Every January, our blog feeds and magazine headlines are full of the top 5, 10, or 20 trends for the coming year; do we ever hear if they were right? How did those things impact our industry? Did our diligence in these subjects really pay off? Rather than giving you five more things to look out for, I'm taking a look back on what the experts highlighted for 2015 to discuss both how they have impacted us so far and if/how your focus should shift for the remainder of the year.
Here is a list of my 2015 mid-year trends to watch:
1. Stolen Credentials
We all know that the biggest headache for any security team lies within employee credentials. So far this year we have seen breaches at OPM, Anthem, and UCLA Health that together exposed tens of millions of records (Anthem alone reported roughly 80 million). Even the services that supposedly keep our passwords safe aren't immune, as we saw in the case of the LastPass breach.
These hacks, along with the thousands of others we don't hear about, prove that passwords and other credentials are more valuable to attackers than ever. What I believe this will lead to is the wider implementation of multifactor authentication. Apple already lets banking and other apps accept a Touch ID fingerprint in place of a typed password; that is a convenient second way to unlock the device rather than true multifactor authentication, but it has made users comfortable with something other than a password. I believe that not only will more consumer applications adopt a second factor for their customers but also that security teams will require multifactor authentication in order to access their companies' sensitive data.
2. Internal Breaches
We've already discussed the breaches of Anthem, LastPass, UCLA and OPM; one thing they have in common is that all were disclosed within the past six months, and in each case the attackers ended up operating with valid credentials inside the network rather than battering the perimeter. This trend isn't going to stop, because people are continuously finding ways around the firewall.
Am I saying to forget your firewall? Of course not. Everyone needs a fence around their important property, and that's what the firewall does. However, with the rising trends of outsourcing, consulting, interns and other non-employee access, you sharply increase your risk by providing access that isn't always managed correctly and isn't shut off when it should be. Keeping an eye on your user access is more important than ever, and I see the call for real-time monitoring taking over by the end of the year.
3. Ransomware and Extortion
Last year's breach of Sony Pictures wasn't ransomware in the strict sense (nothing was encrypted for payment), but it was extortion on a grand scale: the attackers held stolen information and released it slowly while pressing Sony with demands to stop the leak. This year extortion has taken center stage again, most recently with four New Jersey online casinos that were hit with distributed denial-of-service attacks and told to pay a bitcoin ransom to make them stop.
While this was clearly an issue for the targeted casinos, it widened the attack surface for everyone around them. A flood aimed at the casinos also degrades service for anyone in the area who shares the same ISP, whether or not they were the target. Were the other companies on that ISP as lucrative as the casinos? Maybe not today. However, this shows us the power of attackers not only to steal our information but to turn our own infrastructure against us.
4. Internet of Things & Bring Your Own Device Risks
The Internet of Things (IoT) has become one of the hottest topics in the industry, but how has it affected us so far? While smart refrigerators, coffee makers, and the like might not be showing up in your office yet, the IoT is alive and well and shows itself most often in your employees' devices.
Employees bringing their own devices doesn't just mean smartphones or tablets; now we have smart watches, wearable fitness devices, and more. Constantly syncing over Bluetooth, these devices not only change how we consume personal data but also open a window into our company's data and the portals we are connected to. It is estimated that these devices numbered 21M in 2014 and will increase to 150M by 2019, a compound annual growth rate of roughly 48%. The IoT and bring-your-own-device questions I see in the near future are as simple as "will hacking your Apple Watch affect entry into your organization?"
5. Nation-State Attacks
North Korea didn't want to see "The Interview", and while I don't blame them, I also think that a massive breach of Sony Pictures was a bit over the top. While this may have been the first widely publicized nation-state breach, it is far from the first time one country has breached another.
Last month's Hacking Team breach exposed a customer list spanning governments in more than 10 countries, including several US agencies such as the DEA, the FBI, and the Department of Defense. Mix this with the allegations that the OPM hack was instigated by China and we have a whole new issue. Will hacking tools be defined as the new weapons of mass destruction?
While these certainly weren’t the only trends to watch in 2015, they were consistently mentioned by industry experts. I happen to agree that these five issues are ones to watch and will continue to evolve and change how we do business.
However, these aren't the only risks that we are seeing now, nor are they the only ones to affect our future. If you are worried about the risks you face in your organization or how to protect yourself against these risks, comment below, contact us at info.courion.com or tweet us @courion.
It started with baseball; now it looks like another sport has been infiltrated by hackers. Team Sky, a professional cycling team competing in the Tour de France, has come forward with allegations that critics hacked into their system and stole training data for one of its cyclists. Watch the video for the full story. Saul O'Keeffe, Itsecurityguru.com
Is this a sign companies are finally realizing that security belongs in the development stage and not after implementation?
According to this article, "more than 60% of all new vehicles by 2016 are expected to be connected to the Internet" so several car manufacturers have joined to form an alliance to help secure systems in our cars. Kelly Jackson Higgins, Darkreading.com
A few months ago, United Airlines launched a "bug-bounty program" which invited anyone and everyone to try and hack into their systems for a reward of one million miles. Well, the company met its match in Jordan Wiens. Read on for more on the program, Jordan, and the safety of flight systems. Kim Zetter, Wired.com
Darkode is no more! While this is a very "1 down, 800 to go" situation, let's celebrate and marvel at some of the crazy illegal things they had for sale. Cale Guthrie Weissman, Businessinsider.com
According to Vaas, "enterprises are throwing lots of money, time and staff at security, but it's not hitting the things that truly worry security experts." Our question is, are these really the issues that worry you? Let us know in the comments or tweet us @Courion. Lisa Vaas, Nakedsecurity.com
Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage the risk?
With an increasing number of computers and other devices, and more ways for users to reach resources, monitoring and managing complex user access rights becomes harder every day. The stresses and strains on access can come from all over, but the most common offenders are:
- Routine changes such as hiring, promotions or transfers
- Infrastructure changes such as mobility, cloud adoption, system upgrades, or new application rollouts
- Business changes such as reorganizations, the addition of new products, or new partnerships
In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds, and ensuring that you are fully compliant is more difficult than ever. This increase in regulations, along with the increase in complexity of access rights, makes identity and access governance a red-hot priority.
Want to know more about how Identity and Access Governance can help lessen your risk? Read more by downloading our eBook and learn about:
- How to remain compliant with an IAM solution
- Preparing for an attack
- Automated provisioning
- And more
Four online casinos were asked to pay bitcoin ransoms to avoid cyber attacks
In a move that would make Danny Ocean proud, a new crop of casino robbers has left the Vegas strip and found new success online. According to the article, "four New Jersey-based casinos were asked to pay a bitcoin ransom after being hit with distributed denial-of-service attacks." While it lacks the finesse of Ocean's 11, it does sound a lot easier than breaking into the Bellagio. Stan Higgins, Coindesk, Businessinsider.com
Email worries: providers name their top health data security risks
A few weeks ago, we brought you a blog on Healthcare's Unique Security Challenges, and it looks like we aren't the only ones diving into ways to increase security. The Advisory Board Company named email worries, compromised applications, and hackers as three of the top health data security risks. Read more to see if you agree. Advisory.com
It's time we stopped calling Millennials "dumb" about data privacy
Full disclosure: I am a Millennial so it's no surprise that I agree with this article. However – putting my bias aside – I think this is a great look into why security teams shouldn't confuse this generation's sense of self with its sense of security. John Zorabedian, nakedsecurity.com
Hacking Team 0-Day Shows Widespread Dangers of All Offense, No Defense
You've heard the old saying "the best offense is a good defense" and this article agrees. With last week's Hacking Team breach, we saw how the issue of strong password practices once again can help keep you safe. Read more on passwords and how to #DefendfromWithin. Sara Peters, Darkreading.com
The insane ways your phone and computer can be hacked-even if they're not connected to the internet
Do you know what's inside your smartphone? Learn how these tiny machines can give away even more of your information than you thought possible, as well as seven other ways your phone and computer can be hacked. Cale Guthrie Weissman, Businessinsider.com
This week the popular blog "Global Accountant" posted an article titled "The Cyber Threat Within- A Third of British Accountants Breach IT Policies". One third? Sad, but true. The article goes on to state that one of the biggest threats for cyber-attacks comes from inside their network due to employees ignoring their IT policy. Would you believe that over 40% of these accountants knew their IT policy but chose to ignore it?
What are they thinking? Don't they know better? Lifeline IT co-founder and Director, Daniel Mitchell, is quoted saying, "It’s clear that the majority of accountants are security conscious about IT on the home-front but have a different attitude at work."
This got me thinking - if one-third of your staff is breaching your IT policy, then what can you do to defend within? How do you protect your intellectual property when everyone has access and too many people aren't thinking about the consequences of their actions?
There are four ways that you can defend against internal attacks and we share them with you today.
1. Role-Based Access
With hundreds or thousands of users on your network, it can be overwhelming to try to provision everyone with the correct access in a timely fashion. With people moving into your system every day, it quickly becomes a game of numbers, with countless unique identifiers all sending in requests for access they think they need. The result is a backlog of requests, a long wait for access, and too often unnecessary access rights being granted, leaving you vulnerable to a breach.
Rather than dealing with these headaches, you could handle provisioning by role-based access. This way, if you are a member of the development team, when you go online to request access to network systems you are led to the development applications rather than having to pick and choose from each and every application in the company. If you request an application that is within your role, you are granted access instantly rather than waiting on approval for something as simple as email. Not only does this save time for the user by helping them choose what to ask for, it also cuts down the number of excessive access requests, giving only the right people access to your critical applications.
2. Access Management
Every organization, no matter how big or small or what industry you are in, has the same three types of users: Joiners, Movers and Leavers. What do each of these have in common?
They need to have their access immediately changed with their status. Joiners need access to systems such as email, time cards, and internal network files on the day they start. Movers need to have access rights changed as soon as their role changes. While these two users are important to your organization the most important to your security are the Leavers.
In a study reported by SC Magazine, 1 in 5 employees still have access to the internal systems of their previous jobs. 1 in 5! When an employee is terminated, regardless of reason, their access needs to be terminated immediately. Is your system set up to handle this?
3. Segregation of Duties
Wouldn't it be great to be able to set and approve your own budget? What about requesting and approving a purchase order? While this does sound dreamy, it also sounds like a nightmare for your finance department. In order for your organization to uphold the checks and balances of its systems, from budgeting to systems access, there needs to be segregation between requestors and approvers.
When you assign Segregation of Duties at the beginning of your project you are essentially saying what each user is allowed to do and not do and put in place barriers to keep these issues from happening.
4. Real-Time Monitoring
Auditing is most likely your least favorite time of the year. However, the fact that you only audit once or twice a year means that you are only giving yourself one or two chances to find errors in your system. With real-time monitoring, like the monitoring with an intelligent IAM system, you can see into your system at any time as well as be alerted when things look wrong. If four new users are granted access to a critical application in one week, would you notice? With real-time monitoring you would be alerted to this event so that you can investigate and mitigate the risk of a breach.
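The four controls above are easy to describe and easy to get wrong in practice, so here is an added example (not Courion's code and not part of the original post) that turns each one into a check you could run against an HR feed and an entitlement store. Every user, role, application and timestamp is constructed for the demo; the role model and the "four users in one week" threshold are assumptions chosen to match the text.

```python
"""Added example, not code from Courion or the page's author: toy identity
governance checks over a constructed user directory and access-request log.
It shows the four controls discussed above as runnable checks:
  1. role-based access     -> entitlements a user holds outside their role
  2. joiner/mover/leaver   -> terminated users who still hold access
  3. segregation of duties -> requests where the approver is also the
                              requester or the beneficiary
  4. real-time monitoring  -> N distinct users granted one critical app
                              within a sliding one-week window
Every name, role, application and timestamp below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Role model (assumed): the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "developer":  {"email", "git", "ci"},
    "finance":    {"email", "erp", "payroll"},
    "contractor": {"email", "git"},
}
CRITICAL_APPS = {"erp", "payroll"}

# Constructed HR feed: employment status and current role per user.
HR = {
    "alice": {"status": "active",     "role": "developer"},
    "bob":   {"status": "active",     "role": "finance"},
    "carol": {"status": "terminated", "role": "finance"},    # leaver
    "dave":  {"status": "active",     "role": "developer"},  # moved out of finance
    "eve":   {"status": "active",     "role": "contractor"},
    "frank": {"status": "active",     "role": "finance"},
}

# Constructed entitlement store: what each account actually holds today.
HELD = {
    "alice": {"email", "git", "ci"},
    "bob":   {"email", "erp", "payroll"},
    "carol": {"email", "erp"},              # never deprovisioned
    "dave":  {"email", "git", "payroll"},   # payroll left over from old role
    "eve":   {"email", "git", "erp"},       # erp is outside the contractor role
    "frank": {"email", "erp", "payroll"},
}

# Constructed access-request log: (timestamp, user, app, requester, approver).
GRANTS = [
    ("2015-07-01T09:00", "bob",   "payroll", "bob",   "mgr1"),
    ("2015-07-02T10:00", "dave",  "payroll", "mgr2",  "mgr2"),   # approver == requester
    ("2015-07-03T11:00", "eve",   "erp",     "eve",   "mgr1"),
    ("2015-07-05T13:00", "eve",   "payroll", "eve",   "mgr3"),
    ("2015-07-06T08:00", "frank", "payroll", "frank", "frank"),  # approved own request
    ("2015-07-20T09:00", "bob",   "erp",     "bob",   "mgr1"),
]


def excess_access(user):
    """Entitlements `user` holds that their current role does not grant (control 1)."""
    allowed = ROLE_ENTITLEMENTS[HR[user]["role"]]
    return sorted(HELD.get(user, set()) - allowed)


def leavers_with_access():
    """Terminated users whose accounts still hold any entitlement (control 2)."""
    return sorted(u for u, rec in HR.items()
                  if rec["status"] == "terminated" and HELD.get(u))


def sod_violations(grants):
    """Grants where the approver is also the requester or the beneficiary (control 3)."""
    return [(ts, user, app) for ts, user, app, requester, approver in grants
            if approver in (user, requester)]


def critical_grant_bursts(grants, window=timedelta(days=7), threshold=4):
    """Alert when at least `threshold` distinct users are granted the same
    critical application within `window` (control 4). Returns
    (app, window start date, users) tuples, at most one per application."""
    by_app = defaultdict(list)
    for ts, user, app, _, _ in grants:
        if app in CRITICAL_APPS:
            by_app[app].append((datetime.fromisoformat(ts), user))
    alerts = []
    for app, events in sorted(by_app.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts.append((app, start.date().isoformat(), sorted(users)))
                break
    return alerts


def governance_report():
    """Run every check; this is what a continuous governance job would emit."""
    excess = {u: excess_access(u) for u in HR}
    return {
        "excess_access": {u: ex for u, ex in excess.items() if ex},
        "leavers_with_access": leavers_with_access(),
        "sod_violations": sod_violations(GRANTS),
        "critical_grant_bursts": critical_grant_bursts(GRANTS),
    }


if __name__ == "__main__":
    for check, findings in governance_report().items():
        print(f"{check}: {findings}")
```

On the constructed data the report flags dave's leftover payroll access and eve's out-of-role ERP access, carol as a leaver who was never deprovisioned, two self-approved grants, and four distinct users granted payroll inside one week. In a real deployment the HR feed and entitlement store would be pulled from the directory and the target applications, and the burst check would run on each new grant event rather than over a static list.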
5. Build a Security-Aware Culture
This tip is a freebie. One of the best ways you can protect against a breach in your system is by building a security-aware culture. In Global Accountant’s article, they mentioned that 42% of the accountants knew the IT policy. That means 58% of them didn’t know the policy. Educated users make better decisions. By building a culture that is aware of the risks to themselves and the company, you expand your security team exponentially. When your organization buys in to your security strategy they become more aware of risks, take more precautions against them and become a new line of defense against attacks.
Are you currently monitoring these four internal risk factors? Have you experienced a breach by not following one of these? Do you even know what risks are currently in your system?
With an Identity and Access Management solution, you can keep up with all of these risks and more at the same time. Using our solutions, we can perform a quick scan of your system and tell you where your risks lie and how you can protect against cyber-attacks.
For more information on how to manage risk in your organization or to have a quick scan of your current systems, contact us today at firstname.lastname@example.org.
Happy #TechTuesday everyone! This week went a little password crazy, and we like it. Which method would you take to protect your password and how easy do you think it will be to hack these new processes? Let us know in the comments or tweet us @Courion.
We know that stolen credentials are the number one headache for security teams, and a lot of that has to do with the ease with which passwords are hacked. Medium is taking away the typical password and will now use your email address to send you a link to log in, much like a password reset tool. While Medium claims this will be more secure, is it worth the extra time to log in?
Cale Guthrie Weissman, BusinessInsider.com
I'll admit it, this is my favorite news article of the week. Did you think the fingerprint scanner on your iPhone was cool? Well MasterCard is taking it a step further by allowing you to approve purchases by scanning your face. Marketed for the new "selfie generation", MasterCard believes that this will cut down on user fraud. Just make sure you're not having a bad hair day.
Jose Pagliery, @Jose_Pagliery, CNN Money
Have you seen the decorations proclaiming "Home is where your Wi-Fi connects automatically"? Well, Microsoft's Wi-Fi Sense in Windows 10 is going a step further by letting anyone you give your Wi-Fi password to potentially share it with all of their friends. These "friends" could be of the Facebook, Outlook, or Skype variety. Microsoft says it's a security feature, not a flaw; what do you think?
In possibly the most delicious hack ever, a team of Israeli security researchers at Tel Aviv University have developed a way of stealing encryption keys using a cheap radio sniffer and a piece of pita bread. Truly a sight to see.
Lee Munson, NakedSecurity.com
Flight delays just got a little more advanced. LOT Polish Airlines was hit by a cyber-attack on its flight-planning systems that grounded around 1,400 passengers after a dozen or so flights were cancelled. There was never any danger to passengers because the attack affected planes on the ground, not in the air. However, the company says that the hack could happen to anyone, at any time, making this a worldwide issue.
Wiktor Szary and Eric Auchard, Reuters.com
If you liked last week's blog about the unique challenges facing healthcare today, then you'll love this look into how medical devices are becoming "key pivot points" in the war against hackers and cyberattacks.
Megan Williams, Business Solutions- bsminfo.com
Do you BYOD? As if security wasn't already difficult enough to control within your network and its devices, now security teams have to worry about the exponential threat of “bringing your own device”. This article gives 8 best practices for BYOD security and an insightful look at this new challenge.
Keith Poyster, ITPortal.com