Browsing category

Data Privacy

CISO, customer experience, Data Privacy, Data Protection, Digital Identity, fraud, Fraud Prevention, Fraud Protection, Privacy, Privacy by Design, privacy regulations, Retail, User Behavior Analytics (UBA),

The Success of Your Business Depends on Digital Trust. Here Is How to Measure It

Most people can name a recent example of online data being compromised, and consumers have become more concerned about how organizations protect their data. Whether the data in question is a physical location, credit card numbers or buying preferences, modern, tech-savvy consumers are thinking long and hard about digital trust risks and the privacy of their data.

“It’s not now just about price, feature, and benefits, it’s not even about history and legacy, it is about trust,” said researcher Mark McCrindle on behalf of Blackmores, an Australian vitamin company, according to CMO. “Every brand must build and maintain trust, particularly because the customer is more skeptical and empowered.”

In This Article

The Consumer Confidence Crisis

Consumer confidence in brands has dropped to a historic low. According to the “2018 Edelman Trust Barometer,” 7 in 10 industries are solidly in “distrust territory.” Customers are increasingly aware that their decision to share personal data with brands could have significant implications, and new legislation backs the customer’s right to opt out of untrustworthy brand engagements.

As organizations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of propping up a secure website or app, or avoiding a costly, embarrassing data breach. It’s about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and protects customers’ right to privacy while using the data they share to create customized, valuable experiences.

Learn how to deliver digital trust

Why Failure to Build Trust Is Risky

There are clear risks facing organizations that fail to deliver trust-inspiring digital experiences. The staggering reputational costs to brands that suffer a data breach underline how easily trust is broken and how difficult it can be to restore. However, even without security incidents, there could be significant consequences for brands that don’t transform the customer experience.

Customers who experience friction as part of the digital experience may choose to go elsewhere, impacting profitability. Brands that lack transparent data privacy practices could struggle to build strong customer relationships if the consumer feels that the interaction is “sketchy” or too invasive. There’s also risk for the organization: If it can’t tell the difference between legitimate customer transactions and costly fraud, it may throw up frustrating security barriers or risk loss due to account compromise or other fraudulent activities.

How to Measure Digital Trust With Business Outcomes

“Digital trust is not a method, product or service,” wrote IBM security orchestration, automation and response leader Matthew Konwiser. “It’s a philosophy that acknowledges why … businesses stay in business; their clients trust them.”

Digital trust can be measured in business outcomes. While these aspects are more complex than security metrics or compliance, they are critical. Digital trust results from a shift in how the organization approaches the customer journey, which can be measured in the following business outcomes.

Outcome No. 1: Build User Trust

Organizations should transform digital customer experiences to create a secure and seamless customer journey across digital products. This reinforces customer trust while providing internal visibility into customer behavior. Increased trust should result in greater customer loyalty and greater share of wallet.

Outcome No. 2: Drive Growth

Organizations that focus on digital trust continuously work to improve user experience and strengthen internal security safeguards. By utilizing security solutions that assess risk and only add verification when needed, there are fewer false positives and security teams can focus where needed. Automation and authentication based on risk scoring can streamline customer access and reduce workload for already over-tasked IT/security staff.

Outcome No. 3: Create Efficiency

Brands should continuously work to offer an improved user experience and strengthen internal security safeguards. Leaders at trust-driven organizations prioritize operational efficiency gains and risk reduction.

Why You Should Shift to a Trust-Focused Model

While digital trust isn’t the exclusive goal or responsibility of the security department, the CISO is a diplomat in the transformation process. At a trust-focused organization, security risk is recognized as business risk. Business leaders should actively support the need for persistent visibility into digital customer behavior, even as the cybersecurity team works to strengthen safeguards against threat actors and data privacy risks.

Trust should feel seamless for trusted customers with barriers only appearing to threat actors. Cognitive solutions and analytics can provide visibility into a customer’s movements across digital platforms and identify risks by comparing real-time data to a baseline of known threats. When an abnormal pattern of customer logins, transactions or behavior is identified, the system should automate an immediate response to further authenticate users or isolate risks.

The process of delivering digital trust is about more than security and technology, however. It’s a shift in leadership that places the customer experience at the center of digital transformation. Trust-focused organizations adopt design thinking processes to create digital products based on the customer journey and architect secure DevOps. Baked-in security offers greater assurance against risks and creates a more seamless digital experience across channels.

Empathy Is at the Core of Trust Delivery

Digital trust is a moving target, like any other strategic business goal. Your organization can’t rely on stagnant strategies to grow profitability or address risks. To build lasting customer relationships, organizations must understand that trust is a dynamic pursuit that requires agility.

Empathy toward the customer is at the core of trust delivery. As customer attitudes about privacy and behaviors shift, enterprise practices and technology must keep up with evolving data privacy threats, compliance requirements and client behaviors. The importance of trust is unlikely to diminish, but delivering trust-inspiring customer experiences requires a culture of design thinking, continuous improvement and security by default.

Read the e-book: Deliver Digital Trust

The post The Success of Your Business Depends on Digital Trust. Here Is How to Measure It appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kami Haynes

Application Security, Chief Information Security Officer (CISO), CISO, Cyberthreats, Data Privacy, Executives, Identity and Access Management (IAM), Open Source, Security Awareness, Security Leaders, Security Leadership, Security Professionals,

The Success of Your Business Depends on Your Security Culture

As you are no doubt aware, 2018 was yet another banner year for cybercrime. IBM Security Vice President Caleb Barlow recently reflected on the historic data breaches, widespread vulnerabilities and unprecedented onslaught of data privacy regulations affecting businesses across geographies. In such a fast-paced industry where technology — not to mention the threat landscape — is evolving daily, security culture is now a key determinant of success.

In my own experience, security teams are more likely to succeed when they’re viewed as an integral part of the business. Mature organizations recognize the direct connection between trust, user experience and revenue and place the chief information security officer (CISO) or chief security officer (CSO) on equal footing with other C-level executives.

Don’t Put the Chief Security Officer at the Kids Table

If you’re wondering why it matters who the CSO reports to, picture this: You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids table. And while that may be a lot more fun, the conversations that take place there will surely be very different than at the main table.

The same dynamic exists in organizations that do not consider the CSO to be integral to the company’s success. If security is involved in senior leadership activities on an invite-only basis, the organization is only inviting trouble down the road. Security needs to be a part of the larger, mature conversations that take place around the health and state of the business. For instance, what happens when a vulnerability scan turns up high-risk flaws? Are there processes in place to ensure good communication? Who decides who is responsible for the fix? Who validates it? Is the report seen as crucial to ensure overall quality for a release, or is it considered a nuisance, a necessary evil?

Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture and threat landscape, but they need more real-time information about the risks they face to keep up with the threat landscape in 2019. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.

Everyone Plays a Role in Security

In today’s software world, where there is growing, extensive use of devices, microservices, components, containers and open-source tools, the potential for things to go wrong is increasing proportionally. For this reason, every department and executive throughout the organization needs to play a role in securing enterprise data.

One of the main problems is that people don’t really know what they have in their environment. If you walk into a development shop and ask five people how many applications their organization supports, you’ll likely get five different answers. And just see what happens if you ask for a full inventory of the services, libraries and components associated with those applications. Any information developers do have is often inconsistent across different departments. For instance, I’ve seen situations where IT had one list, security had another, and the two were never consolidated or cross-referenced. The impact of such a disconnect can be devastating.

What if your organization is using a lot of open-source components and a critical vulnerability emerges for one of them? If your enterprise is reliant on a central IT team but you have inconsistent departmental software inventories, how can you really be sure you’ve identified all the affected systems? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, the patch management process is a mix of automated efforts for some systems and an honor system for others. When this happens, inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.

Today, the critical systems that might be left exposed could be sitting in the pockets of your employees — I’m talking about the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are the devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the often blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? Do you rely solely on your employees to secure their own devices?

The industry has moved beyond simply enforcing password policies. Today, nontechnical employees must play a critical role in security strategy and act as the first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then, take the necessary steps to enforce them. The policy you implement and enforce today just might prevent a breach tomorrow.

Security Culture Delivers Real Business Value

Security culture is becoming a sort of currency for organizations. Studies such as IBM Security’s “Future of Identity Report” have shown that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be part of the initial design and conception.

For that to happen, security needs to be ingrained in organizational culture, perceived as critical to the company’s success, and inclusive of all departments and employees across the enterprise. Organizations that do this well will be better positioned to build trust among their user base and provide the exceptional user experience that customers demand.

The post The Success of Your Business Depends on Your Security Culture appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Cuddy

Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.

Social Engineering 101: How to Hack a Human

Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bob Sullivan

Artificial intelligence, Artificial Intelligence (AI), Automation, CISO, Cloud Adoption, Compliance, Cybersecurity, Data Breach, Data Privacy, General Data Protection Regulation (GDPR), Incident Response, Incident Response (IR), Internet of Things (IoT), IoT Security, Machine Learning, privacy regulations, Risk Management, Security Intelligence & Analytics, Security Professionals, Security Trends,

Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar

2018 was another significant year for the cybersecurity industry, with sweeping changes that will impact security professionals for years to come.

The General Data Protection Regulation (GDPR) finally went into effect, dramatically reshaping the way companies and consumers manage data privacy. Security teams stepped up their battle against technology complexity by increasingly migrating to the cloud and adopting security platforms. And several emerging security technologies — such as incident response automation and orchestration, artificial intelligence (AI), and machine learning — continued to evolve and saw increased adoption as a result.

As security teams continue pushing to get ahead of adversaries, these trends will almost certainly have long-term impacts. But what do they mean for 2019?

Bold Cybersecurity Predictions for 2019

Recently, I was fortunate to host a panel of cybersecurity experts for IBM Resilient’s sixth annual end-of-year and predictions webinar, including Bruce Schneier, chief technology officer (CTO) at IBM Resilient and special advisor to IBM Security; Jon Oltsik, senior principal analyst at Enterprise Strategy Group; Ted Julian, co-founder and vice president of product management at IBM Resilient; and Gant Redmon, program director of cybersecurity and privacy at IBM Resilient.

During the webinar, the team discussed and debated the trends that defined 2018 and offered cybersecurity predictions on what the industry can expect in 2019. In the spirit of keeping our experts honest, below are the four boldest predictions from the panel.

Bruce Schneier: There Will Be a Major IoT Cyberattack … or Not

Last year, Bruce predicted that a major internet of things (IoT) cyberattack would make the news, perhaps targeting automobiles or medical devices. Fortunately, that wasn’t the case in 2018. But could it happen in 2019?

Bruce’s prediction: maybe (yes, he’s hedging his bet). There are certainly many risks and vulnerabilities associated with the rise of IoT devices. Regardless of whether a major attack is imminent, IoT security needs to be a top priority for security teams in 2019. This prediction is in line with Bruce’s latest book, “Click Here to Kill Everybody.”

Ted Julian: Security Automation Will Create Unintended Negative Consequences

Incident response automation and orchestration is an increasingly popular way for security teams to streamline repetitive processes and make analysts more efficient, but automating poorly defined processes could create bigger issues.

Automated processes accidentally taking down systems is a familiar problem in the IT space. In 2019, we will see an example of security automation hurting an organization in unforeseen ways.

To avoid this, organizations need to consider how they employ technology when orchestrating incident response processes. They should focus on aligning people, processes and technology and methodically employ automation to further empower their security employees.

Jon Oltsik: Continuous Risk Management Will Help Organizations Better Understand Risks

Today, risk assessments and vulnerability scans give organizations a point-in-time look at their security posture and threat landscape. But in 2019, that won’t be enough. Security leadership — as well as executives and board members — need real-time information about the risks they face and what needs to be done to improve. Establishing a system of continuous risk management will help security teams enable this reality.

Gant Redmon: New Laws Will Provide Safe Harbor to Compliant Organizations

A pending law in Ohio would provide a first in U.S. data privacy regulations: Providing safe harbor from tort claims to organizations that are in compliance with their security regulations. In other words, if an organization suffers a data breach but is in compliance with its regulatory obligations, it will be protected from lawsuits related to that breach.

While the Ohio law is the first of its kind, we will no doubt start to hear of similar regulations emerging throughout 2019.

What are your cybersecurity predictions for 2019? Tweet to us at @IBMSecurity and let us know!

Watch the complete webinar

The post Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Maria Battaglia

Cloud Infrastructure, Cloud Security, Cryptography, Data Management, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, General Data Protection Regulation (GDPR), Identity & Access, Risk mitigation, Threat Detection, Threat Prevention,

Lessons From the Data Encryption Front Line: Understanding Common Threats

Data encryption has become a hot topic for many people this year with Article 83 of the General Data Protection Regulation (GDPR) listing it as an example security control to mitigate risks. While the U.K. Information Commissioner’s Office (ICO) provides some useful guidance on how to use encryption, I have had many discussions over the past year about what is the right approach to implementing data-at-rest encryption (DaRE) solutions. There is no magic answer, but there are some fundamental aspects to consider — starting with an understanding of common encryption threats.

Identify the Threats Facing Your Organization

Clients often ask for DaRE, but are unclear why they need it (other than a policy that says they need to implement encryption). There are many threats related to encryption, but I suggest starting with four generic threats in the context of your system/application.

1. Loss of Physical Storage Media

There is a risk of losing storage media, such as disks or tapes. In a cloud environment, storage media is not something under your direct control. To protect from a loss of storage media, encryption can be provided in the underlying storage or media subsystem. This provides a mechanism, transparent to the application, that is fast and has low latency — but does not manage every threat.

2. Disclosure or Modification of Stored Data

Some threat actors, such as an external attacker or internal privileged administrator, can gain access to personal or highly confidential data while systems are running. Encryption at the storage level won’t provide adequate protection in this case, since a privileged or even standard user has access to the unencrypted data. It also will not provide protection from a threat actor attempting to gain privileged access or extracting data using a classic attack such as SQL injection.

Therefore, highly confidential and personal data often needs to be encrypted at the level of structured or unstructured data objects to prevent a privileged user from accessing it. With the General Data Protection Regulation (GDPR) in effect, this is especially crucial.

3. Destruction of Stored Data

Even if stored data cannot be accessed, it can be destroyed by deleting the encryption keys — a cryptographic erasure — or by destroying the actual encrypted data. Systems are normally designed with redundancies, such as a backup of the data and a separate backup of the encryption keys. If segregation of duties is not maintained, it may be possible for a malicious employee to destroy the primary data, backups and encryption keys all at once.

4. Disclosure of Data in Transit

Data needs to be transported between applications, and it is possible to tap into a network to enable confidential data to be read. With cloud storage, the network and server infrastructure is not under your control and there is a risk of data interception.

While many applications use Transport Layer Security (TLS) to encrypt traffic, there are many other communications that cannot use TLS. In a virtual world, physical systems are clustered together with virtualized storage where the underlying transport mechanism may obscure the data but not support encryption.

Balance Risk With Performance, Resilience, Compatibility and Operations

Like all security mechanisms, data encryption has a set of impacts that need to be considered. The primary driver is normally the cost of the encryption, but assuming an unlimited budget, there are potentially some more fundamental impacts on the operation of applications and infrastructure.

One such impact is on performance. Encryption is a highly compute-intensive mechanism that is normally assisted by hardware. With self-encrypting drives, it often cannot be disabled and has zero performance impact. When encryption is applied at a more granular level, the impact is much greater. Encrypting files has a much greater performance impact than encrypting a logical disk, which has a greater impact than encryption within physical storage. Increasing latency with reduced speed of encryption may have a detrimental impact on an application that makes your business uncompetitive.

The next impact to consider is on resilience. Encryption adds complexity and, depending on how it is implemented, may introduce additional dependencies that increase the complexity of change processes and the risk of infrastructure failure. Think about possible failure scenarios and the dependencies, then test component failure and recovery. Finer-grain encryption may provide improved protection, but it reduces the resilience of an application. For example, even if all keys are lost in a key management system, a storage subsystem may still be recovered with offline recovery keys, whereas data in volume-based encryption may be irretrievably lost without additional controls.

Data encryption also impacts compatibility. An encryption app may have a dependency on a specific application feature that cannot be changed, for example, or it may not support specific file systems or database types. This introduces a constraint that prevents encryption from being used, and may require accepting a risk. The finer the encryption — that is, the higher in the application stack — the more constraints will be revealed.

Lastly, consider the impact on operations. While encryption protects your data, it also makes it difficult to access data when you do need it. If a backup service creates a backup of an encrypted server, how can you restore an individual file without shutting down the production service? Sure, there may be workarounds, but does it still impact service levels?

Encryption solutions are still maturing as they move from being add-on packages to being embedded within applications. Constraints will no doubt reduce over time, but it’s good to be aware of them while deploying encryption.

Tailor Data Encryption to Fit Your Needs

There is no single answer to the question of how to properly use data encryption. It comes down to the risk appetite of a business balancing the security risk against performance, resilience, compatibility and operations.

One possible combination is storage-level encryption for performance together with structured data encryption on a limited number of high-risk applications. Depending on their application and data types, organizations will likely need to apply different architectural patterns and accept some residual risk.

To learn more, download the white paper, “Guard Your Organization’s Data With Intelligent IBM Encryption.”

Read the white paper

The post Lessons From the Data Encryption Front Line: Understanding Common Threats appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Mark Buckwell

Access Management, Advanced Threats, Antivirus, atm, CISO, Compliance, Credentials, cryptocurrency, cryptocurrency miner, Cybercrime, Cybercrime Trends, Data Breaches, Data Privacy, Data Protection, database security, Endpoint Protection, Financial Industry, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, IBM X-Force Research, Identity and Access Management (IAM), Incident Response, Incident Response (IR), Malware, Obfuscation, Personal Data, Phishing, regulatory compliance, Security Trends, Social Security, Threat Intelligence, Vulnerabilities, X-Force,

IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape

Taking a look back at 2018, it amazes me that the cybercrime threat landscape continues to top itself year after year. Over the past year, we’ve seen historic breaches, the discovery of large-scale vulnerabilities, the emergence of the trust economy and regulators trying to help make sense of it all.

The looming General Data Protection Regulation (GDPR) deadline finally came in May after businesses spent years preparing. Now we’re in the GDPR era, and we’re still seeing organizations struggle to interpret and tackle the regulation. Businesses are asking themselves, should we disclose every possible incident to be covered or spend more time investigating incidents to confirm them?

We also saw many unintended consequences from the GDPR, including the removal of WHOIS data that threat intelligence experts rely on to identify malicious domains used by fraudsters. We learned that in Europe, organizations will need to go through work councils to receive approval to deploy endpoint protection tools in the wake of an incident due to the privacy regulation. This gives attackers a significant advantage to harvest data for an extensive amount of time — upwards of 30 to 90 days.

One of my security predictions for 2018 was that organizations will start to get response right. We’ve seen some progress on this, but there’s still a lot of work to be done here. Since we opened our Cyber Range in Cambridge, Massachusetts two years ago, we’ve had more than 2,000 people experience what it’s like to respond to an attack.

We’ve seen many industry groups come together in the Cyber Range and collaborate to help their entire industries. We also launched our Cyber Tactical Operations Center (C-TOC), an 18-wheeler that will be touring Europe in 2019 to address the increased demand for preparedness training. Of course, there’s always room for improvement, but our industry is making progress, and for that, I’m proud.

Security Predictions for the New Year

So what lies ahead in 2019? How will the cybercrime threat landscape change and evolve?

Top experts from IBM X-Force have been analyzing emerging trends and clues this year, which they believe are indicators of potential major cybercriminal activity in 2019. Below, these experts reveal their top security predictions for 2019 based on insights from their research and work with clients. The predictions span a range of potential attack schemes and consequences, from industry-specific prognostications to a rapid expansion of emerging criminal schemes.

First, a couple of my own predictions:

Social Insecurity Numbers Dropped for Access

With most Americans’ Social Security numbers a shared secret after 2017, corporations will start to move away from using the numbers as a form of access. In particular, corporate benefits programs often still use Social Security numbers as an identifier. Expect corporations and benefits programs to evolve their authentication methods ahead of regulators.

What organizations can do: Stop using Social Security numbers for identification. Instead, use one-time PIN to establish accounts tied to two-factor authentication. Also, further use of biometrics for authentication.

Unforeseen Consequences of the GDPR

2018 was all about implementation of GDPR and getting organizations prepared. In 2019, new, unforeseen impacts of GDPR on threat intelligence will be identified and have broader consequences in cybersecurity. With the elimination of WHOIS data, identification of malicious domains connected to bad actors becomes an enormous challenge, and we’ll likely see malicious domains ramp up. Organizations in Europe will struggle to remove attackers from networks and devices due to a 30- to 90-day waiting period to deploy endpoint protection after an incident. My hope is that regulators, work councils and security industry leaders can work together in 2019 to identify some exceptions in which security takes precedent.

Possible solution: Greater collaboration between regulators, work councils and security industry leaders to identify exceptions to regulations when security inadvertently could suffer due to the regulation.

Now, some predictions from my fellow X-Force team members:

Automated Customer Service Systems in Attackers’ Sights

Kiosk and other self-service systems have become more and more a part of our world. Retailers, airlines, hotels and public buildings are using these systems to speed up check-ins and reduce labor costs. In 2018, we saw a resurgence in ATM hacking, and we expect in 2019 to see public-facing self-service systems targeted as a way to harvest valuable customer data.

– Charles Henderson, X-Force Red

What organizations can do: Test hardware and software before criminals have a chance to. Harden physical interfaces and disable unused ports at the hardware level. When using third-party components, ensure that they are still supported by the manufacturer.

Listen to the podcast: Spotlight on ATM Testing

A Cyber Insurance Market Reality Check

The growth of cybersecurity insurance has risen alongside the epic growth of cybercrime. While a valuable tool to manage costs of a security incident or data breach, businesses have become too reliant on insurance, avoiding investment in other preventative technologies and response services. In 2019, we’ll see closer teaming between cyber insurance providers and security vendors to fill the emerging gap created by the market.

– Christopher Scott, X-Force Incident Response and Intelligence Services (IRIS)

Possible solution: Providers of managed security services and cyber insurance team up together to offer consulting services, assess risk and implement defensive strategies.

Have Data, Will Travel

Cybercriminals will shift their sights to the lucrative databases of personal data maintained by travel and hospitality companies. In 2018, we saw the tip of the iceberg with high-profile breaches at airlines and hotel chains. Expect more mega breaches in this area in 2019 as cybercriminals look to monetize rewards points and gather new credentials, such as passport numbers and driver licenses, to establish identities for online crime. This data could also lead to targeted, travel-related phishing, tapping a person’s interests, motivations and connections.

– Wendi Whitmore, X-Force IRIS

What organizations can do: Deploy data obfuscation technologies, encryption and regular database activity monitoring. Conduct regular security testing and have an incident response plan in place. Frequently audit the storage requirements for personally identifiable information (PII) and set expirations for how long sensitive data is stored.

Evidence of Cybercriminal Stock Manipulation

There’s growing speculation that some shorting of stocks can be tied to cyberattacks. Are criminals collaborating to time their attacks for financial gain? In 2019, we expect these schemes will be further exposed and possibly prosecuted as government regulators take notice of this activity.

– Dustin Heywood, X-Force Red

Possible solution: A breach of a public company is now both a technical crisis as well as a financial crisis. Rapid manipulation of stock prices can occur as a result of bad guys looking to profit or hedge funds reacting to breaking news. Your speed of response and precision of communications will matter. Organizations need to build and test their runbooks ahead of time.

Crypto-Mining Powered by PowerShell

PowerShell use for malicious activities has continued to grow in 2018. IBM X-Force IRIS saw the tool used by malicious actors to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. In 2019, X-Force IRIS anticipates that crypto-mining tools will use PowerShell to load fileless malware onto compromised systems — similar to reported activity by the crypto-miner GhostMiner earlier this year.

– Dave McMillen, X-Force IRIS

What organizations can do: Enterprises will want to ensure that they are logging, tracking and auditing PowerShell use in their networks. This can be achieved by leveraging the latest version of PowerShell and enabling logging through Group Policy Settings. These logs should be forwarded to a central location where they can be analyzed.

In addition to logging, companies using Windows 10 should be sure to implement an antivirus solution that is compatible with the Anti Malware Scanning Interface (AMSI). This interface provides antivirus products the ability to inspect PowerShell code before it is executed, allowing the product to stop malicious PowerShell before it can run.

Meet more IBM Security All Stars

The post IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Caleb Barlow

Artificial Intelligence (AI), Cloud Infrastructure, Cloud Security, Cloud Services, Data Management, Data Privacy, Data Protection, Data Security, database security, Infrastructure-as-a-Service (IaaS), Log Management,

Cloud Security With a Chance of Data Breaches

With the current data explosion and rise of artificial intelligence (AI), machine learning and deep learning, organizations must make sense of the vast amounts of data they collect to better themselves and gain an edge over the competition. Processing and storing all this data is much easier when someone else is doing it for you, which is why many organizations now look to move their data to the cloud.

Cloud Storage Does Not Mean Cloud Security

The cloud is, in theory, that magical place where everything is easy, where you can pay someone to make all your IT problems go away; no more patching, cooling, power backup, data backup and other headaches associated with maintaining a data center. Cloud vendors will ensure that your data is stored 24/7 and, as long as you are in the right pricing tier, you’ll enjoy great performance, elasticity and a guarantee that your data will never be lost. So far, so good — but what about cloud security?

While cloud vendors are held to high standards to ensure that they will not mess with or lose your data, they are not in charge of security and access management for the applications and databases you run in the cloud, even if you consume your database as a service. Just because you’re operating in the cloud doesn’t mean you’re no longer responsible for protecting your critical data.

Not only are you in charge of protecting your data, but all the regulations of the real world also apply to the magical world of the cloud. If threat actors steal your data in the cloud, you are just as liable as you would be if they stole on-premises data — and the compliance penalties, legal fees and reputational damage associated with a breach can be crippling.

Inherent Problems With Database-as-a-Service Solutions

If you run your IT shop in the cloud as infrastructure-as-a-service (IaaS), you can simply apply the same security measures and use the same security tools and applications that you have on-premises, because you still own everything. The problems start when you choose to relieve yourself of the burden of employing database administrators and use a cloud vendor’s database-as-a-service (DBaaS) offering, such as Amazon Relational Database Service (Amazon RDS) or Microsoft Azure SQL Database. While this option transfers database management to the cloud vendor, they will not assume any responsibility for the security or compliance of those databases — a critical detail.

At this point, you might recall that you already own database protection tools and ask the cloud vendor to install them on the DBaaS. But, to your surprise, the vendor informs you that running third-party software on its database would void the warranty. Now what?

One obvious solution is to turn on native logging, which enables you to feed database logs into your existing security solutions. Sometimes, this is the “good enough” option. However, there are a few inherent problems with this approach. Any insights or security alerts will not be in real time, and intruders can copy your native logs. They are also stored in clear text, so any encryption scheme employed on your database or traffic is rendered useless.

Another issue to consider before turning on native logging is performance. When native logging is on, a database must spend more time writing data to files, and you might see a hit on performance as a result. Finally, native logging does not offer separation of duties, so the employees who can turn the capability on or off are the same people who can access your sensitive data.

How to Monitor a Cloud Database for Security and Compliance

So what should a prudent, security-minded organization do in this case? How can a company monitor a DBaaS solution for both compliance and security? The answer is to adopt a creative approach to circumvent restrictions on installing security software on cloud providers’ databases. Look for a cloud security solution that sits in front of the database and can still send traffic to your existing security tools without having to install any software on the database.

Such monitoring tools work in real time and are more secure than native logs because they do not require storing any unencrypted data and can handle encrypted traffic, which is the most prevalent way of sending data in a cloud data center. By approaching cloud database management and protection in this manner, organizations can gain greater control over the security and compliance of cloud-enabled infrastructures as they leverage the broader benefits of the cloud.

Visit our microsite to learn more

The post Cloud Security With a Chance of Data Breaches appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Shay Harel

Application Security, Compliance, Data Breach, Data Loss Prevention (DLP), Data Management, Data Privacy, Data Protection, Data Security, General Data Protection Regulation (GDPR), Personal Data, privacy regulations, Risk, Risk Management, Security Information and Event Management (SIEM), Sensitive Data,

A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips

This is the third and final blog in a series about the new digital frontier for data risk management. For the full picture, be sure to read part 1 and part 2.

Mining customer information for valuable nuggets that enable new business opportunities gets riskier by the day — not only because cyberthieves constantly find new ways to steal that gold, but also due to the growing number of privacy regulations for corporations that handle increasingly valuable data.

The enactment of the European Union (EU)’s General Data Protection Regulation (GDPR) in May of this year was just the start. Beginning in early 2020, the California Consumer Privacy Act of 2018 (CCPA) will fundamentally change the way businesses manage the personal information they collect from California residents. Among other changes, organizations will find a much broader definition of personal information in the CCPA compared to other state data breach regulations. Pundits expect this legislation to be followed by a wave of additional data privacy laws aimed at shoring up consumers’ online privacy.

One major factor behind these new regulations is the widely perceived mishandling of personal information, whether intentionally or unintentionally as a result of a serious data breach perpetrated by cybercriminals or malicious insiders.

Taming the Wild West With New Privacy Laws

The first GDPR enforcement action happened in September, when the U.K. Information Commissioner’s Office charged Canadian data analytics firm AggregateIQ with violating the GDPR in its handling of personal data for U.K. political organizations. This action highlights the consequences that come with GDPR enforcement beyond the regulation’s potential penalty of up to 20 million euros, or 4 percent of a company’s annual revenues worldwide, whichever is higher. It can also require the violator to cease processing the personal information of affected EU citizens.

Although the CCPA does not take effect until January 2020, companies that handle the personal information of Californians will need to begin keeping records no later than January 2019 to comply with the new mandate, thanks to a 12-month look-back requirement. The act calls for new transparency and disclosure processes to address consumer rights, including the ability to opt in and out, access and erase personal data, and prevent its sale. It applies to most organizations that handle the data of California residents, even if the business does not reside in the state, and greatly expands the definition of personal information to include IP addresses, geolocation data, internet activity, households, devices and more.

While it’s called the Consumer Privacy Act, it really applies to any resident, whether they are a consumer, employee or business contact. There may still be corrections or clarifications to come for the CCPA — possibly including some exclusions for smaller organizations as well as health and financial information — but the basic tenants are expected to hold.

Watch the on-demand webinar to learn more

Potential Civil Lawsuits and Statutory Penalties

The operational impact of these new regulations will be significant for businesses. For example, unlike other regulations, companies will be required to give consumers a “do not sell” button at the point of collecting personal information. Companies will also be required to include at least two methods to submit requests, including a toll-free number, in their privacy statements.

The cost of failure to comply with data privacy regulations is steep. Organizations could face the prospect of civil penalties levied by the attorney general, from $2,500 for each unintentional violation up to $7,500 for each intentional violation, with no upper limit. Consumers can also sue organizations that fail to implement and maintain reasonable security procedures and practices and receive statutory payments between $100 and $750 per California resident and incident or actual damages, whichever is greater. As one of the most populous states in the nation, representing the fifth-largest economy in the world, a major breach affecting California residents could be disastrous.

5 Tips to Help Protect Your Claim

The need to comply with data privacy regulations has obviously taken on greater urgency. To do it effectively requires a holistic approach, rather than one-off efforts aimed at each specific set of regulations. Organizations need a comprehensive program that spans multiple units, disciplines and departments. Creating such a program can be a daunting, multiyear effort for larger organizations, one that requires leadership from the executive suite to be successful. The following five tips can help guide a coordinated effort to comply with data privacy regulations.

1. Locate All Personal and Sensitive Data

This information is not just locked up in a well-secured, centralized database. It exists in a variety of formats, endpoints and applications as both structured and unstructured data. It is handled in a range of systems, from human resources (HR) to customer relationship management (CRM), and even in transactional systems if they contain personally identifiable data.

Determining where this information exists and its usage, purpose and business context will require the help of the owners or custodians of the sensitive data. This phase can take a significant amount of time to complete, so take advantage of available tools to help discover sensitive data.

2. Assess Your Security Controls

Once personal data is identified, stakeholders involved in creating a risk management program must assess the security controls applied to that data to learn whether they are adequate and up-to-date. As part of this activity, it is crucial to proactively conduct threshold assessments to determine whether the business and operating units are under the purview of the CCPA.

At the same time, it’s important to assess how personal information is handled and by whom to determine whether processes for manipulating the data need to change and whether the access rights of data handlers are appropriate.

3. Collaborate Across the Enterprise

Managing data risk is a team effort that requires collaboration across multiple groups within the organization. The tasks listed here require the involvement of data owners, line-of-business managers, IT operations and security professionals, top executives, legal, HR, marketing, and even finance teams. Coordination is required between data owners and custodians, who must establish appropriate policies for who can access data, how it should be handled, the legal basis for processing, where it should be stored, and how IT security professionals should be responsible for enforcing those policies.

4. Communicate With Business Leaders

Effectively communicating data risk, including whether existing controls are adequate or require additional resources and how effectively the organization is protecting customer and other sensitive data, requires a common language that can be understood by business executives. Traditional IT security performance metrics, such as block rates, vulnerabilities patched and so on, don’t convey what the real business risks are to C-level executives or board members. It’s critical to use the language of risk and convey data security metrics in the context of the business.

5. Develop a Remediation Plan

Once the business’s compliance posture with the CCPA is assessed, organizations should develop risk remediation plans that account for all the processes that need to change and all the relevant stakeholders involved in executing the plan.

Such a plan should include a map of all relevant personal information that takes into account where the data is stored, how it is used and what controls around that data need to be updated. It should also describe how the organization will safely enable access, deletion and portability requests of California residents, as well as process opt-out requests for sharing their data.

Automate Your Data Risk Management Program

Thankfully, there are tools available to help automate some of the steps required in developing and maintaining a holistic data risk management initiative. Useful data from security information and event management (SIEM), data loss prevention (DLP), application security, and other IT tools can be combined with advanced integration platforms to streamline efforts.

Privacy mandates such as the GDPR and the CCPA are just the start; a California-style gold rush of data privacy regulations is on the horizon. Countries such as Brazil and India are already at work on new data privacy laws. A comprehensive data risk management program established before more regulations go into effect is well worth its weight in gold.

Watch the on-demand webinar

The post A New Privacy Frontier: Protect Your Organization’s Gold With These 5 Data Risk Management Tips appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Paula Musich

customer experience, Data Breach, Data Privacy, Data Protection, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, Malware, Network Security, Personally Identifiable Information (PII), Point-of-Sale (POS) Systems, Retail, Retail Data Breach, Retail Industry, Retail Security, Risk Management,

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.

In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Average Spam per Month

Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection on your entire network to include the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: David Bales

Academia, Application Security, Cloud, Cloud Infrastructure, Cloud Security, Data Privacy, Data Protection, Education, IBM Security, Petya, Security Awareness, Security Leaders, Security Leadership, Skills Gap, WannaCry,

How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data

There’s rarely a time in the day when Andi Hudson isn’t immersed in technology. When he’s not fulfilling his duties as IBM’s cloud security architecture lead in the U.K., he’s reaching out to the next generation of cyber professionals through volunteer work with universities and colleges. Or, he’s teaching his own young kids how to write in Python, or how to make wacky contraptions, such as an automated irrigation kit and a Tesla coil that plays music.

Simply put, Andi Hudson lives and breathes tech and security, and he’s always happy to chat about anything from cloud security, to artificial intelligence (AI), to the impact of the Internet of Things (IoT) to the neuroscience of privacy denial.

“For me, cybersecurity has to start right at the very beginning,” he said, speaking from his home in South Wales. “Giving kids access to this stuff is important, but even more important is teaching them to use it ethically and responsibly.”

Spreading the Gospel of Data Privacy

No matter what else he’s doing, Andi is always keeping a close eye on the future. He’s particularly interested in artificial intelligence, data privacy and what the C-suite needs to pay more attention to.

Much of it comes down to the data, which Andi classified as “the oil of tomorrow.” He believes that, given the right bits of information, cybercriminals can steal data (including identities) and “really go to town with this information.” He’s also worried about the confirmation bias this level of sharing brings — that our “likes” are collected and we’re grouped with other users who share the same ideas opinions. To quote Andi, quoting author Cory Doctorow: “It’s not about what you have to hide; it’s about what you choose to share.”

“We give away so much information so freely, to a degree I think the horse has already bolted,” he said. “That’s why I invest so much of my own time in educating academia, because they’re the next generation. But it doesn’t just start at universities and colleges; it starts at home in the family, and in primary school and secondary school. Security is not a product — it’s a process.”

Andi is a science, technology, engineering and mathematics (STEM) ambassador, as well as a Barefoot volunteer with Computing at School (CAS). He visits primary schools to nurture the next generation of cyber professionals. Andi shows the faculty how to teach computational science, helps children understand the importance of STEM subjects and exposes them to careers in technology.

Andi Hudson, cloud security architecture lead at IBM

A Nontraditional Approach to Cloud Security

When he’s not nurturing the youth, Andi leads a growing team of architects at IBM Security U.K. Part of his role is to ensure that all the individual skill sets in security keep cloud-based applications front of mind. IBM promoted him to lead after catching wind of the impressive work he did in the London insurance market, building collaborative cross-vendor solutions for a new target operating model that enables 9,000 U.K. financial services companies to work together.

“IBM never really had a cloud team that encompassed a lot of those different skill sets,” he said. “A lot of the traditional architecture always sat in resource pools within somebody else’s data center — but, of course, with the cloud, that’s all different now. They’re not using their own data centers anymore; they’re using ours.”

While Andi primarily works hands-on with clients on cloud-related transformation projects, he also gets to speak at conferences and, of course, engage with the education sector in both his day job and his volunteer work.

A member of the South Wales Cyber Security Cluster, Andi works with Cardiff’s three universities to make courses as relevant as possible according to the latest industry trends. That plays into the work IBM does with Exeter University, and may soon start doing with Warwick University and the University of the West of England.

“It’s about making a difference,” he said before launching into a story from last year when, at the height of the Petya and WannaCry ransomware outbreaks, he found himself in a war room on a weekend trying to reverse-engineer a client out of an attack.

“You know when you feel sick in your stomach, the nerves and anxiety? I’ve had it before when I used to work for a services company; we switched the system off once and it didn’t come back on,” he recalled. “You have this gut-sickness feeling. You’ve just done a lot of work, you’ve had no sleep, and you know you won’t get any sleep or food until this problem’s gone. It was exactly like that — that sick feeling.”

Why Security Leaders Need to Tell It Like It Is

Luckily, Andi was so close to the customer and had been so hands-on with the account that he was able to solve the problem and develop a watertight remediation plan. He even won an award for his work.

The key, he said, is his willingness to have frank discussions about security, even if it means telling clients what they don’t want to hear. Andi has found that this nontraditional approach helps him develop closer relationships with clients and break conversational barriers that would otherwise stymie progress.

“I think that clear, open transparency just resonates with customers,” he emphasized. “A lot of things were always taboo — certain things you didn’t say to certain executives, and certain things you didn’t cover — but if you want a real, secure solution, unfortunately you have to have those conversations.”

This transparency is especially crucial today, given the lightning-quick pace of change in the industry and ever-evolving nature of the cyberthreat landscape.

“The fact is, it keeps changing — and what’s right today might not be right tomorrow.”

That’s why Andi always has his eyes on tomorrow — both in terms of the threats his clients will have to contend with and the next generation of cybersecurity heroes that will defend them.

The post How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Security Intelligence Staff