Daily Archives: January 7, 2019

Championing Equality: McAfee to Achieve Gender Pay Parity in 2019

Recently, the World Economic Forum revealed it will take 202 years for women to achieve economic gender parity at our current rate. Two hundred and two. Let that sink in for a moment. Doesn’t quite seem right, does it? At McAfee, we believe every single employee should be compensated fairly and equally for their individual contribution and impact to the company, regardless of gender. Which is why we’re committed to acting now to address any gender pay parity discrepancy in the first half of 2019.

This announcement underlines our unwavering commitment to inclusion and diversity. When McAfee reaches global pay parity in 2019, we will be the first pure-play cybersecurity company to do so. And while study after study reinforces the simple fact that diversity drives prosperity, we’re still falling short with just 11% female representation in cybersecurity.

 

Making significant progress is not going to happen overnight. It also won’t happen on its own. We need greater collaboration to help drive the actions that will change the conversation. So in the spirit of transparency and sharing best practice, here are five steps McAfee is undertaking to achieve gender pay parity:

  1. We define pay parity. At McAfee, pay parity means fair and equal pay for employees in the same job, level and location, controlling for pay differentiators such as performance, tenure and experience, regardless of gender.
  2. We review our employee data integrity. Audit employee job codes to ensure they appropriately represent the employee’s role.
  3. We analyze our data. Group employees by job code, level and location to evaluate any gaps outside of the predetermined controlling factors.
  4. We adjust pay. If a gap is found between females and males within the group, our purpose is to ensure nothing about a person’s gender is causing the discrepancy and to make adjustments if needed.
  5. We uphold pay parity. This will not be just a point in time review, but an annual analysis to stay the course. But maintaining pay parity also means keeping it at the forefront throughout the year—from our hiring practices to how we promote and reward our employees.

In these five steps lies a momentous promise to equality. Each day, I’m proud to work alongside a team dedicated to creating a workplace where all voices, perspectives and experiences are welcomed, where everyone can belong. But our investment in pay parity is among the most important steps in showing our people we value them, equally.

With this commitment, we continue to live our values, build an inclusive culture, create better workplaces and build stronger communities. I’m honored to join companies beyond the world of cyber already striving towards pay parity and I hope more will join us in reaching this milestone in equality.

Ready to work for a company committed to equality? McAfee is hiring!

Disclaimer: This blog was originally published on LinkedIn

The post Championing Equality: McAfee to Achieve Gender Pay Parity in 2019 appeared first on McAfee Blogs.

Marriott Confirms Less Than 383 Million Unique Guests Affected in Starwood Data Breach


Marriott has confirmed that the number of guests affected in the breach of Starwood’s guest reservation database is down from the originally estimated 500 million to “fewer than 383 million unique guests.” At this time, the hotel giant is unable to confirm an exact number of guests impacted.

According to the statement, approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers were stolen. Attackers also accessed 8.6 million unique payment card numbers, all of which were encrypted, but only 354,000 cards were active and unexpired at the time of the breach. In its earlier notice in November of last year, the hotel giant confirmed that there had been unauthorized access to the Starwood network since 2014.

Marriott said that it has completed the phase out of Starwood’s reservation database, and now runs guest bookings through its Marriott database, which wasn’t accessed in the breach.

A Breach of Immense Scale and Scope

According to an initial report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. At this time, the company was still trying to determine whether the encryption keys had also been stolen.

In a statement published on Nov. 30, Marriott said that it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US on Sept. 8, 2018. An investigation into the incident confirmed that an attacker had copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.

Marriott reported the incident to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott’s headquarters are in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach.

To read initial coverage of this story, with commentary from Veracode Co-Founder and CTO Chris Wysopal, click here.

Top Ways to Get ROI From Your AppSec Program

When you make an investment in an application security program, you’re expecting to derive value from the initiative; in other words, you’re expecting to get some kind of return on your investment. After more than 10 years working with organizations to implement and build out application security programs, we have a pretty clear sense of what that value is. We find that the value derived from an AppSec program stems from:

  • Cost-effectively scaling secure software delivery
  • Rapidly reducing the risk of breach from insecure software
  • Making security a competitive advantage
  • Meeting the compliance requirements of customers and regulators

But you won’t reap these benefits unless you follow best practices and implement certain facets of an application security program. Those who simply plug in a tool and focus on scanning only will not derive the value listed above, but might in fact hinder the progress and productivity of their development teams.

You won’t get a solid return on your AppSec investment unless you consider application security a program, not a tool, and work to incorporate several best practices that go beyond simply scanning your code. Those best practices include:

Secure coding education: Prevention is key to deriving value from application security, and the best way to prevent security-related defects in your code is to train your developers to identify and avoid them. Even better, provide targeted training that homes in on specific defects emerging in your code. This is especially important because the reality is that most developers simply don’t have the skills or experience to code securely. We recently conducted a survey that found that the vast majority of developers don’t get security training either in school or on the job. And we’ve seen first-hand the effects of educating developers on secure coding – our customers who take advantage of eLearning on secure coding improve their fix rates by 20 percent.

Integrated and automated testing: You will lessen the value derived from application security testing if it hinders and slows your development process. And human intervention will slow you down. True value lies in maintaining your development speed while producing high-quality, secure code. You won’t achieve this unless security testing is integrated into development processes, and automated as much as possible. For instance, embed testing into the development process as developers are writing code. In addition, automate testing in the CI/CD pipeline, and automatically open and close tickets related to security issues. The more you can automate and integrate, the more value you will see.

Remediation guidance: Ultimately, application security offers very little value if you aren’t fixing the defects you find and reducing your risk of breach. But, as mentioned above, most developers are not trained to identify or remediate security-related defects. With remediation guidance, developers will efficiently and effectively fix what they find, and learn to do so going forward. With this know-how, you’ll derive both real risk reduction and a real boost to your bottom line. We’ve found that our customers that take advantage of remediation coaching see a 70 percent improvement in fix rates over those that don’t.

Security champions: Security skills are hard to come by, application security skills even harder. Leverage your security team and its skills without adding headcount by creating security champions. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance. In the end, security champions will help you derive more value from your application security program without incurring significant costs.

For more information

We know application security can produce a solid return on investment, but only if you understand what that return looks like and the best ways to achieve it. Get more details on boosting the ROI from your AppSec program, and measuring that ROI, in our eBook, Making Application Security Pay.

Kicking off CES 2019 with New Security Solutions and Collaborations

Today, we at McAfee are announcing some exciting new security solutions and integrations at CES in Las Vegas. For those of you who are unfamiliar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. McAfee now delivers protection to more than 500 million customers worldwide, and we understand the importance of creating new solutions for those who want to live their connected lives with confidence. To help empower our customers to do this, we’ve added to our security lineup and are working with other tech innovators who understand the importance of protecting users’ online safety.

One addition to our lineup of security solutions is McAfee Gamer Security. In a recent gaming survey, we discovered that 75% of gamers are worried about the security of gaming as online threats continue to rise. To help combat these threats, we developed McAfee Gamer Security, which protects gamers while optimizing their gaming experience. Some of the product’s key features include Game Mode, a gamer-centric interface, and minimal security resource consumption. These features help optimize gamers’ computing resources, provide system status updates, and equip users with lightweight security protection.

In addition to our latest product advancements, we’ve also teamed up with other companies looking to better the cybersecurity landscape for consumers. The first is Google. In order to further simplify the process of securing today’s connected home, McAfee will provide McAfee Secure Home Platform voice commands for the Google Assistant. McAfee Secure Home Platform provides an extra layer of security to help automatically protect all of the connected devices on the user’s home network. Soon, Google Assistant users can easily manage their connected home security by just using their voice.

While it’s important to secure the connected home, it is also important to protect your mobile and IoT devices. According to McAfee Labs 2019 predictions, cybercriminals will leverage trusted devices like smartphones and tablets to try and access users’ IoT devices in the upcoming year. To help customers stay safeguarded from this threat, we’ve teamed up with Verizon to protect their home networks through Verizon Home Network Protection. This McAfee-powered solution helps Verizon Fios customers stay secured against malicious websites, provides parental controls, and protects all devices connected to their home network.

Furthermore, we at McAfee and Dell have teamed up to protect consumers and small businesses as they enjoy the benefits of today’s technology. To do this, we’ve expanded our collaboration to provide pre-installed McAfee software on PCs and laptops globally to both consumer and small business customers. Customers who purchase a new laptop or PC will also have the option to extend McAfee protection beyond their Dell device to their smartphones and tablets. This allows users to have a more robust security shield around all of their connected devices, creating a safer overall online experience. Dell consumer and small business customers who purchase Dell Inspiron, XPS, Vostro, and G-Series laptops will receive a 30-day or 1-year subscription. Customers who purchase Alienware, OptiPlex, Latitude, and Precision will have the option of adding a 30-day free subscription or purchasing a 1-year subscription.

Another one of our latest innovations is the addition of Cryptojacking Blocker to McAfee WebAdvisor. As we observed in our latest McAfee Labs report, coin mining malware is on the rise, growing more than 4000% in the last year. Cryptojacking Blocker helps protect users from having their devices hijacked without their knowledge or permission. The tool helps prevent websites from mining for cryptocurrency and is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

So far, CES 2019 has proven that innovation will continue to evolve, just as the cybersecurity landscape will continue to mature. By working together to improve the technology that protects connected devices, we can help users optimize their digital life without compromising their online safety.

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking off CES 2019 with New Security Solutions and Collaborations appeared first on McAfee Blogs.

How do data breaches happen

Data breaches happen.

Today, as never before, data plays a fundamental role in our real life. Everybody is both a data producer and a data consumer. We are data producers simply by moving from one building to another with a smartphone in our pocket, by surfing the web, or just by tapping on smartphone applications. We are data consumers when we buy things on Amazon, when we read information on social networks, or again when we consume raw data through an API. Some refer to data as the "new oil" (a concept usually credited to Clive Humby). Data is what we leave in the digital world, and it is very close to our physical life. Data is what we are in cyberspace. Data is what we need to protect.

Protecting our private data is like protecting ourselves in the cyber world, and for that reason the protection needs to be regulated (as GDPR teaches us). So it might be very interesting to understand how data breaches might happen.

Unfortunately, there is no standard path to protect: for example, a data breach might come through an insider attack, by clicking on a malspam campaign, by falling for email phishing, or again through common vulnerabilities. But one of the main paths, so far, is driven by vulnerabilities. One of the vulnerabilities most exploited by attackers to illegally collect data is SQL injection. It is pretty easy to detect and to exploit, even for unsophisticated attackers. On the other side of the coin, there are a lot of frameworks, design patterns and methodologies to prevent and block such a vulnerability. From here, I started my research. I wanted to prove that SQLi vulnerabilities are quite "rare" (or difficult to find) in 2019, but, unfortunately, I acknowledged that I was wrong when I found these fresh pastes (here, here and here). The "possible attacker" exposed a set of "presumed" SQLi-vulnerable websites harvested in a matter of 24 hours of internet scanning.

Principal domain names with SQLi

According to the "pastes", the attacker harvested circa 327 vulnerable websites in less than a day! So let's dig a little bit into them to see if we might find some interesting correlations.

A first interesting result comes from the first-level domain names. Leaving out ".com" (which actually is the most commonly used domain name), it is possible to see additional interesting domain names such as ".ca", ".it", ".ir", ".ch", ".il" and so on, which are mostly "country"-based domain names. I agree with those who might think that the dataset used could not be considered a "significant dataset", since 24 hours of internet scraping is far, far, far away from giving a significant view of the internet, but we might agree that it could be considered an "indicative dataset". In other words, if in only 24 hours of internet scraping he/she found circa 327 vulnerable websites, let's imagine what an attacker could do with weeks or months of scraping power. It is still interesting to see that no specific geographic targets and/or country patterns emerged (for example: only richest/poorest countries, or European countries, or countries with cyber activists, or countries in a war conflict, etc.), suggesting that the issue (having SQLi-vulnerable websites) is still quite widespread all over the world. The following map shows the geo-distribution of domain names; domains such as ".ld", ".dk", ".nz", ".ug", "gk", ... took a single hit, so they are not visualised.

Domain Names Geographically Distributed

The following histogram shows the percentage of web server technology found in "presumed" vulnerable websites. Apache and Nginx are the most commonly used technologies. I am not saying that Apache and Nginx are vulnerable to SQLi or that they might somehow lead to or enable vulnerable web pages. Nor am I saying that they are responsible in any way for serving vulnerable applications. Indeed, vulnerable applications do not have a direct link to the web server used; I am just observing the analysed data. It could be an "obvious consequence", since Apache and Nginx are the most used technologies on the web, or maybe not.

Percentage of web server technology in front of vulnerable websites

A little bit more interesting is the distribution of DB technology used in presumed SQLi-vulnerable websites. It might highlight the application "type". For example, we might believe that applications built on top of Microsoft Access are quite "old applications" (this is not always true, I'm aware of it, but it might be an indicative parameter to be considered in SQLi research), or that applications built on top of Oracle databases might be corporate applications and not open-source and/or "mockup" applications. Or we might stretch this concept a little bit by assuming that applications built on top of Microsoft SQL Server might be professional/company applications, and so on and so forth. Of course, we cannot reason the same way starting from MySQL or PostgreSQL, since both of them are used in open-source/free applications as well as corporate and professional ones.

Percentage of database technology in the backend of vulnerable websites

Conclusions:

Every day we read about personal data breaches. One of the latest ones happened in German politics (more info here, here and here).

Data breaches might sap our companies and our digital identities; regulations have been made to try to normalise and block breaches, but unfortunately in 2019 it is still easy to get random personal data out of the internet. In this personal research, which started on the darkweb and finally ended up on a "paste" website, I found out that a common and quite easy way to mine personal data, even in 2019, is through SQL injection, which is surprisingly still effective despite hundreds of countermeasures (such as frameworks, design patterns, native parametrised queries, etc.). The main reason for the circa 327 vulnerable websites found in less than a day (according to the pastes found) is un-patched software versions. In fact, it could be easy to find common Google dorks in the attacker's patterns. Blocking well-known SQLi vulnerabilities is as simple as patching your website. Please do it for the safety of your users.
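
The difference between a query built by string concatenation and a native parametrised query, one of the countermeasures named in the conclusions, shown as an added example that is not part of the original post. The `users` table, its rows, the input values and the function names are constructed for illustration; the code uses Python's built-in `sqlite3` module.

```python
import sqlite3

# Constructed sample data; the table and column names are hypothetical.
ROWS = [
    (1, "alice@example.test", "Alice"),
    (2, "o'brien@example.test", "Pat O'Brien"),
    (3, "carol@example.test", "Carol"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, email):
    """Vulnerable 'before': the input becomes part of the SQL text itself."""
    sql = "SELECT id, name FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, email):
    """Hardened 'after': the input is bound as a value and never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run both lookups on a fresh database and return (before, after)."""
    conn = make_db()
    try:
        before = lookup_concat(conn, email)
    except sqlite3.Error as exc:
        # A stray quote breaks the concatenated statement outright.
        before = "error: " + type(exc).__name__
    after = lookup_param(conn, email)
    conn.close()
    return before, after


if __name__ == "__main__":
    samples = (
        "alice@example.test",    # ordinary value: both forms agree
        "o'brien@example.test",  # legitimate quote: concatenation fails
        "nobody' OR '1'='1",     # quote changes the WHERE clause's meaning
    )
    for value in samples:
        before, after = compare(value)
        print(repr(value))
        print("  concatenated :", before)
        print("  parametrised :", after)
```

The concatenated form both rejects a legitimate address containing an apostrophe and returns every row for the third input, while the parametrised form treats all three inputs as plain data.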