[metaslider id=2951] … Read More
Archives for February 2018
By Stu Sjouwerman – February 28th, 2018
Warwick Ashford, security editor at ComputerWeekly had an interesting observation after reading CyberArk’s latest cyber threat report:
“Organisations are failing to learn from cyber attacks, and lax security practices are leaving organisations worldwide open to damaging cyber attacks”
“Respondents said the greatest cyber security threats they currently face are targeted phishing attacks (56%),insider threats (51%), ransomware or other malware (48%), unsecured privileged accounts (42%), and unsecured data stored in the cloud (41%).
There is a worrying lack of action by businesses to improve security following an attack across the global technology industry, according to the latest cyber threat report by privileged account security firm CyberArk.
The report also highlights poor practices concerning cloud and endpoint security, and from security professionals themselves, putting sensitive data, infrastructure, assets and even employers at risk.
Every organization has something of value to a cyber attacker, and greater investments in cloud technologies and DevOps processes mean the attack surface is expanding exponentially, and attackers continue to target and exploit privileged accounts, credentials and secrets to accomplish their goals, the report said.
Nearly half (46%) of IT security professionals rarely change their security strategy substantially, even after experiencing a cyber attack, according to a CyberArk-commissioned poll of 1,300 IT security decision makers, developers and line of business owners in seven countries.
This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk, the CyberArk report said.
The survey also revealed that while 89% of IT security professionals believe securing an environment starts with protecting privileged accounts and more than four in 10 cite it as a top security risk, more than a quarter (28%) are not putting this knowledge into action.
Demands for flexibility
The proportion of users who have local administrative privileges on their endpoint devices increased from 62% in 2016 to 87% in 2018, a 25% increase the report said could indicate that employee demands for flexibility have been allowed to trump security best practices.
The survey findings suggest security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats and the resultant impact on the business.
This inertia is reflected in the fact that 46% of respondents said their organisation cannot prevent attackers from breaking into internal networks every time it is attempted, 36% said that administrative credentials are stored in Word or Excel documents on company PCs, and half admitted their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics.
The report notes that the automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, the report said these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities.
The survey shows that while organisations increasingly recognise this security risk, they still have a relaxed approach towards cloud security, with half of organisations polled having no privileged account security strategy for the cloud and more than two-thirds (68%) relying on built-in security capabilities.
“There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud suppliers are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes,” the report said.
Overcoming cyber security inertia, the report said, requires cyber security to become central to organisational strategy and behavior, not something that is dictated by competing commercial needs.
According to the survey, 86% of IT security professionals feel security should be a regular board-level discussion topic, and 44% said they recognize or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74%) in the US.
However, only 8% of companies continuously perform red team exercises to uncover critical vulnerabilities and identify effective responses. Investing in regular red team exercises could help determine where to focus efforts and prioritize risk reduction, the report said.
Rich Turner, European vice-pesident at CyberArk, said cyber attackers are often able to penetrate traditional perimeter defences when targeting organisations that have not moved with the times. This was cross-posted with grateful acknowledgements.
Report: 52% of companies sacrifice security to expedite projects
Organizations can be exposed to vulnerabilities when professionals prioritize a deadline over security, according to research from Threat Stack.
- 52% of companies admit to cutting corners on security to meet a project deadline. — Threat Stack, 2018
- 68% of executives said their CEO doesn’t want the security or DevOps teams to do anything that could slow a project down. — Threat Stack, 2018
More than half of companies admit to loosening security measures to expedite projects or meet deadlines, a new Threat Stack report found.
In a survey of over 200 executives, 52% said their company had prioritized a deadline or objective over the firm’s security. The emphasis on speed over security could leave holes in a project, leaving a company vulnerable.
The focus on speed comes from pushback on both sides of a project, the report found. Over two-thirds—68%—of respondents said their CEO asks the DevOps and security teams to not do anything that would slow a project, while 62% said their operations team sometimes fights new security efforts.
The majority of respondents said SecOps is important for their organization, but only 35% said it was a complete or mostly complete project at their company. At 18% of companies, SecOps isn’t established at all, the report found.
“The vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security,” Brian Ahern, Threat Stack CEO, said in the press release.
Most of the challenges come from organizational alignment, the report found, as DevOps and security teams might be operating in different silos.
The discrepancy suggests companies should agree and focus on security to ensure their company remains safe, even under pressure from a deadline or the competition. More at: https://www.techrepublic.com/article/report-52-of-companies-sacrifice-security-to-expedite-projects/#ftag=RSS56d97e7
We’ve seen tremendous advances in technology over the last 15 years or so, but security continues to struggle as much today as it did a decade ago.
A large part of the problem is that security professionals and their leaders have bought into myths that hamper their ability to move their organizations forward and achieve maturity – the kind of maturity that’s necessary to be able to survive and recover from a cyber attack.
In no particular order, here are the four myths that security organizations need to stop believing and how they should move forward.
Myth #1: Cybersecurity risk can be eliminated
As a security professional, you know this isn’t true, right? Cybersecurity risk cannot be eliminated. It can only be managed. However, judging by the enormous sums of money companies waste attempting to achieve impenetrability, it seems this myth has life in it yet.
The problem is at the top: Senior executives and Board of Directors don’t understand the nature of cyber security. They think if they throw enough money at the problem, it will go away. But we know that’s not the case. Senior executives and Board of Directors must be educated on the inevitable nature of a cyberattack and how that risk is managed.
Myth #2: There’s a cybersecurity silver bullet somewhere-we just haven’t found it yet
Nothing will prevent your organization from being the target of a cyberattack. There isn’t a single technology solution, employee training/awareness program, insurance policy, contractual agreement, or anything else that can protect your organization 100% from a cyberattack.
The best you can do is implement a balanced, yet strategic risk management program that enables the CEO to stand in front of the executive suite and explain with confidence, “We understand our risk exposure, and we have the ability and financial resources to recover from an event should the inevitable happen.”
Myth #3: The security organization effectively operates as a silo
How much success has your security organization had to date? If it’s operating in a silo, that success is limited. Yes, the security person is primarily responsible for cyber security, but he/she can’t do it alone. To be effective, security must be a team sport. This team includes the employees who handle employee training and awareness, people who oversee business continuity and operations, staff who purchase cyber insurance, the lawyers who contract with clients and suppliers and, of course, the C-suite and Board of Directors. These groups need to work together to the same end, otherwise there will always be gaps in your security posture.
Myth #4: Regulatory compliance = security
It amazes me that organizations continue to use regulatory compliance requirements as the primary framework for their cybersecurity efforts. While newer regulations and frameworks like the NIST Cyber Security Framework and New York Department of Financial Services guidelines are risk-based, the vast majority of organizations I speak to aren’t using them appropriately. Organizations need a maturity-based cyber risk management framework with short-, medium-, and long-term benchmarks. The framework should be reviewed and updated quarterly and tested annually.
It can be difficult to explain to the Board the inevitability of a cyber attack, or to align disparate groups to work toward the same objective. But these things must be done if organizations are going to actually improve their security posture and mature their security programs. It’s time security professionals are honest with themselves-and with upper-management-and start making real progress toward resiliency.
KnowBe4, Inc, the world’s largest security awareness training and simulated phishing platform, this week announced it has successfully completed a Service Organization Controls (SOC) 2 Type I examination for the hosted phishing and training product lines, which help organizations address the human sources of risk associated with phishing attacks.
With System and Organization Control audits (SOC) becoming more and more necessary to retain and engage new customers, many service companies are unsure whether a SOC 1 or SOC 2 audit will be suitable. Even though these audit exercises are largely the same from a procedural standpoint, they serve very different purposes for the customers. In this respect, companies ought to understand the differences between soc1 vs soc2. Created for entities operating in the rapidly expanding technology and cloud computing sector, SOC 2 compliance is an industry-standard in data security compliance. In pursuit of this industry-leading certification, organizations undergo a rigorous analysis that can include the following trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
“Achieving this certification demonstrates our continued commitment and investment in larger compliance efforts to exceed enterprise standards and expectations with respect to data security,” said Stu Sjouwerman, Founder and CEO of KnowBe4.
360Avanced, Inc., an independent and qualified security Assessor in St Peterburg, FL, conducted the audit of KnowBe4’s platform, testing the suitability of design of controls, with a focus on security, availability and confidentiality principles in line with strict criteria.
The purpose of SOC standards are to help provide confidence and peace of mind for organizations and their third-party partners. KnowBe4 earned the SOC 2 certification because it has sufficient policies and strategies that are designed to satisfactorily protect their customers’ data.
For more information about KnowBe4’s security practice, visit: https://www.knowbe4.com/security
Employee training is a top priority for improving security, according to 35% of CISOs polled by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Infrastructure upgrades and network defence were also named as top priorities by 25% of respondents, followed by breach prevention (17%).
Infrastructure upgrades, network defence and breach prevention are prioritised mostly by CISOs reporting into a technical function like chief information officer (CIO), according to the first FS-ISAC CISO cyber security trends report.
Employee training is a priority mainly for CISOs reporting into a non-technical function like the chief operations officer (COO) or the General Counsel.
The report, which is aimed at helping leaders and businesses understand cyber security trends across the globe, said while cyber security used to be handled in the server room, it is now a board room topic.
The survey found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis.
In the era of increasing security threats and vulnerabilities, the report said CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defences are a priority.
As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organisational spotlight, the report said.
However, the study found that that two-thirds of CISOs do not report to the CEO, and that the top cyber chain of command is more likely to be the CIO, followed by chief risk officer (CRO) and then COO. Only 8% said they report to the CEO.
FS-ISAC recommends training employees should be prioritised for all CISOs, regardless of reporting structure because employees serve as the first line of defence.
Employee training should include awareness about downloading and executing unknown applications on company assets, also in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments, the report said.
FS-ISAC also encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an “at the ready” risk posture and that cyber practices are clear to board members.
As the threat landscape shifts, FS-ISAC recommends that CISOs have expanded reporting responsibilities or dual-reporting responsibilities in the corporate structure to ensure critical information flows freely.
Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making, the report said
Patching and security training programs will thwart attacks more effectively than anything else. You’re already doing them. Here’s how to do them better.
An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear make it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money and nothing you do otherwise will provide a better defense.
The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.
Change your security focus
Most computer security defenders focus on the wrong things. They focus on specific threats and what they did after hackers broke in, not how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen different ways that they initially exploited an environment, including:
- Unpatched software
- Social engineering
- Password attacks
- Physical attacks
- User errors
- Denial of service
Focusing on and reducing these root exploitation causes will help you significantly defeat hackers and malware.
If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.
So, what are the biggest root exploitation causes in most environments? Unpatched software and social engineering.
Without a doubt, these two root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these root exploitation methods has likely been behind any big attack that has made news in the mainstream media. In my experience, when a company of any size or even the military suffers a big attack, it’s can be traced to one of those two root causes.
Your company’s experience may vary, and if it does, you can ignore this article. The biggest problems for the majority of readers are unpatched software and social engineering. If they fix those two things, it will do more to decrease security risk than all the other things they could do combined.