for Growth…<br />
Between physical networks, cloud networks, hybrid IT and mobile devices, there is a fast-growing number of connection points to your network that need to be managed and secured to ensure compliance with policies and regulations.</p>
<p>But business rarely stands still. An enterprise’s network security team can face hundreds of access change requests every week. Given the size of today’s corporate networks and the number of changes requested each day, those requests quickly become overwhelming for a team to manage manually. Trying to keep pace means changes go in unchecked, and the rule base fills up with unused, redundant and overly permissive rules, eroding the integrity of the network.</p>
<p>As the number of network connections and the volume of change requests increase, the number of related tasks that need to be factored into the network security team’s workflow also grows. From recertifying rules on a regular basis, to deploying new applications and ensuring access, to removing access to old machines (decommissioning a server), juggling all of these requirements (and more) is the job of network security management today.</p>
<p>…and Security<br />
Ask any network security manager to quickly name their biggest concern, and despite the need to enable rapid growth and integrate a number of different network endpoints, it’s likely they’d all have the same answer: ensure security is achieved despite all the changes. Network security managers are expected to protect their company’s networks – but do so in a way that still enables employees to efficiently and easily do their jobs. Security must be everywhere without being prohibitive.</p>
<p>With network fragmentation and cloud implementations increasing, combined with a growing number of users and devices, there is increased potential for human error, even in a simple network configuration. Every slight change to the environment – intended or not – can have a critical effect across the entire network. Any misconfigurations or forgotten access rules can create a hole in your secure network – one that can be exploited by cybercriminals, leading to compromised customer data, damaged reputation and ultimately, the loss of customers.</p>
<p>The network itself has also fundamentally changed. Companies no longer rely on a physical data center; public clouds and hybrid cloud networks have rapidly become critical elements of IT infrastructure. Hybrid networks are not always visible to the network security team, complicating the ability to understand the network topology, maintain application connectivity and ensure security.</p>
<p>So, how can a network security manager get a handle on the intricacy of today’s corporate networks and make sure they remain both agile and secure?</p>
<p>Segmentation and Automation to Manage Complexity<br />
One way that network security managers can gain control of their networks is to embrace policy-based network segmentation. The idea behind segmentation is that your entire network is split into separate zones – with the benefit being that if an attacker enters the network through a certain area they’d only be able to access that area, or zone. The threat is contained and prevented from spreading to other areas of the network, which limits the potential for disaster. This method requires access privileges to be spelled out specifically through a network security policy for all those that use the network legitimately.</p>
<p>This method can be successful – but setting it up and maintaining it adds a new level of effort to an already difficult-to-manage network. With each zone you create, you also create an opportunity for policy misconfigurations through human error that could cause the security issues you’re trying to prevent.</p>
<p>That’s why, to achieve segmentation and correctly maintain it, you need to incorporate automation and orchestration alongside it. Using automation and orchestration, companies can enforce the network security policy consistently across every part of the infrastructure, whether it is expressed as firewall rules over IP ranges and subnets or as security groups in public and private clouds. The same tooling can check each proposed change against the policy before it is implemented, so that future modifications stay secure and compliant rather than being verified after the fact.</p>
<p>Automation and orchestration of network policies ensure that you will be able to make secure and compliant changes across your entire network – without compromising agility, risking human error, or wasting your network security team’s valuable time on tedious, easily automated tasks. The network change and implementation processes can be streamlined and secured.</p>
<p>Today’s corporate networks are complex and constantly changing – that’s the reality every network security manager must deal with. It’s imperative to ensure that you’re setting yourself up to successfully make the correct decisions so changes do not put your organization at risk. Network security policy automation and orchestration will help you do so, while also improving visibility and compliance.</p>
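<p>To make the “segmentation plus automation” idea concrete, here is an added example (it is not code from this article or from any vendor product) of the kind of check an automated policy engine performs on every change: it reads a rule base in enforcement order and flags allow rules that are overly permissive, that violate a zone-to-zone policy, that an earlier rule already covers (redundant if the action is the same, shadowed if it differs), or that have never matched traffic and are due for recertification or decommissioning. The zones, permitted flows, rules and hit counts are constructed for illustration.</p>

```python
"""Audit a firewall rule base against a zone-segmentation policy.

Added example for this article; it is not code from the article or from
any vendor product. Zones, allowed flows, rules and hit counts are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional

# Segmentation policy (constructed): named zones and the only zone-to-zone
# flows the policy permits. Everything not listed is denied.
ZONES = {
    "users": ip_network("10.10.0.0/16"),
    "web":   ip_network("10.20.0.0/24"),
    "db":    ip_network("10.30.0.0/24"),
    "mgmt":  ip_network("10.99.0.0/24"),
}
ALLOWED_FLOWS = {            # (src_zone, dst_zone) -> permitted destination ports
    ("users", "web"): {443},
    ("web", "db"):    {5432},
    ("mgmt", "web"):  {22},
    ("mgmt", "db"):   {22},
}


@dataclass
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # None means any port
    action: str            # "allow" or "deny"
    hits: int              # hit counter exported by the enforcement point


def zone_of(cidr: str) -> Optional[str]:
    """Zone whose prefix fully contains `cidr`; None for 'any' or unknown space."""
    if cidr == "any":
        return None
    net = ip_network(cidr)
    for name, prefix in ZONES.items():
        if net.subnet_of(prefix):
            return name
    return None


def _covers_addr(a: str, b: str) -> bool:
    """True if address spec `a` contains every address in `b`."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(b).subnet_of(ip_network(a))


def covers(a: Rule, b: Rule) -> bool:
    """True if rule `a` matches every packet rule `b` would match."""
    return (_covers_addr(a.src, b.src) and _covers_addr(a.dst, b.dst)
            and (a.port is None or a.port == b.port))


def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Evaluate rules in order (first match wins) and group findings by type."""
    findings: Dict[str, List[str]] = {
        "overly_permissive": [],  # allow with any source, any destination or any port
        "policy_violation": [],   # allow for a zone pair/port the policy does not permit
        "redundant": [],          # fully covered by an earlier rule with the same action
        "shadowed": [],           # fully covered by an earlier rule with a different action
        "unused": [],             # zero hits: candidate for recertification or removal
    }
    earlier: List[Rule] = []
    for r in rules:
        if r.action == "allow":
            if r.src == "any" or r.dst == "any" or r.port is None:
                findings["overly_permissive"].append(r.name)
            elif r.port not in ALLOWED_FLOWS.get((zone_of(r.src), zone_of(r.dst)), set()):
                findings["policy_violation"].append(r.name)
        for prev in earlier:
            if covers(prev, r):
                key = "redundant" if prev.action == r.action else "shadowed"
                findings[key].append(r.name)
                break
        if r.hits == 0:
            findings["unused"].append(r.name)
        earlier.append(r)
    return findings


# Constructed rule base, in enforcement order.
SAMPLE_RULES = [
    Rule("users-to-web-https", "10.10.0.0/16", "10.20.0.0/24",  443,  "allow", 120_000),
    Rule("web-to-db-pg",       "10.20.0.0/24", "10.30.0.0/24",  5432, "allow", 88_000),
    Rule("users-to-db-direct", "10.10.5.0/24", "10.30.0.0/24",  5432, "allow", 3),
    Rule("web-to-db-pg-dup",   "10.20.0.0/25", "10.30.0.0/24",  5432, "allow", 0),
    Rule("old-jump-host-ssh",  "10.99.0.0/24", "10.20.0.50/32", 22,   "allow", 0),
    Rule("legacy-any-any",     "any",          "any",           None, "allow", 54),
    Rule("deny-all",           "any",          "any",           None, "deny",  900),
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_RULES).items():
        print(f"{kind:18s} {', '.join(names) or '-'}")
```

<p>Run the file and the audit prints one line per finding type. In practice the hit counts come from the firewall’s or cloud provider’s own counters and the ALLOWED_FLOWS matrix is the written segmentation policy, so the same function can gate a change request before it is pushed rather than only audit the rule base afterwards.</p>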
<p>The post <a href="/dont-let-complexity-get-the-best-of-you/">Don&#8217;t Let Complexity Get the Best of You</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Stopping the cat-and-mouse game</title>
		<link>/stopping-the-cat-and-mouse-game/</link>
		
		<dc:creator><![CDATA[Tal Zamir]]></dc:creator>
		<pubDate>Wed, 23 Jan 2019 01:35:42 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=20102</guid>

					<description><![CDATA[<p>If I were a cyber attacker, I wouldn’t go after just any user. I’d target privileged users. They are the people who hold the keys to the kingdom, so to&#8230;</p>
<p>The post <a href="/stopping-the-cat-and-mouse-game/">Stopping the cat-and-mouse game</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If I were a cyber attacker, I wouldn’t go after just any user. I’d target privileged users. They are the people who hold the keys to the kingdom, so to speak – the sensitive information, the crown jewels. They have supervision and control over the enterprise’s servers, endpoints, databases, and customer and employee information. And they present the most efficient way to get to the heart of any enterprise.</p>
<p>Privileged users might be domain administrators, database administrators, network administrators. Depending on the size and type of the organization, their numbers could range from a dozen, to a hundred, or even thousands of people.</p>
<p>It’s not hard to get to these users. I would start by going through LinkedIn or other social media and public sites to learn exactly who they are and how I could reach them. And then I would send them an email, perhaps impersonating someone they trust or defer to, or use some other technique to get something executable running on their machines.</p>
<p>After I find my way onto their machines, I could remotely control those endpoints and do whatever they, in their privileged roles, can do. Once I get my hands on all the privileged information they hold, it’s pretty much game over for that enterprise.</p>
<p>The hacker wins.</p>
<p>Of course, many people would say privileged users are, by the nature of their jobs, technologically knowledgeable and cognizant of risks. So why would they fall victim? The reality is, at the end of the day, they are still human. And I think we all agree that humans are the weakest security link in any organization.</p>
<p>What, then, is a foolproof way to manage this risk?</p>
<p><strong>Two platforms</strong></p>
<p>Prior to establishing my company, I spent six years with the Israeli Ministry of Defense performing cybersecurity functions. My colleagues and I were very much aware of this problem.</p>
<p>We also knew that even the most sophisticated, high-grade, latest endpoint security solutions would never be enough to protect the organization. All the efforts to detect hackers and stop them from doing what they intend to do prove futile because in the end, it is humans themselves who make machines vulnerable to attacks.</p>
<p>The apparent solution: give each privileged user two separate machines, one for the sensitive crown jewels and another for internet access and everything else. The two-device approach is very common, not only in the military but in enterprises around the world. It’s also very cumbersome, to say the least, because people have to switch between two machines all the time, and even lug two laptops around. Believe me, I did this for my work as a developer at the time. I was not happy with it but felt we had to do it to keep our sensitive information safe.</p>
<p>This created a new pain point of inconvenience – and spurred in me an idea I eventually pursued, honed, tested, and improved at Hysolate.</p>
<p><strong>Can you trust your OS?</strong></p>
<p>Enterprises in any industry try to protect their crown jewels in a myriad of ways. In addition to using security tools and agents, they also impose limits on what even an administrator can do – you can’t visit this URL, you can’t install this app, you can’t use this drive.</p>
<p>But there is an inherent tradeoff in all this. Your administrators will feel restricted by all the limitations. Their productivity will take a huge hit, while their frustration level rises. And many will eventually try to find a workaround &#8211; a way to do what they need for their jobs, anyway. When they do this, especially given this privileged status, you are vulnerable all over again. Trainings aimed at educating users abound, but they are not fool-proof.</p>
<p>Not even the most experienced administrator would be beyond believing an email from their CEO asking them to open an attachment or click a link because she needs their help.</p>
<p>Meanwhile, more and more security gaps and holes will emerge, and the enterprise will never be able to guarantee that it will be secure from cyber risks.</p>
<p>So, I go back to the principle of isolation – working on two distinct systems. But not two separate devices.</p>
<p>Instead, you can run multiple virtualized OSes on the same endpoint device. If you keep your sensitive work in a dedicated, privileged OS that runs in its own virtual machine, everything you do on it is isolated from the other OS by the hypervisor: the general-purpose OS used for internet access and the rest of your corporate work never shares a kernel, file system or browser with it. The strength of that isolation rests on the hypervisor itself, so keeping it small, patched and out of reach of the untrusted OS is what makes the design hold.</p>
<p>Your users won’t have to switch between two machines anymore, or carry multiple devices. They get a seamless transition from one OS to another. We call this approach software-defined endpoints. It’s a win-win situation: You can rest easy because even if your privileged users slip up and fall prey to phishing attacks, for instance, your crown jewels will remain protected because they are in another fully isolated OS. And your users gain the freedom to be so much more productive and work in the ways they are accustomed.</p>
<p>Enterprises’ efforts to anticipate attacks and educate privileged and other users about how not to fall prey to cyber attacks will never end, because hackers are ingenious and will always come up with innovative, clever ways to get into their endpoint devices. It’s a cat-and-mouse game that will never end. Only complete OS isolation paired with user productivity enhancements will address this risk, once and for all.</p>
<p><em>Tal Zamir is CEO and co-founder of Hysolate.</em></p>
<p>The post <a href="/stopping-the-cat-and-mouse-game/">Stopping the cat-and-mouse game</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Shifting Your Cybersecurity Strategy to Stop People-Centric Threats</title>
		<link>/shifting-your-cybersecurity-strategy-to-stop-people-centric-threats/</link>
		
		<dc:creator><![CDATA[Security Current]]></dc:creator>
		<pubDate>Sat, 03 Nov 2018 08:57:04 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19921</guid>

					<description><![CDATA[<p>Keeping companies safe from determined cybercriminals is an everyday battle as threats continue to evolve and business practices change. For many security teams, the question remains: What steps should organizations&#8230;</p>
<p>The post <a href="/shifting-your-cybersecurity-strategy-to-stop-people-centric-threats/">Shifting Your Cybersecurity Strategy to Stop People-Centric Threats</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="western">Keeping companies safe from determined cybercriminals is an everyday battle as threats continue to evolve and business practices change. For many security teams, the question remains: What steps should organizations take today, and what should they anticipate tomorrow?</p>
<p class="western">According to Bhagwat Swaroop, EVP of email security for global cybersecurity company Proofpoint, the threat landscape has shifted away from traditional hacking of computers and networks. Now there are targeted attacks against people, specifically tricking users into clicking on nefarious content or taking an ill-fated action. These technically simple yet customized attacks often use social engineering to con people into becoming unwitting accomplices.</p>
<p class="western">As a result, organizations need to look beyond firewalls and filters and adopt a “people-centric” approach to enterprise security.</p>
<p class="western">While the nature of today’s cyberthreats has shifted, the main attack vector remains email. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), email served as the main entry point in 96 percent of data breach cases. Because of this dynamic, Swaroop believes it is crucial that organizations prioritize security resources around their biggest challenge and most vulnerable communication channel, email.</p>
<p class="western">Compounding the problem, employees can’t always recognize fraudulent emails aimed at stealing their credentials or getting them to wire funds. “While the security team is rightfully concerned with putting security solutions in place, it only takes one employee to unwittingly click on one suspicious email to let the bad guys in,” Swaroop notes. “That human tendency is just one reason why every security program needs to include security awareness training as part of its strategy.”</p>
<p class="western">Earlier this year, Proofpoint commissioned a survey which found that 77 percent of global IT decision makers believe that their company is either “likely” or “very likely” to be targeted by email fraud in the next year. Email fraud attacks generally don’t contain malware payloads, but do resemble actual company emails by employing the same wording, logos, and familiar references to impersonate a trusted entity. They can also spoof real identities by masking fraudulent addresses.</p>
<p class="western">“Social engineering is easy for bad guys to do,” Swaroop says. “They simply conduct search engine or LinkedIn research on their potential victim. It’s much easier and far less expensive than cracking an encrypted database or finding a backdoor into a corporate network. Why would cybercriminals go through the trouble of trying to break through the door when an employee can open it from the inside with a simple click? That’s why phishing campaigns are particularly prevalent now – they’re quick, easy, cheap, and highly effective.”</p>
<p class="western">Phishing attacks are also very effective in industries that regularly deal with outside vendors. “If I get an email from somebody in the same company, I might already know the individual and can always pick up the phone and confirm that the person who sent me the email is the person I know,” Swaroop says.</p>
<p class="western">But when you work in a large network of sister companies, partners, outside vendors or third-party suppliers, you often must trust strangers at face value. Transactions happen at arms’ length, and the employees making the payments are not always the employees with the relationship to the organization, making verification a more cumbersome task.</p>
<p class="western"><b>Attackers’ mindset</b></p>
<p class="western">Once they’re in, what are attackers after? While their motives are often financial in nature, there are other possibilities as well. These include accessing embarrassing information, mapping out an organization’s organizational chart for future attacks, hijacking an email conversation, obtaining trade secrets, or stealing intellectual property.</p>
<p class="western">“It’s a spectrum,” Swaroop says. “Whatever the motive, the cost and difficulty for launching a phishing attack is marginally low – almost zero. For the victims, however, it’s a different story.”</p>
<p class="western">Often when an employee’s personal information is stolen, it has lasting consequences. One of the most insidious things about phishing attacks is how swift they can occur without the victim’s knowledge. There’s also the residual damage inflicted onto others. “One compromised employee can expose their entire company to the same threat—all it takes is one click,” Swaroop says.</p>
<p class="western"><b>Doing something</b></p>
<p class="western">So, what is the ideal security solution? Foremost, Swaroop believes organizations must think from an attacker’s perspective and understand who is being targeted, through what means, and their role in the company.</p>
<p class="western">Attackers typically pursue people with access to important data and those who are likely to make a mistake and expose a critical cache of information. Once organizations understand who among their employees are the most targeted, they can develop a people-centric security strategy to best protect them. Keep in mind at some companies a compliance officer might be a bigger target than the COO. It’s all about who can access what data.</p>
<p class="western">“In the end, it’s a numbers game. Think about an organization being targeted by hundreds of attacks. If there are methods you can put in place that automatically block 95 percent of those attacks in the cloud before they hit the email gateway, then your security team is working with a much more manageable number,” Swaroop says.</p>
<p class="western">Organizations should also put systems in place like sender authentication, dynamic email classifications, machine learning capabilities and display name spoofing defense techniques. They should be on the lookout for any shady domain names that almost match a website. It’s also important to complement security technology with consistent employee security awareness training.</p>
<p class="western">“Each of these best practices protects a certain percentage of attack vectors,” Swaroop said. “A combination of all these techniques applied together should put organizations in a better position to prevent email fraud.”</p>
<p>The post <a href="/shifting-your-cybersecurity-strategy-to-stop-people-centric-threats/">Shifting Your Cybersecurity Strategy to Stop People-Centric Threats</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Foremost, be Forthright: Communicating in the Event of a Cybersecurity Incident</title>
		<link>/foremost-be-forthright-communicating-in-the-event-of-a-cybersecurity-incident/</link>
		
		<dc:creator><![CDATA[Security Current]]></dc:creator>
		<pubDate>Thu, 11 Oct 2018 09:03:54 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19837</guid>

					<description><![CDATA[<p>by Jeff McAndrews, Partner, and Kirsti McCabe, Managing Director, Finsbury Discovering that your company’s cybersecurity has been compromised is likely among the worst nightmares for any CISO. What do you&#8230;</p>
<p>The post <a href="/foremost-be-forthright-communicating-in-the-event-of-a-cybersecurity-incident/">Foremost, be Forthright: Communicating in the Event of a Cybersecurity Incident</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>by Jeff McAndrews, Partner, and Kirsti McCabe, Managing Director, Finsbury</p>
<p>Discovering that your company’s cybersecurity has been compromised is likely among the worst nightmares for any CISO. What do you do first? How do you share the news with the people who matter most to your business and the success of your operations? Where do you even begin?</p>
<p>As a CISO, your immediate priority will likely be to identify any technical issues that led to the incident and consider ways to track the culprit, minimize the impact to your customers and prevent further attacks. But another important point to consider is what exactly do you say about it? What role can the CISO play more broadly in supporting and informing those communications with internal and external stakeholders? What do communications professionals consider in making these determinations?</p>
<p>If we had an overarching piece of advice to share with companies on how to deal with the communications fallout from a cybersecurity incident, it would be this: Be forthright.</p>
<p>The potential for the disruption of IT systems, exposure of sensitive customer information or attacks on infrastructure are not just operational risks in today’s digital age, but reputational risks. Companies are routinely assessed on how they respond to such incidents and how they are able to minimize damage to customers, the business and the brand. A critical component of this effort is how they communicate about the incident with external stakeholders.</p>
<p>First – the world is not against you. Consumers expect companies to go to great lengths to secure their information, but they also understand that the landscape is complicated and that a cyberattack can happen even to the best of organizations.</p>
<p>The public is less understanding, however, when they think companies do not have a grip on the situation or are obfuscating the facts. People will be even less forgiving if the company tells them it has the situation under control and that the consequences of the attack are contained – only to find out later that things are actually much worse.</p>
<p>Against this backdrop, there are many steps you can take to help enable rapid, effective and accurate public communications in the event of a cyber incident.</p>
<p>Have a plan.<br />
Before ever experiencing a breach, the most important thing a CISO can do to prepare for communicating about an incident is to ensure a robust rapid-response, notification and escalation plan is in place. Having such a plan spares you from deciding, in real time and in the middle of a crisis, what steps to take and which issues to escalate to whom and when. It is hard to make good decisions under those circumstances; mechanisms agreed in advance accelerate decision-making and support rapid, accurate communications. Development of such a plan should include:</p>
<p>Establishing a senior working group – including representatives from legal, communications, public policy, regulatory affairs, operations, human resources and the CISO – who will coordinate with each other on gathering the facts and developing internal and external messages in response to the crisis. The plan should provide a contact list to indicate how key people can be contacted after office hours.</p>
<p>Appointing a spokesperson who will explain what happened and what is being done to address the problem, and answer questions through public updates. The key people who will communicate with customers and internal stakeholders should also be identified beforehand.</p>
<p>Preparing in advance draft public statements, messages, questions and answers and other audience-specific materials, addressing various potential cyber incidents. These can be modified to include facts specific to the situation as the details become available, but thinking through and building consensus around a message platform beforehand puts a company ahead of the game when a crisis hits.</p>
<p>Creating a decision tree that clearly identifies who has the authority to make decisions on when to act or what to say.</p>
<p><strong>Get out in front of the issue…</strong><br />
In general, it is always prudent to be proactive and disclose the issue to key audiences as soon as practical (unless there is a risk this will impede efforts to identify the perpetrators). It is better if you control the narrative rather than other actors, say, through an internal leak or a similar disclosure through an involved third-party. If you take too much time to disclose that there has been a security breach – especially in cases where personal or financial data may have been compromised – the perception of a “cover-up” can oftentimes be more damaging from a reputational perspective than news of the breach itself.</p>
<p><strong>&#8230;but don’t overstate – at least until you have all of the facts.</strong><br />
It is important at the outset to be credible and demonstrate to critical audiences that you are on top of the situation as best you can. But if you don’t get your facts and your narrative straight, people may begin to question your credibility or your ability to manage the situation.</p>
<p>In rapidly evolving situations like a cyber breach, sometimes it’s better to acknowledge what you don’t know rather than overstate what you think you may know. Early on in a situation, sometimes the best you can say is that you discovered a problem, you are investigating it, you are doing everything you can to take countermeasures and you will provide more information when you have more details.</p>
<p>Resist the urge to make premature claims or promises. Do not rush to say only a few thousand accounts have been affected, for example, only to discover later that 20 million accounts have been affected or that significant personal or financial data were stolen.</p>
<p>Above all, being forthright and clear can play a critical role in helping reassure your external stakeholders.</p>
<p><strong>Take responsibility.</strong><br />
Taking responsibility does not necessarily mean that the CEO, CISO or other pertinent officers of the company must resign or take other drastic measures. Rather, it may mean simply acknowledging the lapse, expressing regret for what happened, vowing to remedy the situation and taking steps to prevent a reoccurrence.</p>
<p>An early acknowledgment of accountability and visible efforts to contain the damage can go a long way in assuaging public concerns.</p>
<p><strong>Know how to reach your customers and address their needs.</strong><br />
As a company manages and investigates a breach, it is essential to communicate concrete steps being taken to help any customers you may have, especially those who have been affected. Make sure that you do this in a manner that is simple and easy to access. One misstep during a recent cybersecurity issue happened when a company offered credit protection consumers had to pay for, aggravating the negative perceptions.</p>
<p>It’s also useful to provide channels through which consumers can get information and ask questions, so they feel they are being heard. Before a real crisis, stress test these channels, such as your website or call center, to ensure they work and have sufficient capacity for a sudden surge of activity.</p>
<p>Do you know where your customers turn to find news and information? Do they use a lot of social media? If so, tailor your messages and use these channels to reach them more effectively. If, on the other hand, they are inclined to use traditional channels, follow those as well.</p>
<p><strong>Learn from the mistakes of others.</strong><br />
It is just as important to know what not to do. Consider lessons from other incidents.</p>
<p>Last year’s breach at credit reporting agency Equifax is instructive. Company leaders had known about the security incident since July but did not disclose it until September. The initial estimate of the problem was inaccurate; the number of affected consumers ended up being significantly higher. When the company did offer consumers credit protection, they could not easily access it, as the website kept crashing.</p>
<p>These missteps stand as lessons for how not to respond during a time of crisis.</p>
<p>For security professionals and corporate executives, the fallout of a data breach can be severe. It can take a significant toll on the company’s reputation and operations. It can hit shareholder value and even trigger job losses as people scramble to lay blame. The good news is the story does not need to unfold that way. Many companies are able to recover from a crisis if they take responsibility, are honest with their stakeholders and deliberate with their actions.</p>
<p><em>Jeff McAndrews and Kirsti McCabe specialize in crisis and reputation management, financial communications and strategic media outreach at Finsbury, a leading global strategic communications firm. </em></p>
<p>The post <a href="/foremost-be-forthright-communicating-in-the-event-of-a-cybersecurity-incident/">Foremost, be Forthright: Communicating in the Event of a Cybersecurity Incident</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Write a Great CISO Resume – Know What to Include</title>
		<link>/how-to-write-a-great-ciso-resume-know-what-to-include/</link>
		
		<dc:creator><![CDATA[Matt Comyns]]></dc:creator>
		<pubDate>Tue, 25 Sep 2018 22:11:23 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19739</guid>

					<description><![CDATA[<p>Managing Partner, Caldwell Partners The Chief Information Security Officer (CISO) job has changed significantly in the last couple of years. It has historically been more of a lower-level, tactical IT&#8230;</p>
<p>The post <a href="/how-to-write-a-great-ciso-resume-know-what-to-include/">How to Write a Great CISO Resume – Know What to Include</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Managing Partner, Caldwell Partners</p>
<p>The Chief Information Security Officer (CISO) job has changed significantly in the last couple of years. It has historically been more of a lower-level, tactical IT job, but now has become a higher-level strategic, business-oriented role around enterprise risk management. With that shift in the job responsibilities, the specifications have changed, and therefore how you write your resume should change accordingly.</p>
<p>This primer will provide guidance on how to write a winning resume to help land your next role as a strategic CISO. The most important thing is to demonstrate that you have what is required for today’s CISO position. As you look back through your career, think about how to translate your experiences into a story of what companies want today.  Even if you have had that more technical bent in your previous roles, companies now are interested in your business acumen, your communication skills, and your leadership skills, including how to influence others—in other words, your “softer” skills.</p>
<p>With that in mind, here are some points you want to convey as you highlight your career history:</p>
<ul>
<li>What you learned in your previous roles about leadership and management</li>
<li>How you demonstrated that you have strong business acumen and have used security strategies as a business enabler</li>
<li>How you helped your business colleagues manage their risk</li>
<li>How you used your influencing skills to get people to do things they didn’t necessarily want to do</li>
<li>If you are part of the management team, how you have demonstrated “executive presence,” such as presenting before the board or C-level executives</li>
<li>How you brought about positive change for your organizations</li>
</ul>
<p><em>Tell a good story</em><br />
The story that must come across is how you bridge the business and technical components of the role—how you are technical but also a leader and an executive manager. Be sure to highlight the unique experiences (at the time) you had in all of your moves. For example, “My team implemented the first cloud security program” or “I built the Security Operations Center from scratch.”<br />
As a differentiator, you can seed your resume with trending hot topics that you have experience with, such as cloud security, privacy, artificial intelligence, machine learning, blockchain, and so on.<br />
Otherwise, your resume should contain the standard fare with as much accuracy and transparency as possible: the companies you worked for, the dates, the job titles, your education. If you feel comfortable, talk about the reporting structure in your jobs, as in “I reported to the CIO.” List the specifics of what you managed. For example, “I managed a team of 20 people and we were responsible for the cybersecurity strategy, policies and operations.”<br />
If you’ve had a lengthy career, the last 15 years in particular are the important ones. For the job roles prior to that, simply list the company, your job title and the dates. There’s no need for any other details about older jobs; they would just make the resume that much longer.<br />
Speaking of length, try to keep your resume to two pages, three at the maximum. No one has time to read a five-page resume. The discipline of the economy of words will help you highlight the most meaningful information. Content is far more important than form.</p>
<p><em>Explain yourself, if necessary</em><br />
If you have made a lot of moves in your career – what we call a “jumpy” career – you need to take extra care to explain the moves. In general, employers are wary of people who don’t stay in their jobs very long. For example, a change in companies might be the result of an acquisition, not an actual change in jobs. You might say, “I was at ABC company for 18 months and then XYZ company for 2 years, but it was all the same job. ABC was acquired by XYZ during my tenure.” Such an explanation shows that you are more stable than your resume may make you appear.<br />
You want to list your education and any relevant additional courses, certifications or training. For example, “I attended the CISO Academy presented by the FBI,” or “I hold the CCISO certification.” If you didn’t earn a full college degree, it’s fine to mention that in the resume if you explain why. “I was in my fourth year of college when my father passed away. I left school to take care of my family, and I haven’t gone back to complete my degree.” It’s not important that you didn’t finish, as long as there is a good reason why.<br />
Most people conclude their resume with the standard line “references upon request.” If you can, list the people who are your references—especially if you have someone who is well known and respected in the industry. People want to know who you are close to. It matters, so consider who you use for your references.</p>
<p><em>Beyond the resume</em><br />
There are interesting aspects of your career that won’t go on your resume, but you should be prepared to talk about them if you get an interview. For instance, your motivations, what you are good at, what your strengths are, what career lessons you took away from each job role you’ve had. These are great discussion points that you should bring up if the interviewer doesn’t ask.<br />
Make sure your LinkedIn page is current with your experiences. In fact, I recommend you focus as much on your LinkedIn page as on your resume, as many recruiters and prospective employers will find you and learn about you online first before ever seeing your resume. You should be updating your LinkedIn profile every month to reflect the new things you are doing. Make it as real-time as you are. The people in your network matter, too, as employers might take this as a sign of your relevancy. Your network in security is really important because it takes a village to build a secure enterprise.<br />
As you write/update your resume, keep in mind that employers want to see that you are on the right trajectory to be their next CISO. They want to see that you have progressed and learned and have had increasing levels of leadership and responsibility. If you tell a good story, you will be that much closer to the next big step in your career ladder.</p>
<p><em>Caldwell Partners is one of the world’s premier providers of executive search and has been for more than 45 years. Matt Comyns is managing partner of the firm’s Cyber Security Practice. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cyber security consultants for leading professional services firms and top executives for cyber security technology companies.</em></p>
<p>The post <a href="/how-to-write-a-great-ciso-resume-know-what-to-include/">How to Write a Great CISO Resume – Know What to Include</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>No longer an afterthought: Security analytics takes its place in business strategy</title>
		<link>/no-longer-an-afterthought-security-analytics-takes-its-place-in-business-strategy/</link>
		
		<dc:creator><![CDATA[Security Current]]></dc:creator>
		<pubDate>Fri, 10 Aug 2018 07:28:22 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19636</guid>

					<description><![CDATA[<p>There are two philosophical schools as to how companies can protect their system. They can either do it prescriptively, telling people what they can or cannot do. The problem with&#8230;</p>
<p>The post <a href="/no-longer-an-afterthought-security-analytics-takes-its-place-in-business-strategy/">No longer an afterthought: Security analytics takes its place in business strategy</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>There are two philosophical schools as to how companies can protect their systems. They can either do it prescriptively, telling people what they can or cannot do.</p>
<p>The problem with this, says Igor Baikalov, PhD, chief scientist for Securonix, is that it limits the business. “Security that impacts the business this way really does not work.”</p>
<p>The second approach, he believes, is something that enables the organization.</p>
<p>“Eventually, companies realize that they need to get better risk visibility, analyze behavior, and have situational awareness.”</p>
<p><b>Threats from within</b></p>
<p>This view involves using algorithms and models to know what is not normal for a user, a system or a particular application. Essentially, companies build a “normal” profile and then watch out for any deviations from normality. “This would often indicate some kind of malicious behavior,” he says.</p>
<p>And indeed, while plenty of threats come from the external environment, insider threat is also very real – and very prevalent.</p>
<p>“We have seen case after case, data breach after data breach, that is caused by insiders, whether it is malicious or accidental.”</p>
<p>Bad guys penetrate the perimeter through network devices or social engineering such as phishing or credential sharing. They use these credentials and identities to do something bad on a network.</p>
<p>Because of this, companies must be mindful of whoever has access to enterprise assets and knows the security measures. “Only an insider will find it easy to circumvent these measures, get access to the information, and then eventually get the information out of the network,” Baikalov says.</p>
<p>Various tools allow for monitoring of a wide range of activities, including swiping cards, using particular doors to get to the office, arriving and leaving at the usual time and coming to work on weekends.</p>
<p>Cyber behavior can be measured and analyzed.</p>
<p>It’s a red flag when somebody deviates from an established pattern.</p>
<p><b>Countering resistance</b></p>
<p>“Perhaps ten years ago it was difficult to have this conversation with the customer. The common opinion at that time was ‘I trust my employees so I feel bad about monitoring them,’” Baikalov says.</p>
<p>But recent breaches show the involvement of insiders, who may even have no idea that they have been used by malicious actors who hijack their credentials.</p>
<p>“These events help us explain to the customer that by monitoring their employees, we detect activity that deviates from the pattern and prevent such incidents.”</p>
<p>Every company has the right to monitor its people as a condition of employment. “There is nothing really that specifically violates privacy laws in this respect.”</p>
<p>And just as each company has a distinct culture, so do different regions and legal environments. “In Europe, for instance, there are certain expectations of privacy that are different from the US,” he says. “A lot of that depends on the type of legal environment – the privacy laws and other regulations. In Europe it is amplified tenfold as far as ownership and access to personal data.”</p>
<p>The difference can easily be resolved by providing guarantees. For instance, companies can mask the data so that the analytical tools do not expose the personal data of the users in the system. In many countries with strict privacy laws, for example, only the analysts and their agent can see the information in a remote-analysis environment. On premises, access is given to a very limited number of people at a specific location.</p>
<p><b>Collecting, connecting</b></p>
<p>It’s one thing to collect information, and quite another to make sense of the seemingly unrelated data points and show how they connect to one another. “At some point we need to be able to use the same language to describe the threat models,” Baikalov says.</p>
<p>It is not just big companies, or those that belong to, say, the Fortune 100, who have the appetite for mature security in the form of analytics. Aside from federal agencies, or those in finance, healthcare or energy, more and more small but security-conscious customers are using analytics to help them protect their information and infrastructure.</p>
<p><b>AI and good old housekeeping</b></p>
<p>Looking ahead, Baikalov says artificial intelligence will play a big part in the security battles of the future, both for attackers and defenders.</p>
<p>“Many of the attacks now use some type of advanced algorithms to drive data. They will be in computer time, so you also have to be able to create a system that can respond fast. Remember – the attackers just have to be right once, while the defenders have to be right one hundred percent.”</p>
<p>The challenge, he emphasizes, is for defenders to respond at this speed and eliminate the human factor as much as possible without affecting the enterprise. “Bear in mind the impact on business.”</p>
<p>Despite the exponential increase in speed, and the greater cost of the assets that are being protected, old attack vectors will persist. Breaches will happen because security patches were not applied, controls were misconfigured, a port was left open or default passwords were not changed. “The absolute majority of the attacks will be caused by poor cyberhygiene and poor maintenance of the systems, not some sophisticated attack.”</p>
<p>How, then, to stay ahead?</p>
<p>Baikalov estimates that 80% of the effort has to go to basic things: making sure that systems are patched, networks are in order, devices are up to date and security best practices are followed.</p>
<p>Fortunately, security is no longer an afterthought for an increasing number of businesses. Security is taking its place in business decisions. It is becoming recognized as a strategic issue. And why not? “Security breaches can affect, even destroy, companies.”</p>
<p>The post <a href="/no-longer-an-afterthought-security-analytics-takes-its-place-in-business-strategy/">No longer an afterthought: Security analytics takes its place in business strategy</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Path of Least Resistance: Security in the Media and Entertainment Industry</title>
		<link>/the-path-of-least-resistance-security-in-the-media-and-entertainment-industry/</link>
		
		<dc:creator><![CDATA[Security Current]]></dc:creator>
		<pubDate>Wed, 18 Jul 2018 01:53:36 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19558</guid>

					<description><![CDATA[<p>When Jonathan Halstuch, CTO of RackTop Systems, started providing security solutions to media and entertainment industry 18 years ago, material like videos and photos needed to be physically transported from&#8230;</p>
<p>The post <a href="/the-path-of-least-resistance-security-in-the-media-and-entertainment-industry/">The Path of Least Resistance: Security in the Media and Entertainment Industry</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>When Jonathan Halstuch, CTO of RackTop Systems, started providing security solutions to the media and entertainment industry 18 years ago, material like videos and photos needed to be physically transported from one place to another for storage, sharing and processing.</p>
<p>“You had to know how to safely move the data from where you are shooting or capturing the footage to a location where it can be reviewed and processed. You had to do this quickly and safely,” he said.</p>
<p>Since then, technology has allowed for digital transfer of information. This, however, has created enormous challenges to media companies in securing the integrity of the material.</p>
<p>But while media firms recognize that security means adopting corporate methods through which different people can collectively work on files, there are some realities they must contend with – the sheer size of the files, the need to outsource some of the work to smaller, less secure entities, and the fact that the methods they may choose are cumbersome and thus not too useful to their staff.</p>
<p>“The order of the day is making the secure path the path of least resistance,” he says.</p>
<p><strong>Problematic solutions</strong></p>
<p>While there remains a smattering of companies who still have a physical notion of security, more and more media and entertainment industry players recognize the increasing need for collaboration across geographies. They know that security means adopting corporate methods by which they could collectively work on and transmit files from anywhere in the world.</p>
<p>Unfortunately, most of these approved corporate methods are cumbersome and, some users say, counterproductive. “Usually these approved methods are not good enough for what they want to do,” Halstuch says.</p>
<p>As a result, people use some other consumer product to share and collaborate instead of the approved methods.</p>
<p>At the Creative Storage Conference held early June in Culver City, California, Halstuch spoke with his peers about the need to come up with a solution and a workflow that is easy enough to use so that people would not resist it.</p>
<p>“If employees start putting data in a system that the company is not even aware of, then that shared data is out there, exposed – and you never know what can become of it. Companies need their people to use the approved solutions so they can keep track of what data is being shared,” he says.</p>
<p><strong>(Big) crown jewels</strong></p>
<p>Banks protect the financial information of their clients and prevent any unauthorized transactions involving these funds. Healthcare companies guard their clients’ health and payment histories. Each industry has its so-called crown jewels. For media and entertainment, there are several kinds of prized information that players have to protect at all costs.</p>
<p>These are stories, raw footage or photos, the file sizes of which are ten or a hundred times larger than what other industries work with. Imagine the size of an hour-long piece – you don’t typically have that in banking or healthcare.</p>
<p>“So you have these very large files, and you want to be able to share these files quickly and easily with people as you work on it. Certainly you don’t want these going out prematurely, or outside of the official channels, because you lose revenue that is rightfully yours,” he says.</p>
<p>“You do this by making sure you don’t move the file often, or keep it secure when you do.”</p>
<p><strong>Challenges for the future</strong></p>
<p>The big studios have invested a lot in security, and they have mature and sophisticated ways to protect their data.</p>
<p>But these big studios do not do all of the work. Sometimes they contract some of the work to smaller supporting studios and agencies, for example for subtitles or language tracks. These smaller studios do not have the same level of sophistication in security and compliance infrastructure.</p>
<p>“I see this practice persisting, so these smaller studios need to have an easy-enough way to be compliant and secure and able to protect their data. They need to get tools that, for their size, are usable and manageable and will create a secure content supply chain,” Halstuch says.</p>
<p>This has to happen so the adversary does not target the weaker link.</p>
<p>“It is now easier to do security, so what we are hoping is that smaller studios will find a solution that can make them as secure as the big ones.”</p>
<p>The post <a href="/the-path-of-least-resistance-security-in-the-media-and-entertainment-industry/">The Path of Least Resistance: Security in the Media and Entertainment Industry</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
