Known vulnerabilities pose biggest IT security threats

Cyber risk report cites server misconfigurations as the No. 1 vulnerability.

It’s often said, “There’s nothing new under the sun.” And that appears to be the case in the world of cybersecurity where hackers most often exploit known vulnerabilities to gain access to private computer files, according to HP’s 2015 Cyber Risk Report. Maintaining strong computer security, the report says, is largely a process of plugging up known holes.

While newer exploits may generate more press, the report found that in 2014 the majority of attacks had exploited common misconfigurations of technologies and known bugs in code written years ago. The report found that 44% of breaches came from vulnerabilities that are two to four years old.

“Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager of enterprise security products at HP. Gilliland urges organizations to use fundamental security tactics to mitigate risk.

According to the report, server misconfiguration was the number one vulnerability of 2014. Access to files and directories provide attackers with crucial information for additional avenues of attack and to determine if their method of attack was successful.

One thing is for sure: the rate of malware attacks is accelerating. AV-Test, an independent anti-malware testing organization, collected 83 million malware samples in 2013. That number almost doubled in 2014 to 140 million and is expected to break 200 million in 2015.

The key takeaway from the report is that security analysts should devote substantial resources to plugging up known holes while also being conscious of possible new lines of attack as new technologies are put in place. These new technologies are important as hackers increasingly focus on finding holes in point-of-sale (POS) and Internet of Things (IoT) technologies.

The HP report also found successfully secured enterprise environments employ complementary protection technologies. A mentality that assumes a breach will inevitably occur instead of only working to prevent intrusions seems a likely best practice. Successfully secured enterprises use all available tools and do not rely on a single product or service.

Some of the report’s tactical recommendations include:

  • Implementing a comprehensive patching strategy to keep all systems up to date
  • Using regular penetration testing and configuration verification to identify potential issues
  • Understanding new lines of potential attack that may be introduced in the installation of new technology
  • Keeping up with the security industry to learn about attacker’s tactics

The report concludes the pace of technology advancement is becoming more rapid, and with that comes the challenge of maintaining security and privacy.

While the escalation in cyberattacks seems relentless, organizations can greatly reduce their risk of breach by upgrading equipment, plugging known vulnerabilities, and listening to security pros for new developments. Employing a variety of security measures can help create a highly functioning network that maintains strong privacy and security for individuals and the company.


This article was originally posted on Network World.

Image credit Cutcaster.

Michelle Drolet published in Web Security Journal – Know When to Onboard a Virtual CISO

Know When to Onboard a Virtual CISO


Towerwall Founder and CEO Michelle Drolet’s latest article “Know When to Onboard a Virtual CISO” is featured in the Web Security Journal. Read more below:

A virtual Chief Information Security Officer (CISO) can be an invaluable asset to your company. The virtual CISO provides your business with a person who will be in charge of the electronic security aspects of your company. You will have an executive in place that will not only oversee your electronic security, but will also define it.

Because the CISO is virtual, which means they work off-site, they cost only a small fraction of what a full-time, on-site person would cost. You get all the benefits of having an executive director of security without having to pay the additional money to keep on at your office and pay all the liability insurance and benefits that are associated with making a hire of that nature.

With a virtual CISO, you have someone who can perform jobs that are mandated by government compliance regulations. Anyone who works with the cyber security aspects of your company will report directly to this person, who will oversee the entire operation. Your virtual CISO will not only make sure your company is in compliance, he or she will also work to reduce cyber security risks to your company, making it safer and more secure for both you and your clients.

When you consider all of the benefits a CISO brings, you must ask yourself if your company can afford to not have one.


Click here to read the entire article on Web Security Journal >

Are Mobile Apps Putting Your Data at Risk?

Frequently, companies don’t realize that the mobile apps they use are reason for concern. Once their data is breached, they begin to investigate. However, there are telltale signs that indicate an insecure mobile app. If you know what to look for, you may be able to avoid a catastrophic data breach.

Mobile apps are everywhere and their benefits are many, offering functionality, flexibility and increased productivity. These apps have altered the way we do business. Unfortunately, all of these benefits do come at a price. As a business owner, how can you be sure that the mobile apps you and your staff access are secure? According to the most recent report from Lookout, the malware encounter rate in the US is at 7%. Estimates indicate that the number of Android devices affected by malware is more than 6 million.


The Bring Your Own Device (BYOD) Trend is Reason for Concern

Some companies are following the BYOD trend, but this practice has brought about some critical security concerns that need to be addressed. According to the Ponemon Institute’s Cost of Data Breach Study: Global Analysis, a security breach can be costly.  Average costs for a breach increased by 15% in 2014, reaching $3.5 million.

Rigorous checks on mobile security must be implemented and adhered to. A solid Mobile Device Management (MDM) policy is essential for every company.


Data Leaks

One obvious sign that an app might be malicious is atypical data access patterns. These patterns are concerning because some apps record your unencrypted data so it can be sent to a designated server. Once there, ruthless business rivals or cyber-criminals may collect your data. This transfer of sensitive data is very common and frequently goes unnoticed.

Excessive data usage or unexpected charges on a cell phone bill may signify the presence of malware. You need to monitor the amount of data each app uses. If you find suspicious activity, flag it. If you establish an audit trail, you will have a clear picture of data usage.


Inability to Encrypt Corporate Data

It is unrealistic to think that employees will follow an MDM policy prohibiting them from installing apps on their devices. This is especially true if the device belongs to the employee. You can mitigate the data leakage problem and user installed malware issues by ensuring that all your corporate data is encrypted and remains inside a secure container.


Insecure Transfers

Although cloud-based services are a convenient option when transferring files, if your staff is using a third-party app there is no guarantee that your files are secure. According to a new Netskope report, 88% of cloud apps being used as part of the BYOD trend are unsafe. This report also states that 15% of employees’ credentials have already been compromised.

If you do not have a system that secures the transmission and employs the encryption of your files, you may be unknowingly leaking data everywhere.


Unauthorized Users

This is an obvious risk to the security of your data. If you decide to allow mobile devices to access your network remotely, then you need to take the appropriate steps to authenticate the user.


Mobile Apps are Not Tested to Ensure Security

Enterprise app development focuses on business value, as opposed to security. For this reason, you need to consider professional penetration testing. It can uncover vulnerabilities and weaknesses you may have overlooked.

Building effective security is much less expensive and easier to do during the development of an app. You should consult with an expert to ensure that security testing remains an important portion of your software development process from the beginning.


This article was originally published in Network World.

Image credit Cutcaster.

Throw your vendor under the bus? Not quite so fast



Tips for your third-party risk management program

Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor […] Recall that the Target breach also started with a hacked vendor…” — Brian Krebs, Krebs on Security
In everyday business, a complex set of external relationships is commonplace. Services, infrastructure, and even software live in the cloud, supplied by third-parties. An organization’s value is often in the data it generates, but how secure is that data across your digital supply chain? Do your external vendors and partners adhere to your security standards? How do you know for sure?
They may have filled out a questionnaire and ticked your compliance boxes. But, if a legal or regulatory issue comes up down the line, or there’s a serious data breach, that questionnaire is not going to save you from exposure. Trust your partners, but make sure you verify. There’s no substitute for comprehensive due diligence and you must continue to monitor partners for as long as the relationship lasts.

What are the risks?

There’s a lot to consider here, and you have to remember that your third-party vendor isn’t necessarily accountable to your industry regulators in the same way you are. That could lead to some serious legal exposure for your company. Can you answer these questions?

  • Who is your data being shared with and what security protocols are in place? Does your third-party vendor sub-contract or outsource to other parties? What are their security protocols?
  • Are the same standards being met across the company in every data warehouse and office? What about offshore operations?
  • How do you establish the authenticity of your incoming data? Do you have an audit trail?

You could have the best security in the world and it could all be rendered worthless, because a hacker or a data thief can bypass it and gain entry through a smaller, less secure, third-party partner. Cyber criminals probe for weaknesses to find the path of least resistance and they’ll jump at any chance to sneak in the backdoor.

Taking a deep dive

It’s not realistic to have a moat around your organization anymore. There are too many business benefits to sharing information and improving accessibility for your employees, but you need to have confidence in the vendors you choose. Trust is earned.

You need a real risk assessment strategy. Hire an outside company to get an unbiased view of your vendors. Engage experts that can identify likely issues, test the checklist claims, help you mitigate the risks, and continue to monitor your partners to ensure standards are maintained.

Plan ahead and stay secure

Decide on your security posture as early as possible, and build the necessary risk assessment into your screening process. It should factor into the decision-making when you are shopping for new partners. Consider your requirements and create a security profile that covers everything including physical security, applications, IT services, malware protection and detection, wireless devices, user policies, and anything else that’s pertinent to your data and project. What’s the plan if and when a data breach does occur? The more you nail down upfront, the better your chances of handling an incident with minimal damage and exposure.

Don’t take it on trust when the vendor ticks all the boxes, have an assessor test them out at random. If you do discover issues then consider presenting a plan for remediation. Your security assessor can help you with practical suggestions and you may find that your vendor is willing and able to take the necessary steps to comply. A good partner will collaborate with you to mitigate any identified risks. It’s much better to find problems at the outset when there’s time to solve them before any damage has been done.
That initial check gives you a snapshot, but you really need a real-time overview if you want to manage your third-party risk properly. Evaluation should be ongoing and your security requirements must evolve to reflect the changing nature of your business and the continuous flow of new threats emerging.

Protect your data integrity

Ultimately, if you’re going to trust a third-party vendor with your data then you need to be sure that they are adhering to your security standards, and the only way to do that is by putting them to the test.

Full rules for protecting net neutrality released by FCC

The US Federal Communications Commission (FCC) on Thursday lay down 400 pages worth of details on how it plans to regulate broadband providers as a public utility. These are the rules – and their legal justifications – meant to protect net neutrality.

They were passed last month, and details have been eagerly anticipated. The main gist of the lengthy document released on Thursday are these three new rules:

  • No Blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices.
  • No Throttling: broadband providers may not impair or degrade lawful internet traffic on the basis of content, applications, services, or non-harmful devices.
  • No Paid Prioritization: broadband providers may not favor some lawful internet traffic over other lawful traffic in exchange for consideration of any kind – in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

The document’s introduction sets the scene for justifying net neutrality, with a description of the innovation that flourishes under unfettered traffic flow, such as the growth of Netflix streaming (it’s now the number one business in North America when it comes to sending out peak downstream traffic), Etsy having grown from $314 million in merchandise sales in 2010 to $135 billion 3 years later, and new innovative businesses such as CBS and HBO with their upcoming cable-subscription-free streaming plans and Discovery Communications with its planned “over-the-top” service providing bandwidth-intensive programming.

These innovations are downright award-winning, the FCC said, dropping in a mention of Amazon taking home two Golden Globe awards for its new series “Transparent.”

To keep fueling the country’s economy, an open internet is crucial, the FCC said:

It must remain open: open for commerce, innovation, and speech; open for consumers and for the innovation created by applications developers and content companies; and open for expansion and investment by America’s broadband providers. For over a decade, the commission has been committed to protecting and promoting an open internet.

But just how this economic engine gets regulated is one of the crucial questions.

Specifically, which regulations of Title II of the Communications Act – the legal underpinnings of the commission’s move to regulate broadband – will it enforce?

The FCC’s document addresses the concerns that have arisen over the Commission possibly moving away from its goal of “ubiquitous availability of broadband to all Americans” that’s been set out in previous classification decisions, confirming that it will be using a light regulatory hand, as has beenrequested by President Obama.

The FCC bent over backwards – as it has done repeatedly – to try to convince critics that it won’t be heavy-handed.

FCC Chairman Tom Wheeler said in an accompanying statement that Title II powers that are off the table include mandatory universal service contributions, rate regulations, or a return to local loop unbundling.

Wheeler also went to pains to make it clear that the light regulatory touch will let innovation flourish, similar to how wireless has been regulated:

Let me be clear, the FCC will not impose 'utility style' regulation. We forbear from sections of Title II that pose a meaningful threat to network investment, and over 700 provisions of the FCC’s rules. That means no rate regulation, no filing of tariffs, and no network unbundling. During the 22 years that wireless voice has been regulated under a light-touch Title II like we propose today, there has never been concern about the ability of wireless companies to price competitively, flexibly, or quickly, or their ability to achieve a return on their investment.

The New York Times has provided excerpts from the rules, along with analysis, that provides a deep dive into the many wrinkles of the new rules.

Here are a few of the salient details:

  • The rules cover mobile devices.
  • The commission might not get involved in price-setting, but it will retain authority to ensure consumer privacy. From the new rules:

    Section 222: Protecting Consumer Privacy. Ensuring the privacy of customer information both directly protects consumers from harm and eliminates consumer concerns about using the internet that could deter broadband deployment. Among other things, Section 222 imposes a duty on every telecommunications carrier to take reasonable precautions to protect the confidentiality of its customers' proprietary information. We take this mandate seriously.-Paragraph 53

  • Internet “fast lanes”, otherwise known as “paid prioritization”, have been banned. That doesn’t mean that the FCC is going to focus on things like Netflix slowdowns, though; rather, the commission seems to be focused on traffic from providers like Comcast and Verizon, while Netflix slowdowns come down to interconnection disputes.
  • The FCC will decide what’s acceptable on a case-by-case basis, opening the door for what’s anticipated to be loads of legal analysis and litigation.

It will take some time for lawyers to wade through the new rules, but AT&T, for its part, put out a terse statement that mentions possible legal action:

Unfortunately, the order released today begins a period of uncertainty that will damage broadband investment in the United States. Ultimately, though, we are confident the issue will be resolved by bipartisan action by Congress or a future FCC, or by the courts.

The two dissenting commissioners’ opinions were included along with the new rules.

Here’s an excerpt of Ajit Pai’s arguments against them:

This is not only a radical departure from the bipartisan, market-oriented policies that have served us so well for the last two decades. It is also an about-face from the proposals the FCC made just last May.

So why is the FCC changing course? Why is the FCC turning its back on internet freedom? Is it because we now have evidence that the internet is not open? No. Is it because we have discovered some problem with our prior interpretation of the law? No. We are flip-flopping for one reason and one reason alone. President Obama told us to do so.

And from Michael O’Rielly:

Today a majority of the Commission attempts to usurp the authority of Congress by rewriting the Communications Act to suit its own "values" and political ends. The item claims to forbear from certain monopoly-era Title II regulations while reserving the right to impose them using other provisions or at some point in the future. The commission abdicates its role as an expert agency by defining and classifying services based on unsupported and unreasonable findings. It fails to account for substantial differences between fixed and mobile technologies. It opens the door to apply these rules to edge providers. It delegates substantial authority to the Bureaus, including how the rules will be interpreted and enforced on a case-by-case basis. And, lest we forget how this proceeding started, it also reinstates net neutrality rules. Indeed, it seems that every bad idea ever floated in the name of net neutrality has come home to roost in this item.

Michelle Drolet quoted in TechTarget

Our Michelle Drolet is quoted in TechTarget’s article “Four ways DevOps can boost AWS security“. Read more below:

Many IT teams believe security belongs to someone else. Building security into the DevOps process can be a tricky but rewarding move.

Combine the “It’s not my job” belief that many IT administrators have about security tasks with the relentless pressure to release more applications and updates on a public cloud, and you have a recipe for security disaster. And in organizations where DevOps teams lead the charge, securing the public cloud becomes even trickier.


Click here to read the entire article on TechTarget >