
How Chris Thomas Paired His Passion for Blockchain With Pen Testing

Chris Thomas, X-Force Red’s blockchain security expert, has always had an interest in understanding how technologies are built and operated. As a young child, Chris’ father thought it would be enjoyable for the two to build a computer instead of buying a premanufactured one. After two attempts, the father-and-son duo successfully built Chris’ first computer. Little did they know the project would ignite Chris’ future career as a penetration tester.

At just 11 years old, Chris performed his first penetration test, hacking into his school’s network. The content of his school’s information technology class wasn’t challenging for Chris, giving him plenty of time to teach himself how to program. Using his self-taught knowledge, he was able to scan the school’s network and access Windows shares that allowed him to log in as a domain administrator. Because he has a strong moral compass, Chris reported his findings to the school’s system administrator, who became a close ally and supported Chris’ work. Through this experience, Chris knew he wanted to become a penetration tester.

Starting a Career in Penetration Testing

After secondary school, Chris pursued and completed an undergraduate degree in programming and a graduate degree in cybersecurity. He then began his first full-time job working as a system administrator for a large technology company in Manchester, England. Chris’ knowledge was second to none, but his employer would not let him begin his career as a penetration tester with the company. It was not until Chris alpha tested and passed the CREST CRT exam that his company moved him to a junior penetration tester position.

Over the next 10 years, Chris excelled in his role as a penetration tester and became a principal consultant, serving as the technical lead on a project for a large financial institution. He and his team managed the company’s global penetration testing network and built the network access controls from scratch. In the midst of that project, Chris met Thomas MacKenzie, who is now X-Force Red’s associate partner in Europe, the Middle East and Africa.

Joining the X-Force Red Team

Chris has been fascinated by blockchain technology since its inception and its initial ties to cryptocurrency. With a passion for understanding how systems work and function, he immediately educated himself on all things blockchain and bitcoin and has continued researching and tinkering with the technologies ever since.

When Thomas joined X-Force Red, he contacted Chris about his interest in joining the team as well. Thomas knew Chris had a strong interest in blockchain and reminded him that IBM was one of the industry leaders in developing new blockchain technology. Thomas suggested that Chris become X-Force Red’s leading blockchain testing expert, an opportunity Chris accepted without hesitation.

In his current role, leading X-Force Red’s blockchain testing services, Chris combines his passion for penetration testing with his love for blockchain. The team works with clients to find weaknesses not only in the implementation and use of blockchain technology itself, but also in the connected infrastructure.

Alongside X-Force Red’s veteran hackers, who are also developers and engineers, Chris is excited to help shape the adoption and implementation of blockchain across various industries.


This post appeared first on Security Intelligence
Author: Carter Garrison


The Biggest Stories From RSAC 2019: What Scares the Cybersecurity Experts?

RSAC 2019 has officially wrapped. The reported attendance at San Francisco’s Moscone Center was more than 42,500, but to anyone who was there, it seemed like there were at least 60,000 security professionals on the ground. Whether or not you attended, there was no possible way to take in all of the 31 keynotes, 621 sessions and more than 700 vendors in the business expo. Fortunately, the RSA show website is filled with free materials, including on-demand presentation videos, conference blog posts and slide decks to capture what you missed.

When you’re at a show as large as RSAC 2019, it’s only natural that you’ll discover perspectives that are new and, sometimes, at odds. The conference brings together luminaries and cybersecurity experts from diverse fields such as research, government, industry and nonprofit sectors. This can result in tension, like the clash in perspectives between cryptography experts and government officials around privacy rights on the show’s opening day.

The diverse viewpoints at RSAC can also facilitate intensive collaboration around much-needed solutions, such as the mini-track on Wednesday dedicated to the growing need for public interest technologists. When the perspectives of chief information security officers (CISOs) and experts at RSAC 2019 are viewed as a continuum, you can begin to see a story emerging about the state of cybersecurity in 2019 and what organizations should pay attention to moving forward.

Your Security Ecosystem Matters

In the business expo, presentations and in conversations with CISOs, there was a very real sense that the industry is moving away from distributed security solutions and products. Security leaders and vendors are increasingly realizing the risks of deploying too many standalone solutions that don’t talk to each other. It’s costly and it doesn’t create better security results for many organizations. The industry is beginning to emphasize the value of a single-pane-of-glass approach.

Rob Westervelt, research director at the International Data Corporation (IDC), believes the growing complexity of security solutions has created gaps in coverage in the enterprise because many organizations don’t understand the capabilities of the technology they have deployed. When you’re trying to manage a complex security stack, it can easily create issues with misconfiguration and policies that aren’t uniform across the enterprise.

Infrastructure Attacks Could Become a Nightmare

There was, unsurprisingly, a heightened focus on the risks of infrastructure-level attacks at the conference. Former CIA director and former secretary of defense Leon Panetta’s biggest nightmare is a malware attack that disables critical parts of U.S. infrastructure. As reported by ZDNet, Panetta believes that an attack of this nature has the potential to be a “digital Pearl Harbor” with millions of lives lost.

Open Collaboration and New Releases

RSA Conference 2019 invariably hosts exciting new tech announcements, including the National Security Agency’s (NSA) Ghidra reverse engineering tool for open collaboration among security researchers. Reverse engineering is the technical practice of taking code of unknown origin, including malware, and analyzing its components to understand the code’s capabilities. It’s a primary focus among security researchers working to understand and stop emerging threats, including zero-day viruses and advanced persistent threats (APTs).

IBM announced its X-Force Red Blockchain Testing service to test for vulnerabilities in enterprise blockchain platforms. IBM’s X-Force Red security team will provide services to test the back-end processes for networks powered by blockchain, including a comprehensive analysis of chain code, public key infrastructure, hyperledgers and the applications used for access control. The service will also assess the hardware and software applications that are usually used to control access to and manage blockchain networks.

Maintain Trust With Digital Risk Management

Rohit Ghai, president of RSA, is scared of the “cataclysmic results” of a possible future in which trust no longer exists. He defines trust as the ability for an organization to understand and manage risk. Ghai believes that mechanisms to ensure trust — and the presence of trust — are critical for enterprise IT to work effectively.

Ghai urged organizations to “think of security as a risk management problem; focus on minimizing impact.” To maintain an effective environment where trust can exist, Ghai advised companies to adopt solutions for digital risk management, including automated solutions for risk identification and silent security.

The Most Dangerous Hacks Are Dynamic

In a highly anticipated panel discussion, researchers from the SANS Institute presented their top exploits. Ed Skoudis, Heather Mahalik and Johannes Ullrich highlighted the risks of DNS hijacking, domain fronting and, increasingly, targeted attacks on an organization via compromised cloud accounts. According to Mahalik, attackers are increasingly learning to leverage information stored in public cloud services and using this data against users and enterprises.

Security Isn’t Funny

The final keynote at RSAC 2019 was a conversation with comedian, actress and writer Tina Fey. When asked if she saw any similarities between comedy and cybersecurity, Fey simply responded, “No.” Cybersecurity isn’t funny to Fey, and many of the 42,500 attendees at the RSA conference would likely agree with her.

Fey proceeded to draw similarities between her experience in improv comedy, perhaps inspired by her time on Saturday Night Live, and how she thinks organizations can improve. According to Fey, both improv groups and cybersecurity teams need to trust peers, collaborate and practice extensively to improve.

This perspective was echoed by IBM Security General Manager Mary O’Brien in her joint keynote with IBM Security Vice President Caleb Barlow, “Change Your Approach to Get It Right.”

“I think it’s time to rewrite our playbook,” O’Brien said. “As an industry, we face unrelenting waves of new attacks and business challenges … we need to be exponentially better.”

O’Brien called for open collaboration in the organization and new agile working models for companies. She encouraged organizations to forget everything they thought they knew about perfect security to move forward.

“We need a culture that knows failing is part of making progress, a culture that encourages other points of view and new ways of operating,” she said.

RSAC 2019 in Review

As RSAC 2019 is reviewed over the next days and weeks, it’s clear cybersecurity is no longer simply the IT department’s responsibility. CISOs are sitting closer to the board. Cybersecurity is an increasingly political and cultural issue, and new public interest technologists are needed to create effective policy and progress in government.

Threats and risks continue to evolve, and few attendees at RSAC would argue that the old ways of doing things can move anyone forward. We need new models, new security ecosystems and new types of cybersecurity experts for the industry to become “exponentially better.”


This post appeared first on Security Intelligence
Author: Jasmine Henry


At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists

Cybersecurity experts are no longer the only ones involved in the dialogue around data privacy. At RSA Conference 2019, it’s clear how far security and privacy have evolved since RSAC was founded in 1991. The 28th annual RSAC has a theme of “better,” a concept that speaks to the influence of technology on culture and people.

“Today, technology makes de facto policy that’s far more influential than any law,” said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School, in his RSAC 2019 session titled “How Public Interest Technologists are Changing the World.”

“Law is forever trying to catch up with technology. And it’s no longer sustainable for technology and policy to be in different worlds,” Schneier said. “Policymakers and civil society need the expertise of technologists badly, especially cybersecurity experts.”

Public policy and personal privacy don’t always coexist peacefully. This tension is clear among experts from cryptography, government and private industry backgrounds at RSAC 2019. In the past year, consumer awareness and privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have created an intensely public dialogue about data security for perhaps the first time in history.

The Cryptographer’s Panel, which opened the conference on Tuesday, delved into issues of policy, spurred in part by the fact that Adi Shamir — the “S” in RSA — was denied a visa to attend the conference. Bailey Whitfield Diffie, who founded public-key cryptography, directly addressed the tension between the legislature, personal privacy and autonomy. Other keynote speakers called for collaboration.

“We are not seeking to destroy encryption, but we are duty-bound to protect the people,” stated FBI Director Christopher Wray. “We need to come together to figure out a way to do this.”

Moving forward to create effective policy will require technical expertise and the advent of a new type of cybersecurity expert: the public interest technologist.

Why Policymakers Need Public Interest Technologists

“The problem is that almost no policymakers are discussing [policy] from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate,” wrote Schneier in a blog post this week. “The result is … policy proposals — that occasionally become law — that are technological disasters.”

“We also need cybersecurity technologists who understand — and are involved in — policy. We need public-interest technologists,” Schneier wrote. This profession can be defined as a skilled individual who collaborates on tech policy or projects with a public benefit, or who works in a traditional technology career at an organization with a public focus.

The idea of the public interest technologist isn’t new. It has been formally defined by the Ford Foundation, and it’s the focus of a class taught by Schneier at the Harvard Kennedy School. However, it’s clear from the discussions at RSAC and the tension that exists between privacy, policy and technology in cybersecurity dialogue that public interest technologists are more critically needed than ever before.

Today, Schneier said, “approximately zero percent” of computer science graduates directly enter the field of public interest work. What can cybersecurity leaders and educators do to increase this number and the impact of their talent on the public interest?

Technology and Policy Have to Work Together

Schneier wants public interest technology to become a viable career path for computer science students and individuals currently working in the field of cybersecurity. To that end, he worked with the Ford Foundation and RSAC 2019 to set up an all-day mini-track at the conference on Thursday. Throughout the event, there was a focus on dedicated individuals who are already working to change the world.

Schneier isn’t the only expert pushing for more collaboration and public interest work. A Tuesday panel discussion focused on how female leaders in government are breaking down barriers, creating groundbreaking policy and helping the next generation of talent flourish. Public interest track speaker and former data journalist Matt Mitchell was inspired by the 2013 George Zimmerman trial to create the nonprofit organization CryptoHarlem and start a new career as a public interest cybersecurity expert, according to Dark Reading.

On Thursday, IBM Security General Manager Mary O’Brien issued a clear call for organizations to change their approach to cybersecurity, including focusing on diversity of thought in her keynote speech. “Cross-disciplinary teams provide the ideas and insights that help us get better,” O’Brien said. “We face complex challenges and diverse attackers. Security simply will not be better or best if we rely on technologists alone.”

It’s Time for Organizations to Take Action

When it comes to creating an incentive for talented individuals to enter public interest work, a significant piece of responsibility falls on private industry. Schneier challenged organizations to work to establish public interest technology as a viable career path and become more involved in creating informed policy. He pointed to the legal sector’s offering of pro bono work as a possible financial model for organizations in private industry.

“In a major law firm, you are expected to do some percentage of pro bono work,” said Schneier. “I’d love to have the same thing happen in technology. We are really trying to jump start this movement … [however, many] security vendors have not taken this seriously yet.”

There are already some examples of private organizations that are creating new models of collaboration to create public change, including the Columbia-IBM Center for Blockchain and Data Transparency, a recent initiative to create teams of academics, scientists, business leaders and government officials to work through issues of “policy, trust, sharing and consumption” by using blockchain technology.

It’s possible to achieve the idea of “better” for everyone when organizations become actively involved in public interest work. There is an opportunity to become a better company, strengthen public policy and attract more diverse talent at the same time.

“We need a cultural change,” said Schneier.

In a world where technology and culture are one and the same, public interest technologists are critical to a better future.


This post appeared first on Security Intelligence
Author: Jasmine Henry


Don’t Believe Your Eyes: Deepfake Videos Are Coming to Fool Us All

In 2017, an anonymous Reddit user under the pseudonym “deepfakes” posted links to pornographic videos that appeared to feature famous mainstream celebrities. The videos were fake. And the user created them using off-the-shelf artificial intelligence (AI) tools.

Two months later, Reddit banned the deepfakes account and related subreddit. But the ensuing scandal revealed a range of university, corporate and government research projects under way to perfect both the creation and detection of deepfake videos.

Where Deepfakes Come From (and Where They’re Going)

Deepfakes are created using AI technology called generative adversarial networks (GANs), which can be used broadly to create fake data that can pass as real data. To oversimplify how GANs work, two machine learning (ML) algorithms are pitted against each other. One creates fake data and the other judges the quality of that fake data against a set of real data. They continue this contest at massive scale, continually getting better at making fake data and judging it. When both algorithms become extremely good at their respective tasks, the product is a set of high-quality fake data.

In the case of deepfakes, the authentic data set consists of hundreds or thousands of still photographs of a person’s face. This gives the algorithm a wide selection of images showing the face from different angles and with different facial expressions, which it can draw on and judge against as it experimentally adds synthesized frames to the video during the learning phase.

Carnegie Mellon University scientists even figured out how to impose the style of one video onto another using a technique called Recycle-GAN. Instead of convincingly replacing someone’s face with another, the Recycle-GAN process enables the target to be used like a puppet, imitating every head movement, facial expression and mouth movement in the exact way as the source video. This process is also more automated than previous methods.

Most of these videos today are either pornography featuring celebrities, satire videos created for entertainment or research projects showing rapidly advancing techniques. But deepfakes are likely to become a major security concern in the future. Today’s security systems rely heavily on surveillance video and image-based biometric security. Since the majority of breaches occur because of social engineering-based phishing attacks, it’s certain that criminals will turn to deepfakes for this purpose.

Deepfake Videos Are Getting Really Good, Really Fast

The earliest publicly demonstrated deepfake videos tended to show talking heads, with the subjects seated. Now, full-body deepfakes developed in separate research projects at Heidelberg University and the University of California, Berkeley are able to transfer the movements of one person to another. One form of authentication involves gait analysis. These kinds of full-body deepfakes suggest that the gait of an authorized person could be transferred in video to an unauthorized person.

Here’s another example: Many cryptocurrency exchanges authenticate users by making them photograph themselves holding up their passport or some other form of identification as well as a piece of paper with something like the current date written on it. This can be easily foiled with Photoshop. Some exchanges, such as Binance, found many attempts by criminals to access accounts using doctored photos, so they and others moved to video instead of photos. Security analysts worry that it’s only a matter of time before deepfakes will become so good that neither photos nor videos like these will be reliable.

The biggest immediate threat for deepfakes and security, however, is in the realm of social engineering. Imagine a video call or message that appears to be your work supervisor or IT administrator, instructing you to divulge a password or send a sensitive file. That’s a scary future.

What’s Being Done About It?

Increasingly realistic deepfakes have enormous implications for fake news, propaganda, social disruption, reputational damage, evidence tampering, evidence fabrication, blackmail and election meddling. Another concern is that the perfection and mainstreaming of deepfakes will cause the public to doubt the authenticity of all videos.

Security specialists, of course, will need to have such doubts as a basic job requirement. Deepfakes are a major concern for digital security specifically, but also for society at large. So what can be done?

University Research

Some researchers say that analyzing the way a person in a video blinks, or how often they blink, is one way to detect a deepfake. In general, deepfakes show insufficient or even nonexistent blinking, and the blinking that does occur often appears unnatural. Breathing is another movement usually not present in deepfakes, along with hair (it often looks blurry or painted on).

Researchers from the State University of New York (SUNY) at Albany developed a deepfake detection method that uses AI technology to look for natural blinking, breathing and even a pulse. It’s only a matter of time, however, before deepfakes make these characteristics look truly “natural.”

Government Action

The U.S. government is also taking precautions: Congress could consider a bill in the coming months to criminalize both the creation and distribution of deepfakes. Such a law would likely be challenged in court as a violation of the First Amendment, and would be difficult to enforce without automated technology for identifying deepfakes.

The government is working on the technology problem, too. The National Science Foundation (NSF), Defense Advanced Research Projects Agency (DARPA) and Intelligence Advanced Research Projects Agency (IARPA) are looking for technology to automate the identification of deepfakes. DARPA alone has reportedly spent $68 million on a media forensics capability to spot deepfakes, according to CBC.

Private Technology

Private companies are also getting in on the action. A new cryptographic authentication tool called Amber Authenticate can run in the background while a device records video. As reported by Wired, the tool generates hashes — “scrambled representations” — of the data at user-determined intervals, which are then recorded on a public blockchain. If the video is manipulated in any way, the hashes change, alerting the viewer to the probability that the video has been tampered with. A dedicated player feature shows a green frame for portions of video that are faithful to the original, and a red frame around video segments that have been altered. The system has been proposed for police body cams and surveillance video.

A similar approach was taken by a company called Factom, whose blockchain technology is being tested for border video by the Department of Homeland Security (DHS), according to Wired.
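The interval-hashing scheme described above, as an added illustration (this is not Amber Authenticate’s or Factom’s own code): the recorder hashes each segment as it is captured and appends the hash to an append-only ledger, and a player later re-hashes the presented file and marks each segment green or red. The “user-determined interval” is modelled here as a fixed number of bytes per segment, the public blockchain is modelled as an in-memory hash chain, and the sample video is a constructed byte string; all three are assumptions for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for an encoded video stream (1024 bytes). A real tool
# would split the recording by time interval; here the interval is a byte count
# (assumption) so the example runs offline without any media library.
ORIGINAL_VIDEO = b"".join(bytes([i % 251]) * 16 for i in range(64))
INTERVAL = 128  # bytes per segment -> 8 segments for the sample above


def chunk(data: bytes, interval: int) -> List[bytes]:
    """Split the stream into fixed-size segments; the last one may be short."""
    return [data[i:i + interval] for i in range(0, len(data), interval)]


def segment_hash(segment: bytes) -> str:
    return hashlib.sha256(segment).hexdigest()


class Ledger:
    """Minimal append-only ledger standing in for the public blockchain.

    Each entry commits to the previous entry's hash, so rewriting an old
    entry after the fact breaks the chain and is detected by is_consistent().
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Tuple[int, str, str]] = []  # (index, seg_hash, entry_hash)

    @staticmethod
    def _entry_hash(prev: str, index: int, seg_hash: str) -> str:
        return hashlib.sha256(f"{prev}:{index}:{seg_hash}".encode()).hexdigest()

    def append(self, index: int, seg_hash: str) -> str:
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        entry_hash = self._entry_hash(prev, index, seg_hash)
        self.entries.append((index, seg_hash, entry_hash))
        return entry_hash

    def is_consistent(self) -> bool:
        prev = self.GENESIS
        for index, seg_hash, entry_hash in self.entries:
            if entry_hash != self._entry_hash(prev, index, seg_hash):
                return False
            prev = entry_hash
        return True

    def recorded_hashes(self) -> Dict[int, str]:
        return {index: seg_hash for index, seg_hash, _ in self.entries}


def record(video: bytes, interval: int, ledger: Ledger) -> int:
    """Recorder side: hash every segment as it is captured and publish it."""
    segments = chunk(video, interval)
    for index, segment in enumerate(segments):
        ledger.append(index, segment_hash(segment))
    return len(segments)


def verify(video: bytes, interval: int, ledger: Ledger) -> List[Tuple[int, str]]:
    """Player side: return (segment index, 'green' | 'red') for every segment.

    A segment is green only if its hash matches the one recorded at capture
    time. Segments that were recorded but are missing from the presented file
    (truncation) are reported red as well, so silent cutting is not hidden.
    """
    if not ledger.is_consistent():
        raise ValueError("ledger chain is broken; recorded hashes cannot be trusted")
    recorded = ledger.recorded_hashes()
    segments = chunk(video, interval)
    verdicts = [
        (index, "green" if recorded.get(index) == segment_hash(seg) else "red")
        for index, seg in enumerate(segments)
    ]
    for index in sorted(recorded):
        if index >= len(segments):
            verdicts.append((index, "red"))
    return verdicts


def tamper(video: bytes, offset: int, replacement: bytes) -> bytes:
    """Overwrite a few bytes in place, simulating an edited frame."""
    return video[:offset] + replacement + video[offset + len(replacement):]


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Record the constructed video, then verify a clean, an edited and a cut copy."""
    ledger = Ledger()
    record(ORIGINAL_VIDEO, INTERVAL, ledger)
    clean = verify(ORIGINAL_VIDEO, INTERVAL, ledger)
    # Edit three bytes at offset 300, which lies inside segment 2 (bytes 256-383).
    edited = verify(tamper(ORIGINAL_VIDEO, 300, b"\xff\xff\xff"), INTERVAL, ledger)
    # Drop the last three segments entirely.
    cut = verify(ORIGINAL_VIDEO[:5 * INTERVAL], INTERVAL, ledger)
    return clean, edited, cut


if __name__ == "__main__":
    for label, verdicts in zip(("clean", "edited", "cut"), demo()):
        print(label, [colour for _, colour in verdicts])
```

A green result only shows the bytes are unchanged since the hashes were published; it says nothing about whether the recorder itself was trustworthy at capture time, which is why the scheme targets devices such as body cameras where hashing happens on the device.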

Security Teams Should Prepare for Anything and Everything

The solution to deepfakes may lie in some combination of education, technology and legislation — but none of these will work without the technology part. Because when deepfakes get really good, as they inevitably will, only machines will be able to tell the real videos from the fake ones. This deepfake technology is coming, but nobody knows when. We should also assume that an arms race will arise with malicious deepfake actors inventing new methods to overcome the latest detection systems.

Security professionals need to consider the coming deepfake wars when analyzing future security systems. If they’re video or image based — everything from facial recognition to gait analysis — additional scrutiny is warranted.

In addition, you should add video to the long list of media you cannot trust. Just as training programs and digital policies make clear that email may not come from who it appears to come from, video will need to be met with similar skepticism, no matter how convincing the footage. Deepfake technology will also inevitably be deployed for blackmail purposes, which will be used for extracting sensitive information from companies and individuals.

The bottom line is that deepfake videos that are indistinguishable from authentic videos are coming, and we can scarcely imagine what they’ll be used for. We should start preparing for the worst.


This post appeared first on Security Intelligence
Author: Mike Elgan


Spring Cleaning for CISOs: Replace These 3 Bad Habits With Better Cybersecurity Practices

Spring is (almost) here, which means it’s time for some in-house security cleaning. With the holiday shopping season — one of the most treacherous times of year for security — in the rearview, organizations should take a step back to assess what is working, drop what isn’t and invest in the tools they need to take their security strategy to the next level.

With that in mind, let’s take a closer look at three cybersecurity practices chief information security officers (CISOs) need to toss this year, and three that could help reduce overall risk for the enterprise.

Clean Up Your Security Act This Spring

Regardless of the size or type of company, awareness level of employees, or maturity of the technology infrastructure, there is always room for security leaders to improve the enterprise’s overall risk posture. CISOs should crack down on these bad habits to help clean up their organizations’ security act this spring.

1. Patch Postponement

Other tasks often take priority over patching, especially if updates aren’t considered critical. What happens if patches cause app outages, network challenges or productivity loss? This is especially problematic when CISOs tackle spring cybersecurity cleaning. Given the high level of disruption that comes with annual cleanups, patches are often put off until later, but in many cases later never comes.

Here’s the good news for security hygiene: According to a Kenna Security report, less than 2 percent of published Common Vulnerabilities and Exposures (CVEs) have been actively exploited in the wild. The not-so-good news is that, with more than 3 billion vulnerabilities identified in volume two of the same study, this amounts to more than 540 million potentially problematic exploits. It’s no surprise, then, that only 30 percent of vulnerabilities are remediated within 30 days of being discovered.

To get back on track, organizations must toss the notion that patches are optional and prioritize patch progress.

2. Overvalued VPNs

Many companies still use virtual private networks (VPNs) as their preferred method of securing network access, especially for remote users. The problem is that, as reported by Tech Beacon, VPNs often provide complete network access (whether it is needed or not), are cumbersome to manage and can fragment security controls.

Consider the use case for VPNs. Designed to secure internal services when users interact with external applications, VPNs excel at encrypting traffic and obfuscating origin points. But they come with a built-in flaw: They’re natively external, introducing an inherent element of risk. This externality is contagious. The rise of mobile and cloud computing services has shifted the bulk of corporate IT outside of local server stacks, in turn reducing the efficacy of VPN offerings. Widespread use of VPNs, meanwhile, has led to an uptick in VPN-based malware; according to Top10VPN, roughly 20 percent of the top 150 free Android VPN clients may contain malicious code.

The bottom line is that while VPNs have their uses, many corporations are due for a connection cleanup to maximize their value.

3. Password Paradoxes

CISOs are stuck: While standard login security measures remain a staple of network access, they’re notoriously insecure. The proof is in the passwords, and some of the worst of this past year included “123456,” “sunshine,” “qwerty” and the ever-popular “password,” according to SplashData, making it easy for malicious actors to compromise accounts and steal data.

Common cybersecurity practices to improve password potency include asking employees to regularly change passwords or use complex combinations of characters and numbers. The problem is that, according to LastPass, only 55 percent of users change their passwords — even when hacked. Increased complexity, meanwhile, can lead to user frustration and insecure password practices such as keeping hard copies near desktop computers. Even password managers are no guarantee of safety; misconfigured cloud storage or targeted attacks can put millions of credentials at risk.

Get on Track With These Next-Level Cybersecurity Practices and Technologies

While streamlined security hygiene helps limit overall risk, deep cuts must be balanced with solid cybersecurity additions. This spring, start by bolstering your strategy with the following cutting-edge technologies.

1. Prioritize Patching With Intelligent Automation

2019 will see the rise of automated tools that can schedule patches and other maintenance around corporate needs and help avoid the problem of put-off patches. As noted by Forbes, “more organizations will combine artificial intelligence and robotic process automation to create digital workers.”

Artificial intelligence (AI) offers a more efficient way to manage the biggest problem with security patching: prioritization. Given the sheer number of vulnerabilities and patches, it’s difficult for CISOs to know what’s worth the workflow interruption and what can go (temporarily) unpatched. Intelligent automation can help streamline this process.

2. Shift to Zero-Trust IAM

Identity is everything. While VPNs exist as a catch-all — a kind of all-in-one security solution that often overprovisions access — advanced identity and access management (IAM) tools can help solve this problem by focusing on user identity as the defining factor for access.

IAM solutions focus on zero-trust paradigms, which CSO Online described as a model of “never trust, always verify.” By using multiple factors to authenticate user identities and providing IT professionals with granular management controls, it’s possible to tackle security on a per-user rather than per-connection basis and enhance the protection of critical assets.

Also in development are blockchain-based IAM technologies that link access to a shared ledger of identities. The challenge is to balance the need for ID certainty against potential privacy concerns.

3. Address Persistent Password Problems With U2F

It’s one thing to acknowledge that passwords are a problem — many IT professionals can speak at length about the issues surrounding typical access credentials. The hard truth, however, is that passwords aren’t going anywhere.

But it’s not all bad news: Companies can toss overly restrictive password management by pairing passwords with additional authentication layers. Two-factor authentication (2FA) is the most obvious choice, but recent research produced proof-of-concept attacks that can easily spy on 2FA delivery methods. Another option is universal second factor (U2F), which uses physical tokens to eliminate the possibility of man-in-the-middle (MitM) authentication attacks. With 2FA now potentially vulnerable, U2F offers a way to secure valuable assets with minimal workflow disruption.
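The reason a physical U2F token resists the man-in-the-middle attacks that defeat one-time codes is that the token signs the origin the browser actually loaded, not whatever the page claims to be. The following simulation is an added example, not code from Security Intelligence or any U2F vendor: a hypothetical `Token` and `RelyingParty` show an honest login succeeding while a replayed response and a response obtained through a phishing origin both fail. It stands in an HMAC keyed per origin for the ECDSA key pair a real token would use, so it runs on the standard library alone; the origin names are constructed.

```python
import hashlib
import hmac
import secrets


def _app_id_hash(app_id):
    return hashlib.sha256(app_id.encode()).digest()


class Token:
    """Hypothetical U2F-style authenticator (constructed for this example).

    A real token holds an ECDSA key pair per registration; here a per-origin
    HMAC key derived from a device secret stands in for that key pair. The
    property demonstrated, that the signature covers the origin the browser
    actually loaded, is the same.
    """

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)
        self.counter = 0

    def _key_for(self, app_id):
        return hmac.new(self._device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        # Real U2F hands the relying party a public key; this simplified model
        # hands over the verification key itself (an assumption of the model).
        return self._key_for(app_id)

    def sign(self, app_id, challenge):
        """Sign (hash of origin, challenge, counter); app_id comes from the browser, not the page."""
        self.counter += 1
        message = _app_id_hash(app_id) + challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self._key_for(app_id), message, hashlib.sha256).digest()


class RelyingParty:
    """Server side: issues one-time challenges and verifies origin-bound signatures."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.keys = {}
        self.counters = {}
        self.pending = {}

    def register(self, user, token):
        self.keys[user] = token.register(self.app_id)
        self.counters[user] = 0

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, counter, signature):
        challenge = self.pending.pop(user, None)   # one-time: a replay finds nothing
        if challenge is None or user not in self.keys:
            return False
        message = _app_id_hash(self.app_id) + challenge + counter.to_bytes(4, "big")
        expected = hmac.new(self.keys[user], message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False            # wrong key or wrong origin inside the signed message
        if counter <= self.counters[user]:
            return False            # counter went backwards: cloned token or replay
        self.counters[user] = counter
        return True


def demo():
    rp = RelyingParty("https://bank.example.test")       # constructed origin
    token = Token()
    rp.register("alice", token)
    results = {}

    # Honest login: the browser passes the real origin to the token.
    challenge = rp.begin_login("alice")
    counter, sig = token.sign(rp.app_id, challenge)
    results["honest"] = rp.finish_login("alice", counter, sig)

    # Replay of the captured honest response: the challenge has been consumed.
    results["replayed"] = rp.finish_login("alice", counter, sig)

    # Man-in-the-middle phishing: the attacker relays the genuine challenge, but the
    # victim's browser gives the token the origin it actually loaded, so the
    # signature covers the wrong origin and is computed under the wrong key.
    challenge = rp.begin_login("alice")
    counter, sig = token.sign("https://bank-login.evil.test", challenge)
    results["phished"] = rp.finish_login("alice", counter, sig)
    return results
```

The relying party never has to decide whether a request "looks phishy"; the origin binding and the one-time challenge do that work, which is why the workflow disruption for the user stays minimal.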

Spring Into Action to Boost Your Security Posture

Spring offers the perfect opportunity to clean out old cybersecurity practices that are cluttering up IT environments and bolster security efforts with more effective additions.

Start with patch postponement. Instead of waiting for the worst and hoping for the best, leverage intelligent automation to prioritize application updates. Reduce corporate reliance on VPN solutions by opting for ID-based IAM, and push back against bad passwords with the secure authentication of U2F.

The post Spring Cleaning for CISOs: Replace These 3 Bad Habits With Better Cybersecurity Practices appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Application Security, Blockchain, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, IBM Security, Identity & Access, Identity and Access Management (IAM), Identity Governance, Penetration Testing, Security Services, X-Force,

Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is what’s to be expected considering bitcoin was the first major cryptocurrency that made blockchain a household name. However, bitcoin is only one among a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one application of many uses by which blockchain can aid society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. The data is stored within a block, where it is digitally recorded and linked together with other blocks, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions. The transactions are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Any data stored on the blockchain is “immutable,” meaning it cannot be changed. Also, all network participants have a copy of the data, meaning everything is transparent and everyone has the same version of truth.
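To make the linking, validation and immutability described above concrete, here is an added single-node model (not code from Security Intelligence or IBM): each block carries the SHA-256 hash of its predecessor, a transaction is committed only if it validates against the current balances (a stand-in for the network's consensus rule), and `verify()` rechecks every hash, every link and every transaction from genesis. It also illustrates the "cryptographically assured ledger" of the later section: changing a committed amount breaks the block's own hash, and recomputing that hash breaks the link from the next block. The accounts and amounts are constructed.

```python
import hashlib
import json


def _hash_block(block):
    """SHA-256 over the block's canonical JSON (the stored hash field excluded)."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ToyLedger:
    """Constructed single-node model of a hash-linked ledger with a validation rule."""

    def __init__(self, initial_balances):
        genesis = {"index": 0, "prev_hash": "0" * 64,
                   "transactions": [{"issue": dict(initial_balances)}]}
        genesis["hash"] = _hash_block(genesis)
        self.chain = [genesis]
        self.state = {}                          # account -> balance
        self._apply(genesis["transactions"][0], self.state, 0)

    @staticmethod
    def _apply(tx, state, block_index):
        """Validation rule standing in for consensus: update state or reject with False."""
        if "issue" in tx:                        # initial issuance is allowed in genesis only
            if block_index != 0:
                return False
            state.update(tx["issue"])
            return True
        amount = tx.get("amount", 0)
        if not isinstance(amount, int) or amount <= 0:
            return False
        if state.get(tx["from"], 0) < amount:    # no overspending
            return False
        state[tx["from"]] -= amount
        state[tx["to"]] = state.get(tx["to"], 0) + amount
        return True

    def add_block(self, transactions):
        """Commit a block only if every transaction validates against the current state."""
        index = len(self.chain)
        trial = dict(self.state)
        for tx in transactions:
            if not self._apply(tx, trial, index):
                return False
        block = {"index": index, "prev_hash": self.chain[-1]["hash"],
                 "transactions": transactions}
        block["hash"] = _hash_block(block)
        self.chain.append(block)
        self.state = trial
        return True

    def verify(self):
        """Recheck every block hash and link, then replay all transactions from genesis."""
        state = {}
        for i, block in enumerate(self.chain):
            if block["index"] != i or block["hash"] != _hash_block(block):
                return False
            if i > 0 and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False
            for tx in block["transactions"]:
                if not self._apply(tx, state, i):
                    return False
        return state == self.state


def demo():
    ledger = ToyLedger({"alice": 100, "bob": 0})
    accepted = ledger.add_block([{"from": "alice", "to": "bob", "amount": 40}])
    overspend = ledger.add_block([{"from": "bob", "to": "carol", "amount": 60}])  # bob holds 40
    accepted2 = ledger.add_block([{"from": "bob", "to": "carol", "amount": 30}])
    intact = ledger.verify()
    # Tamper with committed data in this copy of the ledger.
    ledger.chain[1]["transactions"][0]["amount"] = 90
    tampered = ledger.verify()
    # Even if the tamperer recomputes that block's hash, the next block's link no longer matches.
    ledger.chain[1]["hash"] = _hash_block(ledger.chain[1])
    rehashed = ledger.verify()
    return {"accepted": accepted, "overspend_rejected": not overspend, "accepted2": accepted2,
            "intact": intact, "tampered": tampered, "rehashed": rehashed,
            "height": len(ledger.chain), "balances": ledger.state}
```

On a real network every participant holds a copy and runs the same checks, so a tampered copy is simply outvoted; what the chain cannot do is vouch for data that was already wrong when it was committed, which is the smart contract concern raised later in this post.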

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation makes its way into mainstream markets, served to average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued at between $20 billion and $60 billion. This significant growth represents up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, while blockchain is straightforward in concept, if it is improperly implemented, flaws and vulnerabilities can result in real risk and security consequences. What would happen if someone could change the smart contract’s data before it is stored on the chain? Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!
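The monitoring point above ("should an internal host be scanning your internal network?") can be turned into a concrete detection. The following is an added example, not X-Force Red's tooling: it parses constructed flow records (the `timestamp src dst port action` layout is an assumption), keeps only internal-to-internal traffic, and flags any source that touches many distinct ports or many distinct hosts inside a sliding time window. Thresholds and addresses are constructed and would be tuned to the environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: a normal client (10.0.5.20), a port sweep of one host
# (10.0.7.77), a host sweep on SMB (10.0.3.5) and one external source that this
# rule deliberately ignores. Format: timestamp src dst dst_port action.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z 10.0.5.20 10.0.9.10 443 ALLOW
2019-03-04T09:00:02Z 10.0.5.20 10.0.9.11 443 ALLOW
2019-03-04T09:00:03Z 10.0.5.20 10.0.9.12 443 ALLOW
2019-03-04T09:01:00Z 10.0.7.77 10.0.9.10 21 DENY
2019-03-04T09:01:03Z 10.0.7.77 10.0.9.10 22 ALLOW
2019-03-04T09:01:06Z 10.0.7.77 10.0.9.10 23 DENY
2019-03-04T09:01:09Z 10.0.7.77 10.0.9.10 25 DENY
2019-03-04T09:01:12Z 10.0.7.77 10.0.9.10 80 ALLOW
2019-03-04T09:01:15Z 10.0.7.77 10.0.9.10 110 DENY
2019-03-04T09:01:18Z 10.0.7.77 10.0.9.10 139 DENY
2019-03-04T09:01:21Z 10.0.7.77 10.0.9.10 443 ALLOW
2019-03-04T09:01:24Z 10.0.7.77 10.0.9.10 445 DENY
2019-03-04T09:01:27Z 10.0.7.77 10.0.9.10 3389 DENY
2019-03-04T09:03:00Z 10.0.3.5 10.0.9.1 445 DENY
2019-03-04T09:03:01Z 10.0.3.5 10.0.9.2 445 DENY
2019-03-04T09:03:02Z 10.0.3.5 10.0.9.3 445 DENY
2019-03-04T09:03:03Z 10.0.3.5 10.0.9.4 445 DENY
2019-03-04T09:03:04Z 10.0.3.5 10.0.9.5 445 DENY
2019-03-04T09:03:05Z 10.0.3.5 10.0.9.6 445 DENY
2019-03-04T09:03:06Z 10.0.3.5 10.0.9.7 445 DENY
2019-03-04T09:03:07Z 10.0.3.5 10.0.9.8 445 DENY
2019-03-04T09:03:08Z 10.0.3.5 10.0.9.9 445 DENY
2019-03-04T09:03:09Z 10.0.3.5 10.0.9.10 445 DENY
2019-03-04T09:05:00Z 203.0.113.8 10.0.9.10 443 ALLOW
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield (timestamp, src, dst, port) for each well-formed record; skip blanks."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, port, _action = fields
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))


def detect_scanners(log_text, window_seconds=60, port_threshold=10, host_threshold=10):
    """Flag internal sources that hit >= port_threshold ports or >= host_threshold hosts
    on the internal network within any window_seconds-long sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst, port))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            current = events[start:end + 1]
            ports = {p for _, _, p in current}
            hosts = {d for _, d, _ in current}
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                findings[str(src)] = {
                    "distinct_ports": len(ports), "distinct_hosts": len(hosts),
                    "first_seen": current[0][0].isoformat(),
                    "last_seen": current[-1][0].isoformat()}
                break                            # one alert per source is enough
    return findings
```

The normal client never comes near either threshold, while both sweeps trip an alert within their first minute of activity; the same records would feed the incident response procedures the post describes, and raising or lowering the thresholds is how the rule is tuned against the noise of legitimate inventory or vulnerability scanners.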

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority be disclosed to an unauthorized third party, then it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.

Learn more about X-Force Red’s blockchain testing services

The post Blockchain: Making the Reward Much Greater Than the Risk appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christopher Thomas

Apple Safari, Blockchain, chrome, cryptocurrency, Cryptocurrency wallet, Edge browser, ethereum, Firefox, Google, Google Chrome, Microsoft Edge, opera, Opera R3, Privacy, Web 3.0, Web Browsers,

Opera integrates a cryptocurrency wallet – is this Web 3.0?

When it appears in the next few weeks, the next version of Opera (“Reborn 3” or “R3”) for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.

This post appeared first on Naked Security Blog by Sophos
Author: John E Dunn

bitcoin, Bitcoin Satoshi Vision (BSV), Blockchain, child abuse imagery, cryptocurrency, Law & order,

Child abuse imagery found in cryptocurrency blockchain

For the second time in a year, illegal child abuse images have been spotted inside a blockchain. According to a post by web blockchain payments system Money Button, on 30 January its service was abused to place “illegal content” inside the Bitcoin Satoshi Vision (BSV) ledger, a recent cryptocurrency hard fork from Bitcoin Cash [BCH]. […]

This post appeared first on Naked Security Blog by Sophos
Author: John E Dunn

Artificial Intelligence (AI), Blockchain, breach, Chief Information Security Officer (CISO), CISO, Cyber Resiliency, cyber risk, Federal Trade Commission (FTC), Incident Response (IR), Information Sharing, regulatory compliance, Risk Management, Security Leadership, U.S. Securities and Exchange Commission (SEC),

Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

  • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
  • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
  • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here.

Businesses Are Under Pressure to Disclose Cyber Risks

It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of the past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.

The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).

The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed. The 2011 guidance specifically mentioned the need “to disclose conclusions on the effectiveness of disclosure controls and procedures,” especially since a cyber incident could impact many of the other areas in which organizations are normally required to disclose information (e.g., financial and operational risks).

However, in 2018, the SEC released updated guidance for cyber-related disclosures to not only remind organizations of their duty to have controls in place to deal with insider trading, but to, in the words of SEC Chairman Jay Clayton, “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” Clayton went on to say he had requested that the SEC division of corporation finance continue to carefully monitor cybersecurity disclosures.

For those wishing to learn from the mistakes of others, the SEC maintains a list of cyber enforcement actions that includes cybersecurity-related matters.

Top Findings From EY’s Cybersecurity Disclosure Study

EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).

In terms of board qualifications, 41 percent of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34 percent of organizations mentioned the frequency of board reports, with just 11 percent reporting briefing the board annually or quarterly.

Finally, in terms of risk management, 70 percent of organizations mentioned their cybersecurity efforts and activities, such as training, personnel, refining of processes and monitoring. However, only 30 percent made any reference to incident response planning, disaster recovery or business continuity, and a tiny fraction, just 3 percent, indicated that their preparations included items such as tabletop exercises or simulations.

An Opportunity for CISOs to Play a Larger Role

As companies increasingly acknowledge cybersecurity risks as strategic risks, chief information security officers (CISOs) have an opportunity to play a larger role in the organization’s plans, investments and overall digital strategy. Instead of representing the camp of “security-as-an-IT-issue” — and with this, the simplistic view of security as an impediment to business — the CISO can help drive better conversations around cyber risks and educate top leadership and the board on emerging cybersecurity and privacy issues, including those that aren’t directly connected to cybersecurity such as artificial intelligence (AI), robotics and blockchain.

CISOs can drive progress by engaging with top leadership and the board to provide broader awareness, education and participation in matters that organizations should be more transparent about. Those cyber-related matters include incident response and emerging threats as well as gauging the organization’s readiness (e.g., tabletop exercises, simulations) and the effectiveness of its cyber risk management program.

Recommendations for Board Directors

The EY report provides several recommendations in the form of questions for boards to improve their engagement regarding cybersecurity risks. It’s worth asking the following questions of your organization:

  • Has responsibility for cybersecurity been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
  • Is the board getting regular briefings on the organization’s strategy regarding cybersecurity risks and cyber resilience? How engaged is the board in reviewing the organization’s cyber risk management program, and security-related investments?
  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

The report also mentioned the benefits of contracting with external advisers to provide board directors the opportunity to have a “dialogue with third-party experts whose views are independent of management.”

In 2019, it is imperative that enterprises take action to inform investors about cybersecurity risks and incidents in a timely manner — even enterprises that are subject to risks but have not yet been the target of a cyberattack. In this light, board directors, top leadership and CISOs should take another look at how well their 10-K and proxy statements satisfy the requirement to disclose material information regarding cybersecurity risks.

The post Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christophe Veltsos