In possibly the most delicious hack ever, a team of Israeli security researchers at Tel Aviv University have developed a way of stealing encryption keys using a cheap radio sniffer and a piece of pita bread. Truly a sight to see.
Lee Munson, NakedSecurity.com
Flight delays just got a little more advanced. A Polish airline was hit by a cyber-attack, grounding around 1400 planes. There was never any danger to passengers because the attacks happened while no planes were in the air. However, the company says that the hack could happen to anyone, at any time, making this a worldwide issue.
Wiktor Szary and Eric Auchard, Reuters.com
If you liked last week's blog about the unique challenges facing healthcare today, then you'll love this look into how medical devices are becoming "key pivot points" in the war against hackers and cyberattacks.
Megan Williams, Business Solutions- bsminfo.com
Do you BYOD? As if security wasn't already difficult enough to control within your network and its devices, now security teams have to worry about the exponential threat of “bringing your own device”. This article gives 8 best practices for BYOD security and an insightful look at this new challenge.
Keith Poyster, ITPortal.com
In the past few weeks, the U.S. Government has repeatedly been in the news for its recent hack—allegedly by the Chinese—which leaked over four million personnel records. However, this wasn't the only group infiltrated by Chinese hackers in the past few months; according to the popular blog Mashable, over four million medical records were also stolen. This hack exemplifies a growing concern and a new set of challenges for healthcare organizations surrounding the use of digital records. Now that healthcare records are all digitized and shared over networks and multiple devices, these records have become very valuable to criminals while hospitals, clinics and other organizations are still trying to find the best way to protect them.
While the issues surrounding digital records and possible breaches are the most often reported, they are not the only challenge unique to healthcare organizations. Aside from keeping your records safe, organizations must concern themselves with personnel issues such as the need for multiple people to have access to records. Not only do doctors and nurses need access to patient records but now the billing department, insurance companies and regulatory committees do as well. Some of these positions can easily be credentialed with role based access; some of them are temporary employees or work across different functional areas and need access to different things at different times. It is hard for the organization to maintain proper access control and security with so many unique needs.
On top of the multiple user access requests are the multiple devices that the information needs to be available on. No longer are records and information kept behind the nurses’ station in folders or on desktops; now healthcare professionals are using multiple laptops, tablets, phones, and other mobile devices in their practices. The need to provision all of these devices for any new employee can take days—if not weeks—to get up and running. There is also the need to be able to remotely wipe access to all information if the device is lost or stolen. According to the most recent Healthcare Breach Report from Bitglass, 68 percent of all healthcare data breaches since 2010 were due to device theft or loss. It is extremely difficult to roll out a process that would cover all of these needs on so many different devices.
One last issue highlighted in the news recently is the vulnerability of specialized medical equipment to hacking. In another Mashable article, it is reported that drug pumps may be hackable in fatal ways because they enable a hacker to increase or decrease the dosage of drugs. One of the reasons it's so hard to regulate these devices is because they are on a closed loop and can't be easily scanned for malware. The IT department cannot add software because it is an FDA issue, and therefore the hospital has a hard time monitoring them. So how is the security team supposed to monitor devices that they do not have full access to and transparency into? For that matter, how is one team going to maintain visibility into all of the moving pieces of infrastructure and personnel in their organization?
The best way to mitigate these risks is to implement an Identity and Access Management (IAM) solution. These solutions are known to improve accuracy through their automated provisioning policies and are also instrumental in providing transparency into all access and credentials in an organization. An IAM program helps with personnel risk by giving role-based access and visibility into all roles and credentials of any individual. It will also automatically grant credentials to any new employee across all devices and will take away that access once he or she is terminated. This provisioning or de-provisioning can be done by any verified owner/administrator both on a desktop and on any mobile device, making the speed and scalability of the project fit to any organization's needs.
The risks for healthcare organizations will continue to grow as both the Internet of Things and the sophistication of hackers mature in the next few years. IAM solutions are driven by real-time data that allow you to make the most informed decisions possible. Imagine having information on what accounts were most at risk so that you could monitor the risk of data breaches; what if you could automatically wipe sensitive data from a laptop when your doctor forgot it on the plane? IAM solutions can allow you to mitigate these risks and give you visibility into your systems. While the risks and attacks will never stop coming for your organization, with IAM, you will have the ability to recognize these attacks sooner and fight back.
Smiley face. Thumbs up. Is that a crab? The language of teens and tweens everywhere may soon be protecting your sensitive information. That’s right, a British firm is trying out emojis in passwords which they believe will lead to better security. The company claims that using emoji passwords is mathematically more secure. We'll let you decide for yourself.
Lucy England, BusinessInsider.com
When the company that promises to keep your passwords safe and secure gets hacked, do you feel safe? The good news here is that because of their authentication data, it doesn’t look like the hackers were able to get into encrypted user data.
Paul Ducklin, NakedSecurity.com
We've grown used to seeing hacks on banks, retailers, and others with sensitive information that they can sell or share. However, hacking has now made its way to America's favorite pastime. In the last week, the St. Louis Cardinals were accused of hacking into the Houston
Michael S. Schmidt, NewYorkTimes.com
While we have all become savvy to the Nigerian Prince Email scam, there is a new phishing attack on the horizon and it’s coming from the inside. Bonnier Publications was the target of an attack that cost them $1.5 million in transfers. Hackers accessed credentials for a previous CEO and used his email account to order accounts payable to electronically transfer $3 million to a Chinese bank. Luckily the publisher caught on before the second payment was due.
Ashley Carman, SCMagazine.com
Another mobile hack? That’s right, it was reported this week that possibly 600 million handsets are vulnerable to an attack that allows hackers to take photos and read texts on your phone. Users are being urged to stay away from unsecure Wi-Fi networks until the bug is fixed. No word yet on if you can use this as an excuse for all of those selfies.
Sarah Griffiths, MailOnline
In part one of this blog, we shared reasons why your security team may not be able to sleep at night: risks to your information technology infrastructure that may be caused by risk from identities and their access. We discussed the most common access risks—from the routine to those caused by changes in the business—and provided some reasons why you may want to look inside, and not just invest in perimeter security. If you haven’t yet read part one, you can do so here.
So now that we know what the risks are, let’s discuss ways to mitigate these access risks and gain visibility into your organization.
Identity and Access Management Controls
When we look at provisioning identities or certifying access for governance, it quickly becomes a rubber-stamping process. You want to make sure the right people have the right access but what if you don’t know what that person needs for his or her job? Do you reject or approve? Other than a slowdown in productivity, there is no bad outcome if you don’t approve access, but instead request additional sign-offs. After all, with hundreds of thousands of people and identities, access rights and roles, policies and regulations, actions, and resources, you have trillions of access relationships to manage.
In a survey conducted by Courion about the access risks that cause the most anxiety, number one on the list—at 46 percent—was privileged account access; that is, accounts such as those used by administrators that have increased levels of permission and elevated access to critical networks, systems, applications, or transactions. Other anxiety-causing access issues that accounted for 31 percent were unnecessary entitlements and abandoned or orphaned accounts. What this tells us is that over half of the anxiety in your organization is based on provisioning.
To effectively address this issue, we need to start looking at not just passing our audit at the end of the year but also at the true impact of risk created through increased or inaccurate access credentialing on an ongoing basis.
But what if with each request you received you also knew the perceived risk of approving or rejecting it? What if you could take a look at all of your credentials across your system and see who was the greatest risk? That’s where an intelligent or risk-aware identity and access management tool comes in.
With risk-aware IAM you have the ability to automate your provisioning process to keep your backlog at a minimum and still ensure that you are provisioning the correct access to your employees without just rubber-stamping an approval. With intelligence driving your provisioning and governance you can see risks long before you have an issue. Imagine if you were able to log in and see access credentials listed like this:
We need to understand these access risks on a scale from low risk to high. Provisioning today includes a request, a policy evaluation, and a quick approval or rejection of the request. At Courion, we see things differently. If the request is seen as a low risk item, then it gets passed through and fulfilled in our automated system.
But for other access requests which may represent some risk, the access request will require an approval or both an approval and a micro certification.
This micro-certification, or risk-based certification review, provides holistic context around the information being examined, thus allowing an IS manager to make an informed decision on whether a user’s access is suitable or not before granting access. By performing these narrowly focused micro-certifications, organizations can reduce access risk in a smarter, more efficient way on the front end of the request to guard against over- or under-privileged accounts.
Intelligent IAM is the next-level evolution of traditional IAM. Each process is led with intelligence with front end approvals and risk assessments that allow near real-time decisions that manage and mitigate risk to the company. According to Gartner, “By year-end 2020, identity analytics and intelligence tools will deliver direct business value in 60 percent of enterprises, up from less than 5 percent today.”
Through continuous monitoring and analytics applied to your provisioning and governance activities in real time, you are able to see the most up-to-date information thus allowing your company to truly make data-driven decisions. With intelligence driving policy, provisioning, and access decisions, you can mitigate risk in real time and have better visibility into your organization.
Are you looking for more visibility into your company’s identity and access risk? With a Quick Scan assessment of your organization’s access risk we can help you take a quick look into your security measures and provide you with a plan of what you can do to mitigate those risks. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at firstname.lastname@example.org.
Think you caught everything this week in the world of Cybersecurity? Here is a list of the top articles that grabbed our attention.
Security Metrics - Don't be thrown off by the haircut analogy; this blog is a great look at how we translate our efforts into a meaningful context. Security and IT departments are missing a way to communicate their value in terms that non-security professionals can understand and evaluate and Joshua does a great job of bringing this to light.
Joshua Goldfarb, DarkReading.com
'Your PC May Be Infected!' Inside the shady world of antivirus telemarketing - We all spend money securing the perimeter—holding up the firewall—but do we spend enough time training all of our employees on the possibility of PC security scams? This $4.9 billion industry is built around calling, emailing, or sending pop-up messages to your employees warning them about a breach and offering to help.
Jeremy Kirk, CSOOnline.com
Why the Firewall is Increasingly Irrelevant - Funny how we discussed last week at Ping’s Cloud Identity Summit that up to 85% of security budgets are being spent on protecting your perimeter and that your biggest threats are from inside the organization. Asaf Cidon has a different take on the same concept: protecting the perimeter is futile.
Asaf Cidon, DarkReading.com
The Rise of Cyber Extortion - We all remember the Sony hack and the introduction of the first widespread use of cyber extortion. It looks like the holding hostage of the Sony data was just the beginning in the rise of this new cyberattack. From denial-of-service attacks to ransomware, this is a great article updating us all on the rise of cyber extortion.
Danielle Au, Security Week
Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage the risk?
Most Common Risks
With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are:
• Routine changes such as hiring, promotions or transfers
• Business changes such as reorganizations, the addition of new products, or new partnerships
• Infrastructure changes such as mobility, cloud adaptation, system upgrades, or new application rollouts.
In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.
What is Identity and Access Governance?
Identity and access governance tools establish an entire lifecycle process for identities in an organization, providing comprehensive governance of not just the identities but also their access requests. These lifecycle decisions are developed through real-time intelligence and are informed by an organization’s processes. When we are preparing for an audit we have to ask questions we had never been asked before: Who has access to what? What does that access allow them to do? And why do they need that access? IGA helps to answer those questions up front to ensure that every identity has the right access, to the right things, at the right time.
When the internet was brand new, an organization had one room with only two to three people having access to resources. As a result, there was a pretty low risk of anyone hacking their way in. Now, our data centers are everywhere from a server room in a remote location to the cloud of everywhere-ness.
The result is that we have a broader and ever exploding attack surface and diversity of infrastructure. You’ve heard of the “Internet of Things” and these “things”, that is, Internet-enabled devices and resources, such as a building thermostat or a household appliance, have increased the attack surface tenfold.
Unfortunately, we also are faced with a super sophisticated attacker ecosystem. Hackers are now working collaboratively, looking for weaknesses in your infrastructure and are armed with increasingly sophisticated and specialized tools and services. It may only take a hacker a few minutes to get into your system, but now they know that the payoff is worth waiting days or even months for the perfect time to strike.
The Issue of Compliance
If you look at the most recent Verizon PCI Compliance Report you will see that the average organizational compliance is at 93.7%. However, when you break that number down into the number of fully versus partially compliant firms, you will see that only 20% are ‘fully’ compliant. So if as organizations we collectively are compliant at 93.7%, then why has the total number of security incidents detected increased 48% since 2013? The answer is that we need more visibility into our systems. The top audit findings for the reasons behind these attacks are:
• Excessive access rights
• Excessive developers’ access to production systems and data
• Lack of removal of access following a transfer or termination
• Lack of sufficient segregation of duties
The biggest risk here is credentials. The number of stolen credentials is no surprise when you consider the number of transfers and terminations and accounts with excess access to sensitive systems that may remain active.
According to the Verizon Data Breach Investigations Report, 2015, when asked if their organization is able to detect if access credentials are misused or stolen, 42% of companies surveyed in the report said they are not confident in their ability. Even worse, according to CSOOnline, 66% of board members are not confident of their companies’ ability to defend themselves against any cyberattack. For those of us on the information security team, that shows a lack of boardroom trust in our capabilities.
Why do board members have so much trouble trusting our cybersecurity measures? Consider the fact that in 60% of cases, attackers are able to infiltrate the system within minutes and it typically takes information security around 225 days to find the breach. Just recently, the U.S. government Office of Personnel Management was hacked and more than 4 million current and former government employees may be affected. While investigators have known about the breach since April, they are still trying to determine what was hacked and what information was leaked since it could have been up to six months since the attackers initially gained access into the system.
Preparing for an Attack
This attack makes us think about the elements of an attack and where our federal government’s systems may have broken down. The elements of an attack are:
While we have anti-virus and anti-malware to fend off some of these attacks, and DLP and SIEM processes in place to fend off or detect others, we do not have the ability to fully defend against access targets and lateral movement once access is gained. What this means is that even though we are spending money, sometimes up to 85% of our budget, on defending the perimeter, we have little to no security on the inside stopping hackers once they have penetrated our networks.
Are you ready for an attack on your system? Do you have a plan for internal and external breaches? Do you know your current risk? In part 2 of “Assessing the Risk of Identity and Access” we will discuss ways you can measure your perceived risk and ways to monitor your access rights to ensure true compliance.
Want to know your risk? Contact us today for an Access Risk Assessment of your system to identify your risks today.
The new Operational Center of Excellence in Roswell, Georgia will serve as the global headquarters for all Courion operations. This move was a very strategic decision. According to the Georgia Department of Economic Development, more than 25% of the worldwide security revenue market share comes from companies in Georgia. This move positions Courion with fellow thought leaders in security enterprise software with access to the best talent and most up to date trends and information in the securities industry.
While we are making continued changes here at Courion, there is one thing that will not change: our mission to help customers succeed in a world of open access and increasing threats.
At CONVERGE, I laid out our three-pronged approach to making this mission a reality which included investments in human capital, product management and organic and inorganic growth. Our relocation to Roswell ties directly to our investment in human capital. We see this as commitment to our customers and our teams to not only hire the best minds in the business but to continuously provide them the training needed to be at the top of their field.
This move is just one example of the ways we are working to improve our service to our customers. In the way of product management we have hired a new team, including a UX designer, and have assigned product owners who will be able to connect with you, our customers and partners, to make sure that your needs are fulfilled in our products.
At CONVERGE, we discussed the acquisition of Bay31. This falls in line with our last tenet of change, a commitment to organic and inorganic growth. This acquisition will increase our abilities in the intelligence space and will give customers access to better information as well as allow our product development team new programs and information systems that they could previously only dream of.
This is just the beginning of a fresh start for Courion. Coming out of CONVERGE we committed to more communication regarding product updates, better customer support, and real-life examples of using our products in your business. These programs are in the works and you will start to see the results of these efforts very soon.
As always, we will remain laser-focused on our mission to help our customers succeed, and I believe that creating this new Center of Excellence in Roswell is just the beginning of a bright future.
Summertime. If the baseball teams are traveling, so are we! Connect with Courion as we hit the road for two of the information security industry’s most popular events.
From Monday June 8th through Thursday June 11th, you can find Courion at the Gartner Security & Risk Management Summit in our nation’s capital, Washington, D.C. Do let us know if you are attending so we can connect with you.
And while we don’t possess Hermione Granger’s Time Turner from the popular Harry Potter series, you can also find us some 2,685 miles away at the Cloud Identity Summit in San Diego, which also runs from June 8–11.
If you will be at Cloud Identity Summit, make sure to attend the session on "Assessing the Risk of Identity and Access" on Wednesday June 10th at 9:45 a.m. PDT led by Courion VP of Marketing & Product Management Venkat Rajaji.
Venkat’s session will share how you can enhance traditional governance and provisioning with continuous monitoring, analytics, and intelligence so your organization is more risk-aware, even in a world where the mix of cloud and enterprise legacy applications and resources may present an identity and access management challenge.
So whether you are on the east or west coast or somewhere in-between, we hope you will make the time to connect with Courion.
Cybersecurity Ventures, a research and market intelligence firm focused on companies in the cyber security industry, which it states is projected to grow to more than $155 billion by 2019, recently published the ‘Cybersecurity 500’, what the firm describes as a list of the world’s hottest and most innovative cyber security companies.
We’re delighted that Courion was recognized on the list.