
CISO, customer experience, Data Privacy, Data Protection, Digital Identity, fraud, Fraud Prevention, Fraud Protection, Privacy, Privacy by Design, privacy regulations, Retail, User Behavior Analytics (UBA),

The Success of Your Business Depends on Digital Trust. Here Is How to Measure It

Most people can name a recent example of online data being compromised, and consumers have become more concerned about how organizations protect their data. Whether the data in question is a physical location, credit card numbers or buying preferences, modern, tech-savvy consumers are thinking long and hard about digital trust risks and the privacy of their data.

“It’s not now just about price, feature, and benefits, it’s not even about history and legacy, it is about trust,” said researcher Mark McCrindle on behalf of Blackmores, an Australian vitamin company, according to CMO. “Every brand must build and maintain trust, particularly because the customer is more skeptical and empowered.”


The Consumer Confidence Crisis

Consumer confidence in brands has dropped to a historic low. According to the “2018 Edelman Trust Barometer,” 7 in 10 industries are solidly in “distrust territory.” Customers are increasingly aware that their decision to share personal data with brands could have significant implications, and new legislation backs the customer’s right to opt out of untrustworthy brand engagements.

As organizations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of propping up a secure website or app, or avoiding a costly, embarrassing data breach. It’s about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and protects customers’ right to privacy while using the data they share to create customized, valuable experiences.


Why Failure to Build Trust Is Risky

There are clear risks facing organizations that fail to deliver trust-inspiring digital experiences. The staggering reputational costs to brands that suffer a data breach underline how easily trust is broken and how difficult it can be to restore. However, even without security incidents, there could be significant consequences for brands that don’t transform the customer experience.

Customers who experience friction as part of the digital experience may choose to go elsewhere, impacting profitability. Brands that lack transparent data privacy practices could struggle to build strong customer relationships if the consumer feels that the interaction is “sketchy” or too invasive. There’s also risk for the organization: If it can’t tell the difference between legitimate customer transactions and costly fraud, it may throw up frustrating security barriers or risk loss due to account compromise or other fraudulent activities.

How to Measure Digital Trust With Business Outcomes

“Digital trust is not a method, product or service,” wrote IBM security orchestration, automation and response leader Matthew Konwiser. “It’s a philosophy that acknowledges why … businesses stay in business; their clients trust them.”

Digital trust can be measured in business outcomes. While these aspects are more complex than security metrics or compliance, they are critical. Digital trust results from a shift in how the organization approaches the customer journey, which can be measured in the following business outcomes.

Outcome No. 1: Build User Trust

Organizations should transform digital customer experiences to create a secure and seamless customer journey across digital products. This reinforces customer trust while providing internal visibility into customer behavior. Increased trust should result in greater customer loyalty and greater share of wallet.

Outcome No. 2: Drive Growth

Organizations that focus on digital trust continuously work to improve user experience and strengthen internal security safeguards. Security solutions that assess risk and add verification only when needed produce fewer false positives, so security teams can focus their attention where it is needed. Automation and authentication based on risk scoring can streamline customer access and reduce the workload for already over-tasked IT and security staff.

Outcome No. 3: Create Efficiency

Brands should continuously work to offer an improved user experience and strengthen internal security safeguards. Leaders at trust-driven organizations prioritize operational efficiency gains and risk reduction.

Why You Should Shift to a Trust-Focused Model

While digital trust isn’t the exclusive goal or responsibility of the security department, the CISO is a diplomat in the transformation process. At a trust-focused organization, security risk is recognized as business risk. Business leaders should actively support the need for persistent visibility into digital customer behavior, even as the cybersecurity team works to strengthen safeguards against threat actors and data privacy risks.

Trust should feel seamless for trusted customers with barriers only appearing to threat actors. Cognitive solutions and analytics can provide visibility into a customer’s movements across digital platforms and identify risks by comparing real-time data to a baseline of known threats. When an abnormal pattern of customer logins, transactions or behavior is identified, the system should automate an immediate response to further authenticate users or isolate risks.

The process of delivering digital trust is about more than security and technology, however. It’s a shift in leadership that places the customer experience at the center of digital transformation. Trust-focused organizations adopt design thinking processes to create digital products based on the customer journey and architect secure DevOps. Baked-in security offers greater assurance against risks and creates a more seamless digital experience across channels.

Empathy Is at the Core of Trust Delivery

Digital trust is a moving target, like any other strategic business goal. Your organization can’t rely on stagnant strategies to grow profitability or address risks. To build lasting customer relationships, organizations must understand that trust is a dynamic pursuit that requires agility.

Empathy toward the customer is at the core of trust delivery. As customer attitudes about privacy and behaviors shift, enterprise practices and technology must keep up with evolving data privacy threats, compliance requirements and client behaviors. The importance of trust is unlikely to diminish, but delivering trust-inspiring customer experiences requires a culture of design thinking, continuous improvement and security by default.



This post appeared first on Security Intelligence
Author: Kami Haynes

Data Protection, Health Care, Healthcare, Healthcare Data, Healthcare Industry, healthcare security, Internet of Things (IoT), IoT Security, Medical Data, Risk Management, Threat Intelligence, Threat Research,

How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry

At the IBM Security Summit in 2018, X-Force Red Global Head Charles Henderson told a memorable story. A colleague frantically reached out one Friday afternoon asking him to test five medical internet of things (IoT) devices. One of the devices was to be implanted in the colleague’s body, and he wanted to make sure he chose the most secure model. Charles immediately called his hacker friends, who happily agreed to help him with the research. Within a couple of days, Charles recommended a specific model to his colleague, confident that it was the least hackable.

Unlike Charles’ colleague, most patients do not have someone on hand to test their medical IoT devices prior to implantation, which is why it’s critical for device manufacturers to build security into the devices from the earliest stages of development. Patients should be able to trust that the devices in their bodies have no critical vulnerabilities that criminals could potentially exploit.

A Q and A With ‘Q’: Reviewing the FDA’s Guidance on Medical IoT Devices

On Jan. 29–30, 2019, the Food and Drug Administration (FDA) will host a public workshop to discuss medical IoT security. The discussion will focus on the recently drafted guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which aims to help strengthen cybersecurity across medical IoT devices.

Catherine Norcom, X-Force Red’s resident hardware hacker, specializes in building and testing IoT devices in the medical field. Catherine, also known as “Q,” recently joined the team after serving 10 years in the U.S. Air Force.

I chatted with Catherine about the FDA’s guidance, the top risks related to medical IoT devices and how to minimize those risks.

Question: Thank you for taking the time to chat today, Catherine. Which parts of the FDA’s guidance do you think will be most effective?

Catherine: I like the objective of the guidance. Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach. Specifically, I like the clause about logging people out after a period of inactivity. I also like the clause that discusses the need for rapid deployment of patches and updates.

However, that clause contradicts another clause in the guidance that recommends users approve any product updates before they are installed. Getting user approval will slow down the patching process. I think updates should be automated. Automated updates wouldn’t be reliant on the user, so software would continuously receive patch installations and, as such, have fewer vulnerabilities.

I also like that the guidance promotes encrypting any information stored on devices and requires authentication of some kind before the user accesses medical information coming from the device. That way, if a user left a device on a bus, for example, someone else could not access the user’s private medical information.

Question: Where do you think the guidance is lacking?

Catherine: There are some parts that seemed like they could vary in meaning. For example, the guidance recommends assessing risk and mitigation throughout a product’s life cycle. However, the length of life cycles may vary. I have an FDA-approved smart watch that monitors my pulse. If I have a problem with my pulse, I can take medication based on what the watch shows me. But who determines my watch’s life cycle? The manufacturer could release a newer version, but my watch works fine, so I would keep using it for the next five years.

The guidance also uses buzzwords like “holistic.” Many manufacturers — and, frankly, people in general — do not know what that term means or could interpret it differently. Also, a part of the guidance recommends manufacturers identify vulnerabilities up front. Without explaining how to do that, it’s an unrealistic expectation of a manufacturer. Even if they identified a vulnerability in the Wi-Fi connection, for example, they may not know the USB port is also vulnerable. You need a security specialist to assess risk throughout the process — whether that’s hiring outside specialists or someone in-house.

Question: Since X-Force Red specializes in cybersecurity, let’s pivot the conversation and discuss security risks that come with medical IoT devices.

Catherine: Medical IoT devices are a top target of criminals, and yet so many are developed insecurely. I recently read a Ponemon Institute study that said 67 percent of medical device makers believe an attack on one or more medical devices they have built is likely. The most obvious risk is the user losing the device, or the device being stolen.

If criminals get physical access to the hardware, they may also be able to access all of the medical data in that device. They could potentially reverse engineer the device as well and gain access to more information that is stored on underlying servers. That information could aid in planning a larger attack against the device manufacturer, or help criminals use patients’ identities in insurance fraud, etc.

Question: Yes, physically stealing a device would provide the easiest pathway to compromising it. What about the risks related to the Wi-Fi connection used by most IoT devices?

Catherine: Obviously, anything connected to Wi-Fi can be compromised. A brute-force attack is one of the more popular ones. The service set identifier (SSID) is the Wi-Fi network name you see when you try to connect. If a device broadcasts its SSID, for example, a criminal would see the device on the Wi-Fi network and may try every password under the sun until one grants him access. These attacks are typically automated by computers, and it can take mere seconds to brute-force a weak password.

Also, if the Wi-Fi connection from the device is not secured and the data stored on the device is not encrypted, a criminal could intercept the packets and access medical data as it moves from the device to the router. Essentially, a criminal could grab the device’s stored medical data as it moves through the air.

Question: What about USB ports? Many medical IoT devices contain USB ports similar to those we use to charge our cellphones.

Catherine: Yes, USB ports on medical IoT devices can be used to transfer data. If someone plugs into the device’s USB port and the stored data is unencrypted, the person could potentially access the data. It’s similar to your cellphone: If you plug a USB cable into your phone and connect it to a laptop, you can see the data on your phone and move it to your laptop.

As a rule, people should avoid connecting to any USB port they do not control. That means avoiding those in airports, airplanes, public places, etc. Behind every USB port, there can be a device reading data without explicit permission.

Question: So, what can IoT medical device manufacturers do to strengthen the security of their products as they’re being developed?

Catherine: First, developers should make sure the device’s SSID is hidden so it doesn’t show up on Wi-Fi networks. Also, oftentimes IoT manufacturers will give all their devices the same SSID. For example, devices that are meant for the kitchen will have the SSID “kitchen.” If devices have the same SSID, then a criminal can connect to them even if they are hidden. It’s crucial that devices have unique SSIDs and preferably let their owners name them to create random names that attackers won’t be able to readily look up.

Good security practices for an application programming interface (API)-enabled device include making sure a criminal doesn’t have access to the API key — which is like a password — so that he or she can’t read the private medical data that the medical device is logging.

An easy and obvious recommendation is to use encryption. Any data on the device and the connection to the wireless hotspot or cell phone should be encrypted. Encryption will disable criminals’ ability to read private data whether they steal packets or plug into a USB port. Manufacturers can also make proprietary software that only talks to the specific IoT device and enables it to securely decrypt the data on it.

It’s also critical to have a secure connection between the device and Wi-Fi access point you are using. The device should not connect to anything that doesn’t require authentication.

Finally, manufacturers should opt for testing their hardware and software as the device is being developed. Manual penetration testing can uncover unknown vulnerabilities that automated tools may not find. For example, testers can make sure the software was programmed in a way that makes files difficult to read. As they are writing and developing the device and its software, manufacturers should consult a security expert at every step, from selecting products to testing during development, and test after the device is built.

Question: Any last words or recommendations for the FDA as it works to finalize the guidance?

Catherine: Unfortunately, hacking an IoT device, medical or nonmedical, is oftentimes not that difficult. At the DEF CON hacker conference, people with little experience were hacking IoT coffee pots and voting booths in minutes. When you allow an IoT device on your network, if the device has a vulnerability, a criminal can easily compromise your entire network. That’s why it’s critical that manufacturers step up and start prioritizing security when developing their products, and buyers should favor devices that have security built in as part of the design.

This guidance is a step in the right direction to achieving that goal. It gives some really strong recommendations and a focus on the subject of IoT security. If I were sitting at the public discussion, I would suggest they revise some of the recommendations to consider more scenarios that take place in real-world use cases. It would also be helpful if the FDA had different security specialists review the guidance before it’s finalized to add different perspectives.



This post appeared first on Security Intelligence
Author: Abby Ross

CISO, Critical Data, Critical Infrastructure, Data Activity Monitoring (DAM), Data Classification, Data Discovery, Data loss, Data Loss Prevention (DLP), Data Protection,

Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces

Imagine: You just received an alert that threat actors infiltrated your network, leaked mission-critical data and posted it in publicly accessible forums on the dark web. What do you do?

As a security leader, you knew that a breach was inevitable. Your data, applications and endpoints were expanding at an alarming rate — far faster than your organization’s ability to track and control its critical assets. Still, you never imagined you’d find out about the leak via a third-party notification, or just how frightening it would be to learn that your cyber resiliency strategy was insufficient to protect customer data.

If this scenario is familiar, don’t worry — you’re not alone. Traditional approaches to asset identification and protection have failed businesses around the world and across verticals as security leaders struggle to address challenges such as lack of visibility into enterprise data, outdated risk frameworks and the mind-bending acceleration of the threat landscape. To keep pace with opportunistic bad actors looking to take advantage of these security gaps, chief information security officers (CISOs) must implement more sophisticated controls before it’s too late.


Attack Surfaces Are Expanding Faster Than IT Awareness

With critical assets channeled between multiple clouds, on-premises systems, and multiplatform applications on both company-owned and personal endpoints, it’s no wonder security leaders are struggling to see the full security picture. And this lack of visibility into enterprise data is more expensive than ever: The cost of a successful endpoint attack now exceeds $5 million, according to The Ponemon Institute, and the compromise rate of enterprise systems has more than doubled in the past five years, according to McKinsey & Company.

CISOs are increasingly called upon to report on security risks in business terms to the board. However, security leaders struggle to speak to invisible data risks, since not all business applications in use are known to IT security. In fact, 57 percent of CISOs said a lack of visibility into the location and protection of sensitive data is “what keeps them up most at night,” as reported by Forbes.

New Frameworks for Asset Protection

Traditional asset protection frameworks have involved time-consuming work to catalog assets, evaluate controls, assign risks and create remediation plans.

“In an increasingly digitized world, protecting everything equally is not an option,” wrote Piotr Kamiński, Chris Rezek, Wolf Richter and Marc Sorel of McKinsey & Company. “The digital business model is, however, entirely dependent on trust.”

Today’s security leaders need new frameworks to find, use and manage critical assets in an evolving enterprise security landscape. Failure to adapt to the new realities of data risk has weighty consequences. The Ponemon Institute’s “2018 Cost of a Data Breach” study, sponsored by IBM, reported an average cost of $3.86 million, a 6.4 percent increase from the previous year. The cost of noncompliance with data security and privacy standards, meanwhile, has risen 45 percent since 2011 to a staggering $14 million, according to SC Magazine. Security leaders must also consider the weightiest consequence of failure to protect sensitive data and assets: loss of consumer trust.

As the risks associated with critical assets continue to shift, a proactive response is necessary to keep up with the evolving threat landscape. The new standard for critical asset protection is a three-part framework to achieve intelligent visibility, proactive mitigation and continuous control.

Intelligent visibility means unified oversight across data, cloud networks and endpoints, with insight into the most critical risks and assets. Proactive mitigation is defined by the ability to create, apply and enforce security across endpoints, apps and data at scale. Continuous control is the ability to create security policies at scale, optimize asset protections, and comply with regulatory requirements and policies.

Smarter Security for Critical Assets: 5 Use Cases

An Aberdeen Group study sponsored by IBM revealed that best-in-class firms are 74 percent more likely than others to view asset statuses via real-time dashboards. These industry leaders are also 40 percent more likely to connect disparate systems for end-to-end control of sensitive data. Use cases for artificial intelligence (AI), cognitive computing, extensibility, automation and human intelligence demonstrate the value of a comprehensive security immune system.

1. Artificial Intelligence

The average security operations center (SOC) logs 200,000 events each day, according to IBM research. Separating false positives from significant risks is a real challenge for overworked and understaffed SOC teams.

Applied AI excels at analyzing structured and unstructured data assets to prioritize risks, classify critical assets and detect anomalies. Integrating AI solutions for testing and compliance enables DevOps to achieve privacy by default and design.

2. Cognitive Computing

Critical asset protection requires the organization to fight false positives and respond immediately to significant threats. Cognitive computing, an advanced application of AI, machine learning and deep learning networks, augments human intelligence and grows smarter with use. Organizations can automatically investigate and respond to indicators of compromise (IoCs) to reduce the workload on SOC analysts.

3. Extensibility

Even with dozens of security solutions, enterprises are struggling to achieve the integration needed for true asset transparency. Over 58 percent of IT executives recently cited a lack of infrastructure-agnostic visibility as their primary challenge, according to Security Boulevard.

By investing in a collaborative threat sharing platform, organizations can scale the capabilities of security solutions in nearly real time and exchange knowledge with a vibrant collective of partners and peers.

4. Automation

One of the most significant risks facing the enterprise is innocent and malicious insider threats. Insider-caused incidents are nearly twice as costly as the average global data breach, according to a Ponemon Institute study. There’s a need for solutions to introduce total transparency and automated action against the most critical risks. An adaptive security ecosystem of solutions can intelligently uncover insights into external and internal threats, orchestrate responses and share actionable threat intelligence.

5. People

SOC analysts must be knowledgeable to defend against evolving threats. CISOs can improve internal skill sets and outsource critical capacities by partnering with managed security services providers (MSSPs). These experts can provide training and expertise to SOC analysts while delivering endpoint and data protection services for a resilient enterprise. Offensive security partnerships can offer expert penetration testing, vulnerability analytics and threat intelligence.

Protecting Customer Trust

Unlocking the ability to find and secure critical assets with leading security solutions can enable the enterprise to achieve regulatory compliance, reduce operational costs and improve security talent retention. Most importantly, critical asset protection is a tool for securing customer trust. Trust is a currency, and solutions for data protection can provide a remarkable advantage for customer confidence.



This post appeared first on Security Intelligence
Author: Rob Patey

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and less accurate operations, and the absence of SOC orchestration locks teams into heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and false-positive rates are at record highs. APTs can easily go unnoticed in the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day fit predictable patterns. APTs make up a statistically small share of the incidents a SOC investigates, but sophisticated threat actors use unique tactics and techniques to blend into that noise, which makes them the threats most likely to go undetected and to end in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

Read the e-book: Master threat hunting

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

Author: Rob Patey

Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.


Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as various retention requirements apply. There is a similar juggling act in setting strict access controls that keep out threat actors while still giving educators and parents access when they need it. Take allergies: if a substitute teacher cannot reach a student's health record because of a cumbersome login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

Author: Bob Sullivan

Data Protection, Data Security, Encryption, Network, Network Protection, Network Security,

Deciphering the Encryption Paradox

As security professionals, we all understand the importance of protecting data and the need for proper encryption. It’s no surprise, then, that more and more traffic crossing our networks is encrypted. This is a good thing from both a security and privacy perspective, but what if the encryption is being used to hide malicious activity on enterprise networks?

When Encryption Works Against Security

Our networks not only facilitate the connected world in which our businesses thrive, but also provide the conduit for threats to infiltrate our organizations. Threat activity can easily hide deep within network content to avoid detection by traditional methods, which is why we need solutions that can analyze this content with application-level context to distinguish legitimate activity from malicious behavior. But what happens when our network data is encrypted?

Here’s the irony: As more and more network traffic is encrypted, we’re gaining more and more options to decrypt that data. I know it sounds counterintuitive, but as more network traffic is encrypted, there is an increasing need for network vendors to build decryption capabilities into their devices.

Since many of these devices are already deployed inline, they can terminate the encrypted session on one side and open a second encrypted session on the other. The data stays encrypted on the wire on both sides of the device, while the device itself sees the traffic in the clear. Whether it's a next-generation firewall looking to block intruders or a managed switch directing or filtering select data, visibility is key. Two practical consequences follow: the device presents its own certificate to internal clients, so those clients must trust the organization's inspection CA (and applications that pin certificates will refuse the connection), and the device now holds cleartext for every session it inspects, so access to it and to any mirrored feed needs the same controls as the data itself.

Many of these devices allow decrypted traffic to be mirrored out of a port for full content analysis. As a result, most organizations have either deployed or plan to deploy network devices that are capable of decrypting traffic. Gaining the network visibility we need to secure our organizations is often a matter of enabling those decryption capabilities.

To Decrypt, or Not to Decrypt …

While network visibility is crucial for identifying malicious activity as it crosses a network, there are cases where we may prefer to keep that data encrypted at all times. But despite our best efforts, it’s often difficult to ensure that all of our sensitive data is encrypted properly. Just think of the myriad devices and applications that need to be configured properly to encrypt communications with the latest protocol versions.

By analyzing every network session in detail and knowing which are encrypted, which protocol version and cipher suite were negotiated, and what certificates were presented (issuer, key size, expiry), we can confirm that our data is adequately protected. And while it's tempting to focus on reports that the volume of encrypted web traffic is increasing, it's easy to forget about the large amount of traffic on our networks that is associated with non-web applications spanning a wide range of network protocols. Many organizations find that when they take a deeper look into the data that is crossing their networks, a lot less is encrypted than originally thought.
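As an added example, not code from the original post, the following Python script shows the kind of passive check the previous paragraph describes: it parses a TLS ServerHello record out of captured bytes, recovers the negotiated protocol version (including the TLS 1.3 case, where the real version is carried in the supported_versions extension rather than the legacy version field) and the cipher suite, and flags sessions that fall below TLS 1.2 or that use a non-forward-secret or weak suite. The handshake bytes, the session names and the small cipher suite table are constructed for the example; in practice the input would come from a tap or mirror port.

```python
"""Passive TLS handshake inspection of captured session bytes (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Small subset of IANA cipher suite codes; a real tool would carry the full registry.
CIPHER_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B   # TLS 1.3 signals the negotiated version here


@dataclass
class TlsSummary:
    version: str
    cipher: str
    weak: bool
    reasons: List[str]


def _weakness_reasons(version: int, suite: int) -> List[str]:
    reasons = []
    if version < 0x0303:
        reasons.append(f"protocol {VERSION_NAMES.get(version, hex(version))} is below TLS 1.2")
    name = CIPHER_NAMES.get(suite, f"unknown-{suite:#06x}")
    # Static-RSA key exchange has no forward secrecy; 3DES/RC4/NULL are broken or too weak.
    if name.startswith("TLS_RSA_WITH") or any(w in name for w in ("3DES", "_RC4_", "_NULL_")):
        reasons.append(f"cipher suite {name} lacks forward secrecy or uses a weak cipher")
    return reasons


def summarize_server_hello(data: bytes) -> Optional[TlsSummary]:
    """Return a summary if `data` starts with a TLS ServerHello record, else None (not TLS)."""
    if len(data) < 5 or data[0] != 0x16:            # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:            # 0x02 = ServerHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 36:
        return None
    version = struct.unpack("!H", hello[0:2])[0]    # legacy_version (0x0303 for TLS 1.3)
    pos = 2 + 32                                    # skip the 32-byte server random
    pos += 1 + hello[pos]                           # skip session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                                    # cipher suite + compression method
    if pos + 2 <= len(hello):                       # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    reasons = _weakness_reasons(version, suite)
    return TlsSummary(VERSION_NAMES.get(version, hex(version)),
                      CIPHER_NAMES.get(suite, f"unknown-{suite:#06x}"),
                      bool(reasons), reasons)


def _server_hello(version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Build a minimal ServerHello record. Constructed sample, not a real capture."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", suite) + b"\x00"
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed sessions: an old line-of-business app, two web servers, and a cleartext API call.
SAMPLES: Dict[str, bytes] = {
    "legacy-app": _server_hello(0x0301, 0x000A),
    "web-1.2": _server_hello(0x0303, 0xC02F),
    "web-1.3": _server_hello(0x0303, 0x1301, b"\x00\x2b\x00\x02\x03\x04"),
    "plaintext": b"GET /api/v1/orders HTTP/1.1\r\nHost: internal\r\n\r\n",
}


def inventory(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each captured session as 'plaintext', 'weak' or 'ok'."""
    result = {}
    for name, blob in samples.items():
        s = summarize_server_hello(blob)
        result[name] = "plaintext" if s is None else ("weak" if s.weak else "ok")
    return result


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, summarize_server_hello(blob))
```

Only the server's choice is inspected here; the certificate chain arrives in a later handshake message in TLS 1.2 and is encrypted in TLS 1.3, so certificate details need either the full handshake capture or the inline device's own view.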

Clearly, we are trending toward increased encryption of network data and we should all embrace it as a valuable tool to help protect our crown jewels. But it’s not the roadblock many think it is when it comes to deep network analysis. There is a growing variety of methods and devices that deliver full network content visibility in a controlled and secure manner. Every organization should consider this approach as part of its network and security evolution and strategy.

The post Deciphering the Encryption Paradox appeared first on Security Intelligence.

Author: Tom Obremski

Access Management, Artificial Intelligence (AI), Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, Data Breaches, Data Protection, Data Security, database security, Hybrid Cloud, Incident Response (IR), Integrated Security, Network Security, Patch Management, Risk Assessment, Risk mitigation, Security Operations Center (SOC), Vulnerability Management,

Your Security Strategy Is Only as Strong as Your Cyber Hygiene

It’s an all-too familiar scenario: An email directive to apply a patch to a web server goes ignored, and no one follows up to be sure the patch has been applied. As a result of this simple lack of cyber hygiene, the organization falls prey to a widespread strain of malware.

The team that should have handled the update was probably busy and might not have been fully staffed. There may not have been enough budget to hire enough of the right kind of talent, or perhaps there were just too many factors to be checked and covered. None of that matters, though; the network was breached, and it was entirely preventable. Failure to cover the basics was the downfall, and it could lead to negative publicity and loss of business.

Learn more about enhancing security hygiene

Your Security Improvements Could Be Missing the Point

The average enterprise security team has more solutions in its arsenal than ever before. As reported by ZDNet, some companies have more than 70 unique security applications and tools in place. While chief information security officers (CISOs) and their teams may be drowning in technology, the enterprise isn't becoming more secure. In fact, the chances of facing a data breach have increased sharply over the last several years, according to research from the Identity Theft Resource Center.

The truth is that the vast majority of data breaches can be prevented with basic actions, such as vulnerability assessments, patching and proper configurations. An Online Trust Alliance study estimated that 93 percent of reported incidents could have been avoided with basic cyber hygiene best practices, a figure that remains largely unchanged in the past decade. While advanced threats are growing in volume and sophistication, organizations are still getting breached due to poor key management, unpatched applications and misconfigured cloud databases.

CISOs aren’t blind to these trends. According to the “2018 Black Hat USA Attendee Survey,” 36 percent of leaders spend the majority of their time on any given day trying to accurately measure their organization’s security posture. Sixteen percent believe their organization’s greatest failure is “a lack of integration in security architecture” and “too many single-purpose solutions.” Security teams are drowning in alerts and grasping for solutions that streamline cyber hygiene activities.

What Does Cybersecurity Hygiene Entail?

Cyber hygiene refers to maintaining the security and health of an enterprise’s network, endpoints and applications through routine efforts to avoid vulnerabilities and other fundamental activities. It means perfecting the basics, including:

  • Deleting redundant user accounts;
  • Enforcing access and passwords with policy;
  • Backing up mission-critical data;
  • Securing physical and cloud databases;
  • Application whitelisting; and
  • Managing configurations.

When put into practice on an enterprise network, security hygiene is a continuous cycle of identifying vulnerabilities, mitigating risks and improving response capabilities. This begins with vulnerability assessments of your network and data assets. After all, knowledge is the first step toward effective security hygiene.

Why Preventable Data Breaches Continue to Happen

Organizations that fail to perform basic security improvements face near-certain risks. Last year, IBM X-Force reported a twofold increase in injection attacks aimed at vulnerable applications and devices over the previous year. In total, injection attacks comprised 79 percent of all malicious network activity. An unpatched server or misconfigured cloud database can also lead to costly consequences. The loss of consumer trust could be more severe in the event that an organization is forced to admit it didn’t perform the basics.

The reason why organizations are struggling with cyber hygiene goes beyond human negligence. Networks are more complex than ever, and cyber hygiene requires the effective alignment of people, policies, processes and technology. Organizations fall prey to fully preventable attacks due to increased endpoints, cloud adoption, stolen credentials and the immense resources needed to address regulatory shifts.

“Security in a hyperconnected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach,” said Marc van Zadelhoff, former IBM Security General Manager, in a statement. “CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success.”

Enterprise networks are complex, and fragmented security solutions for vulnerability assessment don’t reveal the full picture. Security operations centers (SOCs) are overwhelmed with alerts and relying on manual threat research. Performing basic security improvements is impossible without the right ecosystem to identify data risks.

5 Steps to Create an Effective Cyber Hygiene Practice

Hygiene is at the core of a security risk mitigation strategy. Security hygiene is a cultural mindset that spans security, IT, leadership and the individual. To adequately address basic risks, CISOs need full buy-in to continually review data management practices, improve response capabilities and enhance employee awareness. Let’s take a closer look at five steps organizations can take to create an effective cyber hygiene practice.

1. Identify Risks

Data is a modern organization’s most valuable asset. Solutions for security hygiene must comprehensively identify the location and sensitivity of business data, extending to risk assessment, remediation and vulnerability assessments of hybrid cloud environments.

Risk needs to translate into action, and CISOs should actively share knowledge of data security with other executives to improve privacy. Solutions for comprehensive, real-time vulnerability assessment can help in the development of a stronger approach to risk and compliance.

2. Prioritize Response

Security hygiene is a continuous effort to address risks in real time and prioritize the protection of the most sensitive data assets. Organizations must develop a response policy based on data sensitivity. Cognitive security solutions can help orchestrate efforts to remediate the highest-risk vulnerabilities and automate activities to enforce policy or regulatory requirements.

3. Improve Risk Awareness

CISOs, risk officers and business leaders should collaborate to improve incident response (IR) capabilities where hygiene is viewed as an imperative. Third-party expertise can increase risk awareness and orchestration capabilities and design thinking can help increase the use of cognitive technologies, artificial intelligence (AI) and risk management automation for streamlined security hygiene.

4. Secure Digital Transformation

Change is inevitable and constant in a contemporary enterprise network environment. Security hygiene involves a forward-thinking attitude that creates policies for secure deployment and management of new technologies. Change management efforts should incorporate discussions on how to actively secure Internet of Things (IoT) deployments and other emerging technologies.

5. Disseminate Responsibility

Leaders should create a culture that encourages compliant behaviors in employees. Silent security can safeguard data privacy across endpoints without sacrificing user productivity. A culture of shared responsibility helps mitigate the risks of shadow IT, especially when coupled with employee awareness initiatives.

Take Preventative Measures Against Meaningful Security Risks

The most crucial improvement to your organization’s security stance may not be acquiring new solutions; it could be a shift to a culture of cyber hygiene. CISOs must collaborate with other leadership to address one of today’s most significant business risks: failure to check off the basics effectively.

The majority of today’s security breaches are caused by inadvertent insider mistakes, such as unpatched systems, misconfigured cloud databases and incomplete risk assessments. Without full network visibility and regular utilization of cyber hygiene best practices, your enterprise could face very real, but entirely preventable, security risks.

Read the e-book: Enhance security hygiene

The post Your Security Strategy Is Only as Strong as Your Cyber Hygiene appeared first on Security Intelligence.

Author: Kami Haynes

Authentication, Credit Card Data, Credit Card Fraud, Data Protection, Distributed Denial-of-Service (DDoS), Multifactor Authentication (MFA), Payment Card Industry (PCI), Payment Card Industry Data Security Standard (PCI DSS), Point-of-Sale (POS) Systems, Retail, Retail Industry, Retail Security,

The Gift That Keeps on Giving: PCI Compliance for Post-Holiday Season Returns

Payment card industry (PCI) compliance was more critical than ever this holiday season as retailers experienced both in-store and online sales growth. But security professionals in the sector can’t afford to let their guard down yet. As the shopping season winds down, retailers face the challenge of securely handling massive customer transaction volumes across both on-site point-of-sale (POS) terminals and e-commerce portals — and ensuring that post-holiday credit card refunds don’t compromise consumer data. How can they maintain PCI compliance amid all this chaos?

‘Tis the Season to Spend

Final numbers have not yet been tallied as of this writing, but NPR forecasted holiday retail spending to reach $124 billion in 2018 after Black Friday exceeded expectations with 27.8 percent gains over last year.

Despite online gains, however, Adobe predicted that 83 percent of shopping would still take place in-store. Research firm Deloitte reported that “consumers are upbeat about the economy,” and with 73 percent expecting continued economic stability or growth, average holiday spend per consumer is predicted to increase by $300.

Mitigate Rising Retail Risks

Threat actors are also enjoying the uptick in consumer spending. According to U.S. News, POS fraud is up 8 percent this year, following a 70 percent jump in 2017.

This often takes the form of card skimmers installed at POS locations. But, as CSO Online reported, recent research demonstrated that it’s possible — though unlikely — for scammers to steal credit data via radio frequency identification (RFID). More practical forms of credit card fraud include retail and hospitality database breaches and local government compromises, which can expose millions of consumer credit records.

As consumer volumes increase during the holiday season, retailers are hard-pressed to ensure both in-store and online security. For example, brick-and-mortar locations often face the challenge of managing temporary staffers who aren’t fully trained in POS security and may inadvertently expose consumer credit data. Online, the rush to provide substantive server resources and accommodate Cyber Monday shoppers can lead to gaps in authentication and authorization, in turn reducing overall security.

Improve Presence of Mind

The PCI Data Security Standard (DSS) provides a common compliance framework to ensure that credit card data is properly handled, stored and accessed by retail enterprises. The framework was most recently updated in May 2018 (version 3.2.1). Among other things, it no longer accepts early Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol versions as adequate protection for cardholder data: any organization still relying on them must maintain a documented risk mitigation and migration plan for retiring them in favor of a current TLS version.

In addition, the updated PCI DSS mandates multifactor authentication (MFA) for all nonconsole administrative access, alongside pre-existing requirements for a documented description of the cryptographic architecture and, for service providers, penetration testing of segmentation controls every six months.

Despite the critical role of PCI compliance in credit card security, however, PYMNTS.com reported that 91 percent of retailers would likely fail an audit. In part, this stems from the increasingly complex nature of PCI DSS standards — dedicated IT teams or third-party providers are often required to ensure full adherence to new obligations. During the holidays, more high-priority threats such as distributed denial-of-service (DDoS) attacks and targeted phishing efforts can shift corporate priorities, and PCI compliance often suffers as a result.

Return to Spender

Despite slacking compliance rates, many retailers have established solid best practices for handling credit data at in-store POSs and have implemented controls for detecting large-volume or rapid transactions online. But the holidays present a new problem: postseason credit card refunds.

To help reduce holiday shopping wait times and limit in-store fraud, many companies implement seasonal limits on returns, such as prohibiting any refunds until the New Year. In addition, most sellers require consumers to present proofs of purchase before issuing any type of on-card or cash-in-hand refund.

From a data protection perspective, however, two problems exist. First is outsourcing: As noted by the PCI Security Standards Council, retail enterprises often outsource refund and charge-back processes to third-party providers. But this doesn’t provide automatic compliance; if vendors mishandle returns and expose credit data, retailers are on the hook.

Secondly, while credit card processing is often handled automatically, credit refunds typically require more direct human interaction. If employees are able to access credit data without MFA, any fraudulent refunds or chargebacks will be the responsibility of the retailer, not the credit card issuer. This is true regardless of attack origin; malicious insiders and targeted attacks carry the same risks without MFA protection.

4 Steps to Improve Your PCI Compliance Posture in the New Year

Organizations should take the following steps to manage post-holiday attacks and reduce the risk of noncompliance in the new year.

1. Patch Regularly

Frequent security updates ensure POS systems are protected from newly discovered vulnerabilities. They’re also mandated by PCI DSS; all critical patches must be applied within a month.

2. Audit Constantly

PCI DSS also requires logging and auditing of all access to cardholder data, and a daily review of those logs. Reviews should look for indications of potential compromise, such as a sudden spike in credit card refunds at a specific POS terminal or retail location.
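The following Python script is an added example, not code from the original post, of the daily review just described: it parses a batch of POS transaction log lines, computes a per-terminal refund baseline for the day, and flags any terminal whose refund count is far above that baseline. It also applies a second check the post does not mention but a refund-fraud review would normally include: refunds issued to a card that never made a purchase at that store within the window. The log format, terminal names, amounts and thresholds are all constructed for the example; in production the "no matching purchase" check would look back over the full purchase history rather than a single day's log.

```python
"""Daily review of POS transaction logs for refund anomalies (added example)."""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed log lines in a hypothetical POS format. Only the last four PAN digits
# appear, which is all PCI DSS permits to be shown or kept in the clear.
SAMPLE_LOG = """
2018-12-27T09:01:10Z terminal=POS-0101 store=118 type=SALE amount=120.00 card=****1234 clerk=e102
2018-12-27T09:05:42Z terminal=POS-0101 store=118 type=SALE amount=35.50 card=****2201 clerk=e102
2018-12-27T09:30:00Z terminal=POS-0101 store=118 type=REFUND amount=35.50 card=****2201 clerk=e102
2018-12-27T09:02:18Z terminal=POS-0102 store=118 type=SALE amount=80.00 card=****5555 clerk=e117
2018-12-27T09:45:09Z terminal=POS-0102 store=118 type=REFUND amount=80.00 card=****5555 clerk=e117
2018-12-27T09:03:01Z terminal=POS-0103 store=118 type=SALE amount=210.00 card=****7788 clerk=e120
2018-12-27T10:02:14Z terminal=POS-0103 store=118 type=SALE amount=15.99 card=****3030 clerk=e120
2018-12-27T10:11:00Z terminal=POS-0412 store=118 type=REFUND amount=199.99 card=****9999 clerk=temp31
2018-12-27T10:13:30Z terminal=POS-0412 store=118 type=REFUND amount=199.99 card=****9999 clerk=temp31
2018-12-27T10:16:05Z terminal=POS-0412 store=118 type=REFUND amount=249.00 card=****9999 clerk=temp31
2018-12-27T10:19:47Z terminal=POS-0412 store=118 type=REFUND amount=249.00 card=****9999 clerk=temp31
2018-12-27T10:22:12Z terminal=POS-0412 store=118 type=REFUND amount=199.99 card=****9999 clerk=temp31
2018-12-27T10:25:40Z terminal=POS-0412 store=118 type=SALE amount=9.99 card=****4141 clerk=temp31
2018-12-27T10:30:00Z terminal=POS-0412 store=118 type=VOID amount=abc
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) terminal=(?P<terminal>\S+) store=(?P<store>\S+) "
    r"type=(?P<type>SALE|REFUND) amount=(?P<amount>\d+\.\d{2}) "
    r"card=\*{4}(?P<last4>\d{4}) clerk=(?P<clerk>\S+)$"
)


def parse(lines):
    """Return (events, unparseable_count). Amounts are kept in cents to avoid float drift."""
    events, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            bad += 1            # a jump in unparseable lines is itself worth an alert
            continue
        e = m.groupdict()
        e["cents"] = int(e.pop("amount").replace(".", ""))
        events.append(e)
    return events, bad


def analyze(lines, min_refunds=3, spike_factor=3.0):
    """Flag terminals with a refund spike and cards refunded without a matching purchase."""
    events, bad = parse(lines)
    terminals = sorted({e["terminal"] for e in events})
    refunds = Counter(e["terminal"] for e in events if e["type"] == "REFUND")
    counts = [refunds.get(t, 0) for t in terminals]
    baseline = median(counts) if counts else 0
    # min_refunds keeps a low-volume terminal with two refunds from tripping the rule.
    spike_terminals = [t for t in terminals
                       if refunds.get(t, 0) >= min_refunds
                       and refunds.get(t, 0) > spike_factor * baseline]
    # Refund to a card that never bought anything at that store: the classic pattern of a
    # clerk refunding to their own card. Assumed check, limited here to the day's log.
    sold = {(e["store"], e["last4"]) for e in events if e["type"] == "SALE"}
    orphan = defaultdict(lambda: {"count": 0, "cents": 0, "terminals": set(), "clerks": set()})
    for e in events:
        if e["type"] == "REFUND" and (e["store"], e["last4"]) not in sold:
            o = orphan[e["last4"]]
            o["count"] += 1
            o["cents"] += e["cents"]
            o["terminals"].add(e["terminal"])
            o["clerks"].add(e["clerk"])
    return {
        "baseline_refunds": baseline,
        "spike_terminals": spike_terminals,
        "orphan_refunds": {k: {"count": v["count"], "cents": v["cents"],
                               "terminals": sorted(v["terminals"]), "clerks": sorted(v["clerks"])}
                           for k, v in orphan.items()},
        "unparseable": bad,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The median across terminals is a deliberately crude baseline; a store with a handful of terminals would do better comparing each terminal against its own trailing history, but the shape of the check is the same.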

3. Limit Data Storage

As noted by Retail Sector, many companies still store sensitive authentication data (SAD), including full magnetic stripe data, card verification codes and personal identification numbers (PINs), which PCI DSS forbids retaining after authorization. Tokenization, combined with the use of third-party card vaults, can both boost PCI DSS compliance and reduce the risk of theft, because the merchant's own systems hold only a token that is useless outside the vault.
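As an added example, not from the original post, the Python below shows what tokenization looks like from the merchant's side: the PAN is handed to a vault (stood in for here by an in-memory class with a hypothetical API), the merchant's ledger keeps only a token plus the last four digits, and any attempt to persist sensitive authentication data alongside the transaction is refused. The token keeps the displayable last four digits and is generated so that it fails the Luhn check, a common practice so that a token can never be mistaken for, or replayed as, a live card number. The PAN used is a well-known test number and the transaction records are constructed.

```python
"""Merchant-side tokenization of a primary account number (added example)."""
import secrets
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a third-party card vault: the only place the PAN exists. Hypothetical API."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            # Keep the last four digits (permitted for display) and randomise the rest;
            # reject candidates that pass Luhn so a token can never pass as a real PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path should ever be allowed to call this."""
        return self._by_token[token]


# Fields PCI DSS forbids storing after authorization, whatever the encryption.
SAD_FIELDS = {"cvv", "cvc", "pin", "track1", "track2"}


def store_transaction(vault: TokenVault, ledger: List[dict], txn: dict) -> dict:
    """Persist what the merchant needs for refunds: never the PAN, never SAD."""
    leaked = SAD_FIELDS & set(txn)
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
    token = vault.tokenize(txn["pan"])
    record = {k: v for k, v in txn.items() if k != "pan"}
    record["card_token"] = token
    record["card_last4"] = token[-4:]
    ledger.append(record)
    return record


if __name__ == "__main__":
    vault, ledger = TokenVault(), []
    # Constructed transaction using the standard Visa test PAN.
    rec = store_transaction(vault, ledger, {"txn_id": "T1001", "amount_cents": 4999,
                                            "pan": "4111111111111111"})
    print(rec)                      # token and last4 only, no PAN
    print(vault.detokenize(rec["card_token"]))
```

A later refund against txn T1001 is then issued by passing the stored token back to the vault or processor; the merchant never needs to see the PAN again, which is exactly what keeps the refund desk out of PCI scope.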

4. Strengthen Authentication

It's not enough for companies to deploy MFA. Retailers must also ensure that the implementation evaluates all factors together and does not reveal which factor caused a denial. In practice, this means the user submits username, password and one-time code in a single step, every factor is checked even when an earlier one has already failed, and the only response to any failure is a generic denial, so an attacker cannot work out which factor is the limiting one.
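To make that concrete, here is an added example in Python, not code from the original post, showing the leaky pattern beside the hardened one. The weak version checks the factors one at a time and returns a different error for each, which lets an attacker confirm usernames and then passwords independently. The hardened version takes all three factors in one call, runs the password hash comparison and the one-time-code check regardless of what failed before, burns the same work for an unknown username, and returns a single True or False. The user store, the password and the TOTP secret are constructed; the TOTP is a standard RFC 6238 computation so the codes match what an authenticator app would show for the same secret and time step.

```python
"""Multifactor check that evaluates every factor and fails generically (added example)."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 one-time code for a 30-second time step (HMAC-SHA1, as authenticator apps use)."""
    mac = hmac.new(secret, struct.pack("!Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


# Constructed user store (hypothetical; a real deployment keeps this in a directory or IdP).
_SALT = os.urandom(16)
USERS = {
    "clerk42": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery", _SALT),
        "totp_secret": b"constructed-secret-for-clerk42",
    },
}
# Dummy credentials so an unknown username costs the same work as a real one.
_DUMMY = {"salt": _SALT, "pw_hash": hash_password("placeholder", _SALT),
          "totp_secret": b"placeholder"}


def verify_leaky(username: str, password: str, code: str, step: int) -> str:
    """The pattern the article warns against: sequential checks with factor-specific errors."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"                       # confirms which usernames exist
    if hash_password(password, user["salt"]) != user["pw_hash"]:
        return "bad password"                       # confirms the username, not yet the password
    if totp(user["totp_secret"], step) != code:
        return "bad one-time code"                  # confirms the password is right
    return "ok"


def verify_all_factors(username: str, password: str, code: str, step: int = None) -> bool:
    """All factors submitted together, every check runs, any failure is the same False."""
    if step is None:
        step = int(time.time()) // 30
    if not (isinstance(code, str) and code.isdigit()):
        code = ""                                   # malformed input fails like any wrong code
    user = USERS.get(username)
    creds = user if user is not None else _DUMMY
    pw_ok = hmac.compare_digest(hash_password(password, creds["salt"]), creds["pw_hash"])
    # Accept the current and previous step for clock skew; both are computed whatever pw_ok is.
    candidates = [totp(creds["totp_secret"], step - i) for i in (0, 1)]
    code_ok = any(hmac.compare_digest(c, code) for c in candidates)
    # `&` rather than `and`: no short-circuit, and the caller learns only the combined verdict.
    return (user is not None) & pw_ok & code_ok


if __name__ == "__main__":
    now = int(time.time()) // 30
    print(verify_all_factors("clerk42", "correct horse battery",
                             totp(USERS["clerk42"]["totp_secret"], now), now))   # True
    print(verify_all_factors("clerk42", "wrong", "000000", now))                 # False
```

Rate limiting and lockout still belong in front of this function; evaluating all factors at once removes the oracle, not the possibility of brute force.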

The holidays represent huge opportunities for retailers and attackers alike. Reducing risk in the post-holiday rush to return unwanted gifts and process credit card refunds demands improved PCI compliance, including regular patching, consistent audits, reduced data storage and strong authentication.

The post The Gift That Keeps on Giving: PCI Compliance for Post-Holiday Season Returns appeared first on Security Intelligence.

Author: Douglas Bonderud

Cloud Infrastructure, Cloud Security, Cryptography, Data Management, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, General Data Protection Regulation (GDPR), Identity & Access, Risk mitigation, Threat Detection, Threat Prevention,

Lessons From the Data Encryption Front Line: Understanding Common Threats

Data encryption has become a hot topic for many people this year with Article 83 of the General Data Protection Regulation (GDPR) listing it as an example security control to mitigate risks. While the U.K. Information Commissioner’s Office (ICO) provides some useful guidance on how to use encryption, I have had many discussions over the past year about what is the right approach to implementing data-at-rest encryption (DaRE) solutions. There is no magic answer, but there are some fundamental aspects to consider — starting with an understanding of common encryption threats.

Identify the Threats Facing Your Organization

Clients often ask for DaRE, but are unclear why they need it (other than a policy that says they need to implement encryption). There are many threats related to encryption, but I suggest starting with four generic threats in the context of your system/application.

1. Loss of Physical Storage Media

There is a risk of losing storage media, such as disks or tapes. In a cloud environment, storage media is not something under your direct control. To protect from a loss of storage media, encryption can be provided in the underlying storage or media subsystem. This provides a mechanism, transparent to the application, that is fast and has low latency — but does not manage every threat.

2. Disclosure or Modification of Stored Data

Threat actors such as an external attacker or an internal privileged administrator can gain access to personal or highly confidential data while systems are running. Encryption at the storage level does not provide adequate protection here, because the storage layer decrypts transparently for any privileged or even standard user who can read through it. Nor does it protect against a threat actor who gains privileged access or extracts data through a classic application attack such as SQL injection: the database returns plaintext to the injected query just as it would to a legitimate one.

Therefore, highly confidential and personal data often needs to be encrypted at the level of structured or unstructured data objects to prevent a privileged user from accessing it. With the General Data Protection Regulation (GDPR) in effect, this is especially crucial.

3. Destruction of Stored Data

Even if stored data cannot be read, it can still be destroyed, either by deleting the encryption keys (a cryptographic erasure) or by destroying the encrypted data itself. Systems are normally designed with redundancies, such as a backup of the data and a separate backup of the encryption keys. If segregation of duties is not maintained, a single malicious employee may be able to destroy the primary data, the backups and the encryption keys all at once.

4. Disclosure of Data in Transit

Data needs to be transported between applications, and it is possible to tap into a network to enable confidential data to be read. With cloud storage, the network and server infrastructure is not under your control and there is a risk of data interception.

While many applications use Transport Layer Security (TLS) to encrypt traffic, there is plenty of other communication that cannot use TLS. In a virtualized environment, physical systems are clustered together with virtualized storage, and the underlying storage transport may obscure the data without actually supporting encryption.
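The following Go program is an added example, not code from the original article, that puts threats 2 and 3 together. It encrypts a sensitive column in the application with a per-record data-encryption key (DEK), wraps each DEK under a key-encryption key (KEK) held by a stand-in key manager, and shows what a table dump yields, what happens when ciphertext is modified or moved between rows, and what destroying the KEK does to both the primary row and a byte-identical backup. The KeyManager, Record, Store, Read and Exposes names, the "row-1" identifier and the sample card number are all constructed for this illustration; a real key management service would wrap DEKs inside its own boundary rather than expose the KEK to the application as this simplified version does.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// random returns n random bytes; a crypto/rand failure is unrecoverable, so it panics.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD; a destroyed (nil) key is rejected here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad is authenticated and binds the ciphertext to a context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize()) // fresh per call; each DEK encrypts only one value anyway
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a modified ciphertext or a mismatched aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyManager stands in for an external KMS (hypothetical here); it holds only the key-encryption key (KEK).
type KeyManager struct{ kek []byte }

func NewKeyManager() *KeyManager { return &KeyManager{kek: random(32)} }

// Destroy zeroises the KEK: cryptographic erasure of every DEK wrapped under it, in backups as well as primary.
func (km *KeyManager) Destroy() {
	clear(km.kek)
	km.kek = nil
}

// Record is a row exactly as it sits in the database and in every backup of it.
type Record struct {
	ID         string
	CardNumber []byte // AES-GCM ciphertext under this record's own data-encryption key (DEK)
	WrappedDEK []byte // that DEK, encrypted under the key manager's KEK and bound to ID
}

// Store encrypts the sensitive field in the application before the write, so the database only ever holds ciphertext.
func Store(km *KeyManager, id, card string) (Record, error) {
	dek := random(32)
	ct, err := seal(dek, []byte(card), []byte("card:"+id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(km.kek, dek, []byte("dek:"+id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, CardNumber: ct, WrappedDEK: wrapped}, nil
}

// Read is the authorised application path: unwrap the record's DEK, then decrypt the field.
func Read(km *KeyManager, r Record) (string, error) {
	dek, err := open(km.kek, r.WrappedDEK, []byte("dek:"+r.ID))
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.CardNumber, []byte("card:"+r.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Exposes models what a privileged DBA, or an SQL injection that dumps the table, obtains: the stored bytes.
func Exposes(r Record, secret string) bool {
	return bytes.Contains(r.CardNumber, []byte(secret))
}
```

With storage-level encryption alone, the bytes a DBA's SELECT or an injected query returns would contain the card number; here Exposes reports false because the column holds only AES-GCM ciphertext. Flipping a byte of the ciphertext, or copying it to a row with a different ID, makes Read fail because the GCM tag and the additional authenticated data cover both. After Destroy, Read fails for the primary row and for a backup copy alike, which is the cryptographic erasure of threat 3 and the reason the KEK and its backup need a custodian separate from whoever holds the data backups.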

Balance Risk With Performance, Resilience, Compatibility and Operations

Like all security mechanisms, data encryption has a set of impacts that need to be considered. The primary driver is normally the cost of the encryption, but assuming an unlimited budget, there are potentially some more fundamental impacts on the operation of applications and infrastructure.

One such impact is on performance. Encryption is compute-intensive and is normally assisted by hardware. With self-encrypting drives, the encryption is done in the drive controller; it typically cannot be disabled and has negligible performance impact. When encryption is applied at a more granular level, the impact is much greater: encrypting files costs more than encrypting a logical disk, which in turn costs more than encryption within the physical storage. The added latency and reduced throughput can degrade an application to the point where the business becomes uncompetitive.

The next impact to consider is on resilience. Encryption adds complexity and, depending on how it is implemented, may introduce additional dependencies that increase the complexity of change processes and the risk of infrastructure failure. Think about possible failure scenarios and the dependencies, then test component failure and recovery. Finer-grain encryption may provide improved protection, but it reduces the resilience of an application. For example, even if all keys are lost in a key management system, a storage subsystem may still be recovered with offline recovery keys, whereas data in volume-based encryption may be irretrievably lost without additional controls.

Data encryption also impacts compatibility. An encryption product may depend on a specific application feature that cannot be changed, for example, or it may not support particular file systems or database types. This introduces a constraint that prevents encryption from being used and may require accepting a risk. The finer the encryption (that is, the higher in the application stack it sits), the more such constraints will be revealed.

Lastly, consider the impact on operations. While encryption protects your data, it also makes it difficult to access data when you do need it. If a backup service creates a backup of an encrypted server, how can you restore an individual file without shutting down the production service? Sure, there may be workarounds, but does it still impact service levels?

Encryption solutions are still maturing as they move from being add-on packages to being embedded within applications. Constraints will no doubt reduce over time, but it’s good to be aware of them while deploying encryption.

Tailor Data Encryption to Fit Your Needs

There is no single answer to the question of how to properly use data encryption. It comes down to the risk appetite of a business balancing the security risk against performance, resilience, compatibility and operations.

One possible combination is storage-level encryption for performance together with structured data encryption on a limited number of high-risk applications. Depending on their application and data types, organizations will likely need to apply different architectural patterns and accept some residual risk.

To learn more, download the white paper, “Guard Your Organization’s Data With Intelligent IBM Encryption.”


The post Lessons From the Data Encryption Front Line: Understanding Common Threats appeared first on Security Intelligence.

Author: Mark Buckwell

Data Protection, Infosec- Resources, Keep Backups, Security Configuration, Use a VPN,

5 Methods to Secure Your Company’s Data from Cybercriminals


Your data is a big part of your company. There are a hundred ways to lose all of it in an instant, and that could put you out of business, even more so if you hold the personal information of your customers. Data protection should be applied to all forms of data. That's why I'll teach […]

The post 5 Methods to Secure Your Company’s Data from Cybercriminals appeared first on GBHackers On Security.