On Monday April 7th, the OpenSSL project disclosed a bug in its software (CVE-2014-0160, better known as “Heartbleed”) that allows an attacker to remotely read chunks of a server’s memory, which can include unencrypted usernames and passwords, session cookies and even the server’s private key. OpenSSL is the most widely used open source SSL/TLS (Secure Sockets Layer / Transport Layer Security) implementation, and it is used by many popular websites such as Yahoo, Imgur, Stack Overflow, Flickr and Twitpic. Many of these sites have been patched. However, as of this writing some, including Twitpic, remain vulnerable.
Several tools have become available to check whether an individual website is vulnerable. We recommend that you check whether the websites you use are affected before logging in: logging in to a still-vulnerable site only gives an attacker another chance to capture your credentials. Once a website has been patched (and, ideally, has reissued its certificate, since its private key may also have been exposed), reset your password, because the old one may have been captured while the server was vulnerable. The bug is also present in some client software, and a malicious web server can use it to read memory from client machines running those programs.
This particular vulnerability has been present since OpenSSL 1.0.1 (released in March 2012); versions 1.0.1 through 1.0.1f are affected and 1.0.1g fixes it. It underscores the need to look beyond typical perimeter defenses and continuously monitor for unusual behavior within your network. Persistent attackers will continue to find creative ways to breach the perimeter, and detecting abnormal use of valid credentials is becoming extremely important.
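To make the bug concrete, here is an added example (not code from this post and not OpenSSL’s own source) that models the heartbeat handling in Python. A TLS heartbeat message is a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable logic trusts the claimed payload length and copies that many bytes back to the peer; the fix, reproduced here as the same length comparison the 1.0.1g patch added, discards any message whose claimed length does not fit in the record actually received. The “memory” buffer and the secret placed after the record are constructed for the demonstration.

```python
"""Model of the OpenSSL heartbeat bounds check (CVE-2014-0160).

Added example; not code from the original post or from OpenSSL. It models
the record layout and the length check of the published fix in Python so
the over-read can be shown without undefined behaviour.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # TLS heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.

    claimed_length lets a caller construct the malformed message that
    Heartbleed relies on: a payload_length larger than the data actually sent.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    header = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
    return header + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: copy payload_length bytes after the 3-byte header,
    never comparing payload_length against record_length.

    `memory` models the process buffer: the received record followed by
    whatever happened to sit next to it (keys, cookies, passwords).
    """
    hbtype = memory[0]
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # record_length is deliberately ignored here; that omission is the bug.
    return memory[3:3 + payload_length]


def fixed_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard a message whose header, claimed
    payload and minimum padding do not fit inside the received record."""
    if 1 + 2 + MIN_PADDING > record_length:
        return None
    hbtype = memory[0]
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    return memory[3:3 + payload_length]


def demo():
    """Constructed scenario: a 5-byte payload that claims to be 64 bytes,
    with a secret sitting in memory right after the record."""
    adjacent_secret = b"user=alice&password=hunter2"  # constructed, not real data
    record = build_heartbeat(b"hello", claimed_length=64)
    memory = record + adjacent_secret + b"\x00" * 64
    leaked = vulnerable_handler(memory, len(record))
    safe = fixed_handler(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned", len(leaked), "bytes:", leaked)
    print("fixed handler returned:", safe)
```

The same comparison (claimed payload length against the size of the record that carried it) can be applied to captured TLS records to spot a Heartbleed probe on the wire, which is the kind of monitoring the paragraph above is calling for.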
By the way, Courion websites, including the Support Portal and the CONVERGE registration page remain unaffected by this vulnerability.
UPDATE: Due to unforeseen circumstances, security correspondent Frank Gardner will not be participating in this seminar.
If you reside in or near London, consider joining us on Thursday April 10th at 9:00 a.m. at the Milbank Tower for what promises to be an interesting seminar.
Courion and Ping Identity executives will discuss how an integrated solution for managing user identities and access to resources both in the cloud and on-premises can provide the ability to quickly and properly authenticate users and provide access, while still enabling you to manage risk and maintain compliance.
The event will conclude with a panel of experts available to address your questions and discuss strategies and solutions.
To register for the event, click here.
For live updates, follow @CourionEMEA.
Learn how using an identity and access intelligence solution such as Access Insight may help you avoid finding yourself in a Kobayashi Maru no-win situation like Target, in this IT Security Guru post titled “Kobayashi Maru – Target Breach Rewind of a Different Sort.”
“Houston, do we have a problem?”
Are the retail and payment card industries facing a catastrophic collapse in consumer confidence? With the 24/7 news cycle constantly reporting breaches at the largest retail firms, involving millions of customers’ records, it’s hard to argue otherwise. The news that Target’s CIO recently “resigned” shortly after Target disclosed the loss of 40 million or more credit card numbers just illustrates how serious the problem is.
Now, it seems like breaches are happening more often, and many involve brick-and-mortar stores’ point-of-sale systems. While the increase may be partially explained by disclosure laws and aggressive news outlets, that’s cold comfort for companies already struggling to compete with the convenience and price advantages of online-only firms like Amazon.com.
What happens to the retail industry when consumers’ perception shifts to one where shopping online is safer than shopping at retail stores? The answer must have Jeff Bezos smiling, but it also must have him asking his CISO – are we at risk?
With that in mind, let’s review some top retail breach disclosures involving payment card data from the past 10 years, with links:
2005: DSW Shoes loses 1.4 million customers’ credit card numbers.
2006: OfficeMax loses 200,000 debit card numbers with PINs.
2007: TJX – the grand-daddy of all retail data breaches, 100 million+ accounts stolen.
2008: Forever 21 discloses a three-year long data breach and 100,000 credit card numbers stolen.
2009: Mitsubishi parts ways with 52,000 customer accounts and credit card data.
Of note: from 2005 to 2009, according to www.privacyrights.org, there were 50 retail breach disclosures related to either a hack, an insider abusing access or other credit card fraud such as POS skimming devices. From 2010 to 2013 there were 260, a 5X increase.
2010: Proving small retail shops are not immune, Beer and Wine Hobby in Woburn, MA had 35,000 credit card numbers compromised.
2011: Proving the world’s largest companies and brands are not immune, Sony was hacked and thieves got away with the data of more than 100 million users, including over 12,000 unencrypted credit card numbers.
2012: Hacktivist group “The Consortium” exfiltrates 40 million plain text credit card numbers from porn site operator Digital Playground (don’t worry, that link goes to a news story).
2013: Double feature? Target is stunned by a Black Friday attack that nets hackers more than 40 million card numbers plus personal data on up to 70 million customers, while high-end retailer Neiman Marcus is hit at the same time.
2014: While not yet confirmed, it appears Sears may have been breached in an attack that looks similar to the Target and Neiman Marcus incidents. Meanwhile, HR employees at The Home Depot were caught stealing employee data from 20,000 individuals (abusing legitimate access) and using that data to open fraudulent credit card accounts.
And for 2014, it’s still only March!
Are we learning a lesson?
If you invest the time to read about these breaches, some common themes emerge:
1. Companies with locked down perimeters still leave their organizations vulnerable to illegitimate use of legitimate access
2. Attacks often go unnoticed for months or years, and organizations typically don’t understand the full scope of their breach even years after it is disclosed
3. Hackers are becoming more organized and sophisticated every year
So what can be done?
Of course, Courion and other IAM solution providers have some good ideas. Start by shifting resources into securing and monitoring the “new” perimeter: user access. As Chris Sullivan points out in “Inside Out Thinking”, if 50% of your risk is from the insider threat or “access as the new perimeter”, then consider why 50% of your IT budget is not focused there. As further confirmation, Kurt Johnson’s post on “Intelligent Intelligence” cites the Verizon Data Breach Investigations Report statistic that 76% of network intrusions exploited weak or stolen credentials.
Once you have that budget shifted, start by using it on end user education. The people you let into your network (employees, contractors and customers) are often the soft underbelly of your security program. Most of them don’t want to be, but they may lack the knowledge or sophistication needed to be an IT security asset. Don’t assume they know what phishing, malware or password best practices mean to your ability to protect critical resources.
Next, review your core IAM program. Is it just a tool to make IT more efficient or does it provide the intelligence to help spot attacks as they are happening? As an example, are you reviewing or recertifying access entitlements every six months, or do you have the capability to look for problem access on a continuous basis and require managers to review access as it becomes risky?
Finally, make sure you have a 24x7 monitoring capability – just like you do for your perimeter – that will alert you to attacks as they happen. And when you see these attacks – shut off the offending access immediately.
You can ask questions later, but you don’t want to be on the “top 10 breaches” list next year.
Anyone who has played or watched rugby closely knows about the dark arts of the rugby scrum (not to be confused with the software development method!)
These are dirty tricks and illegal moves that are committed in the scrum out of sight of the referee to gain an unfair advantage.
The casual fan has no idea when this happens, and many players on the field don’t recognize it either, unless they are on the receiving end. But they see and feel the results as their offense gets disrupted and the whole team is now at a disadvantage.
Kind of like data breaches. You don’t know where it is coming from or when it happens, but once the damage is done, it is too late. As a chart in the Verizon data breach report shows, the time lag from initial compromise to discovery and successful containment can be weeks, months or even years.
Now we know that the Target Corporation’s data breach was not discovered for about 31 days, well after the damage was done to customers. It also resulted in a near term revenue decline and the latest casualty from the fall-out is the CIO who recently resigned.
So what are your defenses against the dark arts? Rugby players love to debate this topic at post-match social functions. But business professionals have to treat it far more seriously. Don’t let your scrum collapse, get in touch with Courion to understand how to answer the critical questions “Who has access to what resources?” and “Are they using that access appropriately?”
For additional insight on the Target data breach, I highly recommend viewing Courion’s recent webinar. And if you are in London the week of March 17 please visit Courion at Gartner’s Identity & Access Management Summit.
The 3 V’s (Volume, Variety and Velocity) of Big Data have become more relevant in the complex world of Identity and Access Management than ever before. In the midst of dealing with the high volume, variety and velocity of information, organizations not only have to streamline the process of how access is granted and revoked and ensure a high level of productivity, but they also have to reduce risks and maintain high security standards.
Volume: Data seems to be around forever. Many organizations still use data that was created 15 years ago or more. Considering that there is so much information from applications and systems that have been around for a long time, do organizations have all of the information they need? Has the need for new information diminished? The obvious answer to both of these questions is No! In fact it is quite the opposite. The amount of new information has increased exponentially and many if not most organizations have petabytes of information in storage.
Variety: Very few organizations have a single platform, a single source or a single format for information. Operating systems, directories, databases, applications, unstructured data sources such as file shares, and social media feeds such as LinkedIn, Facebook and Twitter all form sources and destinations for information. Each system processes information in a variety of formats such as text files, word documents, presentations, images, videos, or messages.
Velocity: The popularity of mobile devices and the explosion of social media have completely changed the way we obtain and consume information. Information is available to us at our fingertips and organizations are increasingly providing their employees with mobile capabilities.
All of these elements present a very challenging situation for organizations. It has become increasingly difficult to answer questions such as
– Who has access to applications and what level of access do they have?
– Do the right people have the right level of access?
– What information is being accessed and who is accessing it?
– What are the riskiest applications?
These are just a few examples of the types of questions that organizations seek answers for. But the factors already discussed in this post have made it extremely difficult, if not impossible, to manually find answers to these questions. Organizations struggle to get a handle on what causes risk and to act upon those risk factors in a timely fashion.
The key is to be able to harness relevant information such as identities, policies, and access rights from any data source, analyze it, and embed the resulting intelligence in provisioning, de-provisioning and compliance reviews. Privileged accounts, abandoned accounts, orphaned accounts, users who have excessive access compared to their job role or their peers, unused entitlements, the riskiest applications and policy violations are some examples of the information that needs to be analyzed to effectively implement a secure, robust and intelligent IAM solution.
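The checks listed above (orphaned and abandoned accounts, and entitlements that are unusual for a user’s peer group) are mechanical once identity, account and entitlement data are joined. The following is an added example, not Courion code and not Access Insight: it runs those three checks over a constructed HR roster, account list and entitlement map. The 90-day dormancy window and the 25% peer-prevalence threshold are assumptions chosen for the demonstration; the same kind of continuous check is what the earlier post meant by reviewing access as it becomes risky rather than once every six months.

```python
"""Access-intelligence checks over joined identity, account and entitlement data.

Added example; not Courion code. All input records are constructed inline and
the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2014, 3, 14)   # constructed "as of" date
DORMANT_DAYS = 90           # assumption: no login in 90 days = abandoned
PEER_PREVALENCE = 0.25      # assumption: flag entitlements held by < 25% of role peers

# Constructed HR roster: identity -> (job role, employment status)
HR = {
    "alice": ("accounts-payable", "active"),
    "bob":   ("accounts-payable", "active"),
    "carol": ("accounts-payable", "active"),
    "dave":  ("accounts-payable", "active"),
    "frank": ("accounts-payable", "active"),
    "erin":  ("dba", "terminated"),
}

# Constructed accounts: (system, account name, owning identity or None, last login)
ACCOUNTS = [
    ("erp", "alice",     "alice", TODAY - timedelta(days=2)),
    ("erp", "bob",       "bob",   TODAY - timedelta(days=1)),
    ("erp", "carol",     "carol", TODAY - timedelta(days=5)),
    ("erp", "dave",      "dave",  TODAY - timedelta(days=200)),
    ("erp", "frank",     "frank", TODAY - timedelta(days=3)),
    ("erp", "erin",      "erin",  TODAY - timedelta(days=3)),    # terminated, still logging in
    ("erp", "svc_batch", None,    TODAY - timedelta(days=400)),  # nobody on file owns it
]

# Constructed entitlements: (system, account) -> set of entitlement names
ENTITLEMENTS = {
    ("erp", "alice"):     {"ap.invoice.view", "ap.invoice.pay"},
    ("erp", "bob"):       {"ap.invoice.view", "ap.invoice.pay"},
    ("erp", "carol"):     {"ap.invoice.view", "ap.invoice.pay"},
    ("erp", "frank"):     {"ap.invoice.view", "ap.invoice.pay"},
    ("erp", "dave"):      {"ap.invoice.view", "ap.invoice.pay", "ap.vendor.create"},
    ("erp", "erin"):      {"db.admin"},
    ("erp", "svc_batch"): {"ap.invoice.pay"},
}


def orphaned_accounts():
    """Accounts with no active owner in HR: unowned, or owned by someone no longer active."""
    findings = []
    for system, acct, owner, _ in ACCOUNTS:
        if owner is None:
            findings.append((system, acct, "no owner"))
        elif HR.get(owner, (None, "unknown"))[1] != "active":
            findings.append((system, acct, f"owner {owner} not active"))
    return findings


def dormant_accounts(today=TODAY, limit=DORMANT_DAYS):
    """Accounts that have not logged in within the dormancy window."""
    return [(s, a) for s, a, _, last in ACCOUNTS if (today - last).days > limit]


def peer_outliers(prevalence=PEER_PREVALENCE):
    """Entitlements a user holds that few active peers in the same HR role hold.

    Each finding is (identity, (system, entitlement), share of peers holding it).
    """
    role_members = defaultdict(list)
    for ident, (role, status) in HR.items():
        if status == "active":
            role_members[role].append(ident)
    # Roll account-level entitlements up to the owning identity.
    owner_ents = defaultdict(set)
    for system, acct, owner, _ in ACCOUNTS:
        if owner is not None:
            owner_ents[owner] |= {(system, e) for e in ENTITLEMENTS.get((system, acct), ())}
    findings = []
    for role, members in role_members.items():
        counts = Counter(e for m in members for e in owner_ents[m])
        for m in members:
            for e in sorted(owner_ents[m]):
                share = counts[e] / len(members)
                if share < prevalence:
                    findings.append((m, e, share))
    return findings


def access_risk_report():
    """The three checks together, as a reviewer-facing summary."""
    return {
        "orphaned": orphaned_accounts(),
        "dormant": dormant_accounts(),
        "peer_outliers": peer_outliers(),
    }


if __name__ == "__main__":
    for section, items in access_risk_report().items():
        print(section)
        for item in items:
            print("  ", item)
```

Note what the three checks catch in the constructed data: a service account nobody owns, a terminated DBA whose account is still in use, an employee who has not logged in for 200 days, and an accounts-payable user who alone among peers can both create vendors and pay invoices. None of these would show up in a routine certification, because every account is technically valid.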
My previous blog was about weather – well, that weather caused an ice dam, and that ice dam caused a small roof leak. When I saw the small outline of water on the wall in my home, my first thought was not, “Well, it looks like I need to paint the wall.” My first thought was, “Well, I better find and fix that leak before I have a serious problem.”
That water stain got me thinking about other warning signs, and what people do about them:
– Tire pressure light: Put air in your tires
– Pants too tight: Go on a diet, and workout
– Chest pain, nausea, and pain in your arm: Go to the emergency room
All of these signs are time sensitive. They may turn out to be nothing, but you don’t want to wait until you have a flat, your buttons pop, or you’re unconscious before doing something.
I bet Target, the NSA, RSA, and countless other organizations wish they had had a real-time warning that a breach was imminent. Do you wish you had a warning indicator when hackers are trying to exploit vulnerable accounts? Well, one exists. Unfortunately, you may not have implemented it yet.
Traditional compliance is like painting over a water stain on a wall once a quarter, while Access Insight is like monitoring for the leak minute-by-minute and fixing the roof at the first drip of water.
Most of us are familiar with purchasing insurance to protect ourselves from unforeseen events and potential loss of our valuable assets. Sometimes, insurance is mandated in order to secure financing for the purchase of a home or a car. In other cases, we may opt to carry insurance to protect our families against loss of income should something happen to us. Alternatively, we may possess valuable assets such as rare pieces of art, precious jewelry, or expensive electronics and we may want to have the ability to replace the cost of those treasured items if there was an intruder who knew how and when to break in and steal our property.
The same is true for companies that want to protect themselves against the liability that occurs if, or when, protected health information, intellectual property, company confidential financial data, or other personally identifiable information is compromised through unauthorized access to company assets. Interestingly, the need for insurance against such threats, or “cyber attacks”, has been recognized for a decade as reported by the Boston Globe in an article published on February 17, 2014.
The article cites that Liberty Mutual Insurance has had a 30% increase in sales of cyber insurance policies in the past year. That statistic emphasizes the trend that what used to be optional is now becoming a necessity. Companies cannot afford the risks associated with the loss of information, damage to their brand, and costs associated with violation of federal regulations. The cost of purchasing insurance is more predictable and helps protect the company.
Let’s consider the fact that purchasing insurance only helps to mitigate the costs after a breach has occurred. The damage has already been done, and there is no guarantee, as pointed out in the article, that insurance will cover all of the costs associated with the cyber attack. Insurance is essentially a backup plan in the event that a breach occurs. It may protect against some of the costs, but it won’t repair a damaged reputation.
Now let’s consider what a company can do to prevent attacks from occurring in the first place. For many areas of vulnerability there are long-standing methods of combating threats to networks, data, and security.
Acknowledging the increasing risk of a cyber attack is a huge stride towards making sure that your company is ahead of the curve and leveraging the tools available to minimize the risk of potential threats. The latest area emerging to combat cyber threats is intelligent IAM. Intelligent IAM uses information collected from your infrastructure to reduce the threat surface, detect aberrations in real time and help ensure that company security policies are met on an ongoing basis.
We now know that Edward Snowden used security credentials provided unwittingly by colleagues at a base in Hawaii to access some of the classified material he leaked to the media.
This news provides a case in point for my October 2013 blog post, which shared this statistic from a recent Forrester Research report: 36% of information losses are due to inadvertent misuse of data by employees. Insider threats are just that, threats, and should be treated with just as much gravitas as defend and detect strategies for external cyber threats.
If you don’t think the inside threat of a data breach by employees is important, consider the results of a survey Courion conducted in collaboration with Harris Interactive in May of 2013:
—Nearly 1 in 5 employees (19 percent) age 18-34 who work in an office setting would take company information like customer data, price lists or product plans with them if they knew they were about to be terminated.
—Nearly 1 in 6 employees (16 percent) in an office setting have been able to use old user IDs and passwords to access a former employer’s computing systems.
Education and training of employees should be your first move, and you should make it now. While we do not endorse any specific employee education resource, you may find the information provided by the non-profit National Cyber Security Alliance here a useful starting point.
After employee education, what else should you do? With the media heralding every new data breach as a “the sky is falling!” event, most CISOs are ready to take action to reduce the risk of an inside threat, but just how, exactly? In a late January post on this blog, my colleague Kurt Johnson outlined a few steps you can take right now:
—Look outside AND in. First, hackers are not limited to external parties trying to break into systems by unauthorized means. A lot of very serious harm can be done by people with legitimate access doing bad things with it.
—Re-examine access privileges in light of the fact that many breaches involve insiders. Second, the Snowden case points out how much harm can be done from unauthorized access. Critical data is not just that governed by regulation. There is more and more critical company information available and accessible that could cause an organization significant harm if stolen.
—Examine user access behavior relative to role, relative to peers and relative to historical behavior. Third, user activity is a key ingredient in telling authorized from unauthorized access, and it needs to be examined in the context of identity. Most likely the computer activity performed by these employees was atypical of what they usually do and atypical for people in their job functions and roles. A routine user certification review certainly would not have indicated any threat, given that the accounts were valid. This is exactly where an identity and access intelligence tool such as Access Insight comes in handy.
—Create strong employment policies so you have a legal leg to stand on.
—Finally, effective policy creation and communication is critical.
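The third step above (compare a user’s activity to their own history and to their peers) is the one that catches a valid account being used in an unusual way, which is what a certification review of valid accounts cannot. Here is an added example of that comparison, not Courion code and not Access Insight. It scores each user’s activity for the day under review against their own 14-day history and against same-role peers on the same day, using median and MAD rather than mean and standard deviation so that one extreme value does not distort the baseline it is being measured against. The daily counts (distinct sensitive documents read) and the threshold of five MAD-scaled deviations are constructed assumptions.

```python
"""Behavioural baseline: a user's activity versus their own history and their peers.

Added example; not Courion code. Sample counts are constructed and the
threshold is an assumption.
"""
import statistics
from typing import Dict, List

ROBUST_Z_THRESHOLD = 5.0  # assumption: flag when > 5 MAD-scaled deviations from baseline
MAD_SCALE = 1.4826        # puts MAD on the same scale as a standard deviation for normal data

# Constructed: every user below is in the same job role.
ROLE = {"alice": "analyst", "bob": "analyst", "carol": "analyst",
        "dave": "analyst", "eve": "analyst"}

# Constructed: distinct sensitive documents read per day, 14 days of history per user.
HISTORY: Dict[str, List[int]] = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":   [9, 11, 10, 12, 10, 9, 11, 10, 12, 11, 10, 9, 11, 10],
    "carol": [13, 12, 14, 12, 11, 13, 12, 14, 13, 12, 11, 13, 12, 13],
    "dave":  [10, 12, 11, 13, 12, 10, 11, 12, 13, 11, 12, 10, 11, 12],
    "eve":   [11, 10, 12, 11, 11, 12, 10, 11, 12, 11, 10, 12, 11, 11],
}

# Constructed: the day under review. dave read 640 documents.
TODAY: Dict[str, int] = {"alice": 14, "bob": 10, "carol": 12, "dave": 640, "eve": 11}


def robust_z(value: float, sample: List[int]) -> float:
    """Deviation of value from the sample median, in units of scaled MAD.

    The scale is floored at 1.0 so a perfectly flat history cannot divide by
    zero or turn a one-document change into a huge score.
    """
    med = statistics.median(sample)
    mad = statistics.median(abs(x - med) for x in sample)
    scale = max(MAD_SCALE * mad, 1.0)
    return (value - med) / scale


def score(user: str) -> Dict[str, float]:
    """Score one user against their own history and against same-role peers today."""
    own = robust_z(TODAY[user], HISTORY[user])
    peers = [TODAY[u] for u in TODAY if u != user and ROLE[u] == ROLE[user]]
    peer = robust_z(TODAY[user], peers)
    return {"user": user, "self_z": own, "peer_z": peer}


def anomalies(threshold: float = ROBUST_Z_THRESHOLD) -> List[str]:
    """Users whose activity is unusual both for them and for their role.

    Requiring both comparisons to trip avoids alerting on a whole team that is
    legitimately busy (quarter end) while still catching a single account that
    is suddenly used very differently from anyone doing that job.
    """
    flagged = []
    for user in TODAY:
        s = score(user)
        if s["self_z"] > threshold and s["peer_z"] > threshold:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for user in TODAY:
        s = score(user)
        print(f"{user:6} today={TODAY[user]:4} self_z={s['self_z']:8.1f} peer_z={s['peer_z']:8.1f}")
    print("flag for immediate access review:", anomalies())
```

Because the peer comparison uses the median, dave’s spike does not raise the peer baseline for alice, bob, carol and eve, so only dave is flagged; with a mean-based baseline, one outlier can hide itself by dragging the average up. In an operational setting the flagged account is the one whose access you shut off first and ask questions about later, as the earlier post puts it.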
The words “weapon of mass destruction” are not a common household term, but it is one that is often bandied about in my home. This has come about because my husband is an academic whose entire career has focused on nuclear weapons, arms control, and American defense policy. So we often characterize household issues using uncommon vernacular that fits within these categories.
It occurred to me recently that while “weapon of mass destruction” has been used for the past 80 years to identify chemical, nuclear and biological weapons, there is another weapon lurking out there that can also be characterized as a WMD because it too can cause great harm and destruction. And while the magnitude of this new weapon can’t be compared to the loss of life caused by atomic missiles and chemical weapons, the magnitude of destruction it can cause is also massive. While this new threat can be characterized as a “weapon of terror” or a “weapon of intimidation”, it is more commonly known as “cyber technology threat”. Regardless of the specific designation, however, the bottom line is that all these weapons cause significant, destructive impact within seconds of reaching their target. And the targets themselves can vary from cities, to specific individuals in enemy territory, to network systems, to private health care information, to our personal financial information, to our children’s school and sports schedules.
The opportunity for this new WMD to cause harm presents itself in a seemingly innocent and innocuous way. It begins with a password. It begins with access. And here again, the analogy to the nuclear world is very clear. Unauthorized access has been a challenge and major concern since the first atomic bomb was designed. Imagine a stereotypical movie scene in which two military personnel desperately struggle to reach the missile launch switches that must be thrown simultaneously? Or the codes which are dispersed so that no one individual has the power to authorize a missile launch? We take great care to manage access to nuclear power in whatever form. We must now take great care to prevent access by the new WMD.
These threats clearly occur at multiple levels: threats to individual privacy, to corporate information and operations, to critical social infrastructure (electricity grids, for example), and even to military activities. And we have seen incidents of these threats continue to rise in number as technology becomes more sophisticated and we become more dependent on new technologies to navigate through our daily lives as students, farmers, sports enthusiasts, software programmers, or professionals.
Intelligent IAM is the best defense system that can be installed to manage access risks. Think of it in the same way we think of missile defense systems. Think of it as an Early Warning System that initiates alerts to possible issues and questionable behaviors. Think of it as a system that prevents massive destruction by the new WMD, cyber technology threat.