At Apple’s World Wide Developers Conference last week, the message was all about Privacy. Apple has been more privacy-minded than other tech companies – that’s not news and it’s why I have an iPhone. They’ve introduced some interesting privacy features, such as showing location tracking, which I think is pretty cool. I don’t leave my […]
For years, organizations have recognized the need to pay close attention to and manage the access that their employees have with the help of identity governance and administration solutions. More recently, organizations are also being faced with the reality that they need to apply the same level of governance to non-employees as well. According to a 2018 Opus-sponsored Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. Many of these breaches go undetected. With most organizations agreeing that third-party cybersecurity incidents are on the rise, non-employee access management is more important than ever.
Access by non-employees like contractors, vendors, students, or consultants face additional challenges when it comes to entitlements. How does an organization ensure that a non-employee can get into the systems they need to do their job, while still enforcing enough limitations to avoid becoming a security risk? Read on to learn more about why non-employees present a unique challenge to identity and access management programs, how industries like healthcare handle managing their privileges, and best practices to find the balance between granting permissions and reducing risk.
What makes access for non-employee so challenging?
Non-employees often need to be onboarded quickly, since they may only be temporary members of the organization. Contractors or consultants, for example, need to quickly be able to log on and get to work. Organizations with no identity governance and administration (IGA) solution, or a very limited identity and access management (IAM) program, likely do not have a way to easily limit access or keep track of those with non-employee status. Oftentimes there is no “non-employee” designation in the system, or security teams lack a centralized inventory of users, allowing atypical IDs to slip through the cracks.
Even businesses with IGA solutions may end up quickly classifying consultants as employees as far as IT is concerned. Since these roles are typically not vetted as thoroughly as a full-fledged employee would be, giving them standard access may open the door to serious security issues. Providing a contractor with full employee access defies the principle of least privilege, since contractors don’t require access to nearly as many systems and applications but will be able to log into them anyway.
Additionally, non-employees may be not be working in your specific infrastructure as often, making them more prone to mistakes, making full access to sensitive information or data particularly risky. Some of the largest breaches have come from stolen non-employee credentials that allowed a hacker to get in through the front door.
Finally, non-employees tend to come and go far more frequently than employees, leaving behind an unused, but still active account. These orphaned accounts are key targets for threat actors looking for a way to get inside a system without setting off any alarms. Since the owner of the account isn’t using it, it may be too late before it’s noticed that it’s being utilized for malicious purposes.
Best practices for non-employee access
Luckily, there are a few tangible ways to solve the potential challenges related to non-employee access. An organization with a solid IGA program can safeguard their infrastructure by a few important guidelines:
- Have a way to identify and manage non-employees.
There are many ways to manage non-employees. For example, you could add non-employees to your HR system, segment them appropriately, and manage their contract status. If this is not possible within an organization, the right IGA solution can be configured to be the central repository for non-employee identities and have convenient methods for inputting relevant information about them as well as enforce appropriate controls to manage them more closely.
Whatever approach an organization chooses, the most important part is to regularly ensure these non-employee user accounts are correct and up to date. The work of a contract employee can often vary depending on the project. Without regular check-ins, entitlement creep and orphaned accounts may begin to occur. That is, a contractor simply gains additional access without removing privileges they no longer need, or the account is left active after the contractor has left the organization.
- Follow the principle of least privilege.
All IGA identity governance and administration programs should begin with the principle of least privilege. That is, no employee or non-employee should have more access than needed to get their job done. This is best achieved through role-based access, which provides permissions based on roles, instead of individual entitlements. Roles can easily be applied to well-managed non-employees as well as employees.
- Have processes in place for efficient, but accurate onboarding and offboarding.
Manual provisioning can be labor intensive and take weeks before a new employee has access to every area they’ll need. This can lead to a frustrating experience for both the employee and non-employee and will cost the organization time and money. However, sloppy onboarding for the sake of speed can lead to security risks. While off boarding does not seem as time sensitive since no one is waiting on access, it is even more important from a security perspective.
Use Case: Non-Employees in Healthcare
Healthcare is a perfect example of an industry that needs to have a comprehensive yet flexible way of managing non-employees. It is highly regulated industry with a significant number of non-employees Potentially challenging use cases include the following:
Many doctors and clinicians that work in hospital systems are not actually employed by the hospitals themselves. They may be employed by a clinic or medical group that has established a partnership allowing them privileges at the hospital.
While they may not be official employees, this group need access to many of the systems within the hospital network. Not having access to scheduling software, communication applications, alerting systems, and of course, electronic health records (EHR) can put lives as risk. It is also important to make certain that the status of a physician’s relationship with the hospital is up to date and that access is removed when it is appropriate.
However, these doctors do not require access to employee portals that provide benefit and payment information or other human resources related applications. Granularity and visibility into the access via roles is important.
Physicians are perfect examples of a non-employee who will require longer term access, but do not require full access. Best practices and role-based access would ensure that regular entitlement reviews would renew this access as needed, verifying compliance without disrupting patient care.
Whether it be as part of a program to interact with and assist patients, or as part of an emergency response plan, hospitals often have a need to allow volunteers to have access to their resources and patient data. Some may be long-term; others may only last a week. Some come in large groups, others volunteer on their own. Regardless, volunteers still require a certain amount of access. It may be very minimal, perhaps to sign in to track hours and verify that they’re in the building.
With volunteers, it is imperative that their access be managed to a level corresponding with the significance of data they require. Most will not have any medical certifications and should not have any access to health records. It is important to consider the definition of roles for volunteers as well as a repository that can be used to understand their precise needs in relationship with the healthcare systems. Removing even minimal access for volunteers is important when it is no longer needed.
Medical students provide a unique middle ground between physicians and volunteers when it comes to access. While they need access to the EHR system, they may not require the privileges that nurses and doctors are entitled to. For example, a medical student may not need to be able to put through an order for a test or send a prescription to a pharmacy.
Administrators face additional challenges because large groups of students typically start on the same day. Since the window in which they will be working at the hospital is so short, it is important for them to have all of their access needs sorted by day one. Similarly, most students have a shared end date, so offboarding must also be well organized and efficient. Automated deprovisioning is ideal in this scenario, so that orphaned accounts don’t linger for longer than necessary. Continuous review is also still necessary in case a student drops out or transfers.
Managing Everyone with Core Access Assurance Suite
The best way to manage non-employees is with a robust IGA solution that can manage non-employees in addition to standard full-time employee. Core Access Assurance Suite provides the complete context of relationships between users, access rights, resources, user activity, and compliance policies so that you can efficiently use access provisioning to manage a user appropriately from the beginning, using roles as necessary.
Automate the process of creating and managing non-employee accounts and identities as well as their associated access rights across the enterprise. Core Access Assurance Suite also ensures immediate disablement of access rights upon termination for increased security and regulatory compliance.
From long-term employees to short term contractors, our IGA solution will streamline access control and manage risk to provide a secure environment for your organization.
Core Access Assurance Suite provides complete identity, access risk, and compliance management, easily identifying, quantifying and managing the risks associated with information access.
Find out how to manage identites for everyone in your organization with the Identity Governance Toolkit.
The Chrome Extensions ecosystem has seen incredible advancement, adoption, and growth since its launch over ten years ago. Extensions are a great way for users to customize their experience in Chrome and on the web. As this system grows and expands in both reach and power, user safety and protection remains a core focus of the Chromium project.
In October, we announced a number of changes to improve the security, privacy, and performance of Chrome extensions. These changes include increased user options to control extension permissions, changes to the review process and readability requirements, and requiring two-step verification for developers. In addition, we’ve helped curb abuse through restricting inline installation on websites, preventing the use of deceptive installation practices, and limiting the data collected by extensions. We’ve also made changes to the teams themselves — over the last year, we’ve increased the size of the engineering teams that work on extension abuse by over 300% and the number of reviewers by over 400%.
These and other changes have driven down the rate of malicious installations by 89% since early 2018. Today, we block approximately 1,800 malicious uploads a month, preventing them from ever reaching the store. While the Chrome team is proud of these improvements, the review process alone can't catch all abuse. In order to provide better protection to our users, we need to make changes to the platform as well. This is the suite of changes we’re calling Manifest V3.
This effort is motivated by a desire to keep users safe and to give them more visibility and control over the data they’re sharing with extensions. One way we are doing this is by helping users be deliberate in granting access to sensitive data - such as emails, photos, and access to social media accounts. As we make these changes we want to continue to support extensions in empowering users and enhancing their browsing experience.
To help with this balance, we’re reimagining the way a number of powerful APIs work. Instead of a user granting each extension access to all of their sensitive data, we are creating ways for developers to request access to only the data they need to accomplish the same functionality. One example of this is the introduction of the Declarative Net Request API, which is replacing parts of the Web Request API.
At a high level, this change means that an extension does not need access to all a user’s sensitive data in order to block content. With the current Web Request API, users grant permission for Chrome to pass all information about a network request - which can include things like emails, photos, or other private information - to the extension. In contrast, the Declarative Net Request API allows extensions to block content without requiring the user to grant access to any sensitive information. Additionally, because we are able to cut substantial overhead in the browser, the Declarative Net Request API can have significant, system-level performance benefits over Web Request.
This has been a controversial change since the Web Request API is used by many popular extensions, including ad blockers. We are not preventing the development of ad blockers or stopping users from blocking ads. Instead, we want to help developers, including content blockers, write extensions in a way that protects users’ privacy.
You can read more about the Declarative Net Request API and how it compares to the Web Request API here.
We understand that these changes will require developers to update the way in which their extensions operate. However, we think it is the right choice to enable users to limit the sensitive data they share with third-parties while giving them the ability to curate their own browsing experience. We are continuing to iterate on many aspects of the Manifest V3 design, and are working with the developer community to find solutions that both solve the use cases extensions have today and keep our users safe and in control.
Compromised credentials are one of the most common causes of security breaches. While Google automatically blocks the majority of unauthorized sign-in attempts, adding 2-Step Verification (2SV) considerably improves account security. At Cloud Next ‘19, we introduced a new 2SV method, enabling more than a billion users worldwide to better protect their accounts with a security key built into their Android phones.
This technology can be used to verify your sign-in to Google and Google Cloud services on Bluetooth-enabled Chrome OS, macOS, and Windows 10 devices. Starting today, you can use your Android phone to verify your sign-in on Apple iPads and iPhones as well.
FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can’t access your account even if you are tricked into providing your username and password. Learn more by watching our presentation from Cloud Next ‘19.
On Chrome OS, macOS, and Windows 10 devices, we leverage the Chrome browser to communicate with your Android phone’s built-in security key over Bluetooth using FIDO’s CTAP2 protocol. On iOS devices, Google’s Smart Lock app is leveraged in place of the browser.
Until now, there were limited options for using FIDO2 security keys on iOS devices. Now, you can get the strongest 2SV method with the convenience of an Android phone that’s always in your pocket at no additional cost.
It’s easy to get started
Follow these simple steps to protect your Google Account today:
Step 1: Add the security key to your Google Account
- Add your personal or work Google Account to your Android 7.0+ (Nougat) phone.
- Make sure you’re enrolled in 2-Step Verification (2SV).
- On your computer, visit the 2SV settings and click "Add security key".
- Choose your Android phone from the list of available devices.
- On both of your devices, make sure Bluetooth is turned on.
- On your iPhone or iPad (iOS version 10.0 or up), sign in to your Google Account with your username and password using the Google Smart Lock app.
- Check your Android phone for a notification.
- Follow the instructions to confirm it’s you signing in.
We also recommend that you register a backup hardware security key (from Google or a number of other vendors) for your account and keep it in a safe place, so that you can gain access to your account if you lose your Android phone.
According to the SANS CTI 2019 survey results, 72% of organizations either consume or produce Threat Intelligence. Although most organizations have Intelligence data, they struggle with defining requirements and managing Cyber Threat Intelligence (CTI) as a program with measurable output. This likely results from threat data and intelligence being perceived as a technical function unrelated to business objectives.
We need to change this perception.
In my opinion, the key business objectives most closely related to threat intelligence are Risk Management and Cyber Resilience. Threat Intelligence can influence the outcomes of both.
Cyber Resilience itself requires risk management and adaptability. The need for businesses to become more resilient is driving the demand for an adaptable security architecture—one that not only effectively leverages threat intelligence to improve Security Operations, especially Incident Response, but also adapts cyber defenses such as endpoint and network controls to prevent the latest threats.
Meanwhile, regulations focused on improving cyber security are driving a continuous risk management approach. For example, in 2016, the European Union released the NIS (Network and Information Systems) Directive, which provides a legal framework to boost the overall level of cybersecurity in critical industries and calls specifically for threat intelligence and incident sharing among organizations and national authorities. With these drivers in mind, we now need to design a managed process with the goal of creating an efficient way to increase the business value of CTI. We can define this process as follows:
- Discovering the most valuable data sources
- Using automation to collect, investigate, respond and share
- Integrating CTI into cyber defense processes
- Measuring to prove the value of Threat Intelligence
1. Collection, Deduplication and Aggregation
The first step in the CTI Management Process is the collection, deduplication and aggregation of the data or feeds. One of the main gaps at the enterprise level is the collection of local produced Threat Intelligence. Local Threat Intelligence includes data generated from analytics solutions like sandboxes and from incidents. Sandboxes usually produce intelligence data in the form of Indicators of Compromise (IOCs). These local sources could expose targeted attacks, and therefore are potentially the most valuable threat data source.
McAfee’s Open Architecture allows for the production, consumption and sharing of threat intelligence in various ways. Here is an example of how our architecture automates aggregation of various CTI sources with an open-source tool, MISP. The MISP platform subscribes to the McAfee Data Exchange Layer messaging fabric to consume IoCs from McAfee’s Advanced Threat Defense sandbox in real time. Additionally, MISP consumes and manages feeds from open or paid sources, providing an entry-level tool to manage the threat intel process.
Here is another example of how our architecture supports the aggregation process, this time by working with a commercial vendor, ThreatQ.
2. Investigation and Hunting
The second step in the CTI management process is investigation and hunting. Here, the biggest task is figuring out how to make Threat Intelligence actionable, which can be done by answering questions like:
- Have we seen any related artifacts (IP address connections, Hash/File executions) in my enterprise in the past?
- Do we have, right now, any devices that have related artifacts?
Before answering these questions, the right data must be collected from the enterprise sensors. Fundamental information should include IP address connections, file hashes on endpoints, web proxy, DNS and Active Directory logs. These logs provide the necessary data for correlation and historical analysis. The following example demonstrates how the architecture can automate some of the key triage steps.
MISP can push Threat Intelligence into McAfee’s SIEM solution, ESM (Enterprise Security Manager), to automate historical analysis. There, it can query McAfee’s Threat Intelligence Exchange server to identify which systems executed related artifacts, and where and when they did so. Furthermore, MISP can run real-time queries against McAfee-protected endpoints with McAfee Active Response to identify any persistent artifacts that are currently in the enterprise network.
Here is another example working with ThreatQ. This time, ThreatQ interacts with McAfee ESM, Active Response and McAfee TIE to identify systems that have or had artifacts related to Threat Intelligence indicators. These various integrations support manual enrichment task and investigations.
The screenshot below highlights the various McAfee integrations as part of an investigation.
The third step in the CTI Management Process is response. Cyber Threat Intelligence is essential to prevent the latest threats and should be integrated into key cyberdefense countermeasures. The following example demonstrates an automated update process using McAfee’s Open Architecture, with the Data Exchange Layer (DXL) fabric as the key component.
ThreatQ can communicate via the DXL fabric with McAfee technologies. During this process ThreatQ is able to update key cyber defense countermeasure tools with Threat Intelligence to protect against the latest threats.
Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This includes TLP, STIX, TAXII and DXL. These protocols support the automated exchange and governance of the shared data.
Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This list includes TLP, STIX, TAXII and DXL, which feature protocols facilitating the automated exchange and governance of the shared data.
Finally, the value of Threat Intelligence can be proven by measuring a variety of outcomes. The following are some of the metrics commonly quantified and reported on:
- Number of duplicate Threat Intelligence Artifacts removed
- Impact on Mean-Time-To-Respond
- Number of IOCs generated from Threat Intelligence
- Number of incidents identified based on Threat Intelligence
- Number of attacks blocked via Threat Intelligence
The creation and implementation of the right process is critical to the success of Cyber Threat Intelligence within the enterprise. In this blog, we defined a CTI management process of Collection, Investigation, Response and Measurement. McAfee’s research, management platform and open architecture enable you to implement this process and get the best value out of Cyber Threat Intelligence, promoting resilience and enabling better risk management.
Links to additional resources
- MISP Summit 2018
- SECURE Conference
- RISK Conference
- McAfee ATR
- ThreatQ Whitepaper
- MISP Tools
The post Improving Cyber Resilience with Threat Intelligence appeared first on McAfee Blogs.
With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?
It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.
These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.
In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.
Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.
We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:
- Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
- Think before you click. Often times, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
- Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
- Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.
The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.