Daily Archives: June 25, 2019

Catch a Ride Via Wearable

More often than not, commuters and travelers alike want to get to their destination quickly and easily. The advent of wearable payments helps make this a reality, as passengers don’t have to pull out a wallet or phone to pay for entry. Adding to that, users are quickly adopting wearable technology that has this payment technology embedded, causing transportation systems to take notice and adopt corresponding technology as a result. Unfortunately, there’s a chance this rapid adoption may catch the eye of cybercriminals as well.

Just last month, the New York City Subway system introduced turnstiles that open with a simple wave of a wearable, like an Apple Watch or Fitbit. Wearables may provide convenience and ease, but they also provide an open door to cybercriminals. With more connections to secure, there are more vectors for vulnerabilities and potential cyberthreats. This is especially the case with wearables, which often don’t have security built-in from the start.

App developers and manufacturers are hard-pressed to keep up with innovation, so security isn’t always top of mind, which puts user data at risk. As one of the most valuable things cybercriminals can get ahold of, the data stored on wearables can be used for a variety of purposes. These threats include phishing, gaining access to online accounts, or transferring money illegally. While the possibility of these threats looms, the adoption of wearables shows no sign of slowing down, with an estimated 1.1 billion in use by 2022. This means developers, manufacturers, and users need to work together in order to keep these handy gadgets secure and cybercriminals out.

Both consumers and transport systems need to be cautious of how wearables can be used to help, or hinder, us in the near future. Rest assured, even if cybercriminals utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape. In the meantime, consider these tips to stay secure while traveling to your destination:

  • Always keep your software and apps up-to-date. It’s a best practice to update software and apps when prompted, since updates fix vulnerabilities as they are found.
  • Add an extra layer of security. Since wearables connect to smartphones, if a wearable becomes infected, there is a good chance the connected smartphone will be impacted as well. Invest in comprehensive mobile security for your mobile devices to stay secure while on the go.
  • Clear your data cache. As previously mentioned, wearables hold a lot of data. Be sure to clear your cache every so often to ensure it doesn’t fall into the wrong hands.
  • Avoid storing critical information. Social Security Numbers (SSN), bank account numbers, and addresses do not need to be stored on your wearable. And if you’re making an online purchase, do so on a laptop with a secure connection.
  • Connect to public Wi-Fi with caution. Cybercriminals can use unsecured public Wi-Fi as a foothold into a wearable. If you need to connect to public Wi-Fi, use a virtual private network, or VPN, to stay secure.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Catch a Ride Via Wearable appeared first on McAfee Blogs.

The $1.5 Million Email

Ransomware has been around since the late 1980s, but in recent years, it has emerged as one of the largest financial threats facing the public and private sector alike. According to the U.S. Department of Homeland Security, ransomware is the fastest-growing malware threat—and according to a report by Recorded Future in May, more than 170 state and local governments have been the victims of ransomware attacks since 2013.

In addition to improved ransomware capabilities, such as military-grade encryption algorithms, two key factors have emboldened cybercriminals to launch such attacks: the rise of hard-to-trace cryptocurrency such as Bitcoin, and the tendency of unprepared targets to continue meeting scammers’ demands, even as these demands become increasingly audacious.

One such target was the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach, which recently paid a near-record 65 Bitcoins to a gang of hackers after a ransomware attack brought the city to a halt.

On May 29, a city employee opened an email containing a piece of malware, which quickly infected nearly every city computer network. With the municipal computer system held hostage, all operations were hobbled—everything from the city’s website, email server and VoIP phones to the water utility pump stations. 911 dispatchers were forced to take down caller information on paper, employees and vendors had to be paid with paper checks, utility payments could only be accepted by snail mail or in person, and police officers had to resort to digging through closets at headquarters to find paper traffic citation pads.

City leaders were told they could make all of these problems go away—if they simply complied with the ransomers’ demand to remit 65 bitcoin (roughly $600,000) in exchange for the decryption key.

While the city had originally decided not to pay the ransom—opting instead to invest $914,000 into purchasing hundreds of new desktop and laptop computers and other hardware in an attempt to circumvent the issue—these measures ultimately failed. Three weeks after the original attack, based on the advice of an outside security consulting firm, the city council met to discuss next steps—and unanimously decided, after just two minutes of discussion, to acquiesce. The total cost, including the unbudgeted-for hardware, the consultation, and of course, the ransom itself, amounted to more than $1.5 million. For a city of just 35,000 residents, the cost was staggering, even after insurance paid its percentage.

While Riviera Beach was among the latest targets, it certainly won’t be the last, or the largest—according to a 2018 Deloitte-NASCIO survey, nearly half of states lack a separate cybersecurity budget, and a majority allocate under 3% of IT budgets to cyberthreat prevention.

But with ransomware attacks continuing to throw any unsuspecting target back into a pre-internet world at any time, many targets are finding that, as much as they thought they lacked the resources to prevent such attacks, they’re even less prepared for the aftermath. Once infected, they’re left with two unsavory options. The first is to pay the ransom, knowing that there’s no guarantee the hackers will decrypt the systems or that they’ll be decrypted perfectly. And even if they are, there are still the moral implications: when governments pay such ransoms, they’re not only putting taxpayer dollars directly into the hands of criminals, they’re also encouraging future ransomware attacks. The alternative, of course, is to try to rebuild…often from the ground up.

While cyberinsurance policies can give the illusion of protection, this solution will likely become less viable as the frequency of attacks continues to rise and the amount demanded continues to skyrocket. The goal, then, becomes for companies, government entities and individuals to prepare for and prevent these attacks before they’re targeted. While large-scale legislative solutions, such as outlawing the payment of ransomware demands, may eventually offer some relief, here are some steps that companies, individuals and government entities can take right now to prevent being victims:

  1. Learn: Resources such as NoMoreRansom.org—an initiative created by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.
  2. Educate: When it comes to ransomware, knowing isn’t half the battle—it’s the entire battle. When millions of dollars hinge on your employees’ decision whether or not to open an email, organization-wide training on how to spot malicious emails and social engineering schemes may pay for itself many, many times over.
  3. Backup: There’s no reason to pay criminals to decrypt your data if you have access to a copy. Frequently back up essential data, ideally storing it both locally and on the cloud.
  4. Update: Always downloading the newest version of your operating system or apps helps you stay ahead of threats.
  5. Defend: Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected.

The post The $1.5 Million Email appeared first on McAfee Blogs.

Key Components to Consider When Kicking Off Your Veracode AppSec Program

I’ve been working as a Veracode security program manager since 2013, and have adopted AppSec best practices in those six years that contribute to successful AppSec programs. I started my journey here as a program manager and was fortunate enough to manage and lead some of Veracode’s largest and most complex customer programs. Today, I’m managing a team of program managers.

In this blog, I will walk through four key components to consider when kicking off your program with Veracode. These are all components I’ve implemented when managing large programs, and which have led to AppSec success by helping organizations understand what’s needed in order to have a successful, well-functioning application security program.  

Customer Engagement

The first component is Veracode customer engagement. You might be thinking, “of course, this is a given,” but in some cases I’ve seen (more so in the past), it’s not. The No. 1 roadblock with the customers I’ve seen struggle has been lack of engagement. An established security team (on the client side) who can act as the liaison between the development organization and Veracode is very important. In some cases, increasingly so with the DevSecOps push, dev management is involved as well.

When I first began my journey with Veracode, security didn’t exist at many organizations, so an engaged team also didn’t exist. Today, when I go on-site and meet with my customers, I frequently thank them. I thank them for their dedication and engagement level, because without the primary, day-to-day contacts, it would be more difficult to get the necessary traction. At Veracode, we say it’s a team effort. A customer identifying a team that is willing and eager to work with its Veracode contacts is taking the No. 1 step toward success. This is also a team or individual who can act as a Veracode advocate and work with the Veracode SPM to tackle Veracode initiatives and be an internal presence that helps drive and motivate, making security No. 1 so that our clients’ customers are confident they’re using secure products and applications.

Cross-Functional Communication

My second on the list is cross-functional communication. It is imperative for a program to have cross-functional communication between the security team and the main teams involved, including executives and the development organization. Communicating policy mandates, remediation plans, and automation plans across all functions, including developers and DevOps teams, early on in the program, is going to put a program ahead. Which communication method best circulates important plans across teams, whether email or a newsletter, and who should deliver them, should be well thought out. Veracode Program Management acts as an extension of our customers’ teams and, therefore, can help with messaging and delivery.

Ultimately, communication will prevent confusion and promote awareness, which is important to the health of a program. When a developer is introduced to security scanning requirements or remediation plans later in the development lifecycle, it can affect release dates. The team will be in a much better position if they know early on what they’re responsible for and when, and any consequences if they do not incorporate security into their SDLC.

Application Inventory

Next is application inventory, which is another major component. This can be a list of your organization’s high-risk applications, the ones most critical to the business that could impact company brand or reputation if breached, or it can be all applications in the organization. If you do not know this information early on, it could cause delays when kicking off a program.

We recommend companies scan all their applications. However, many organizations start their programs with a baseline of only their high-risk applications. If you fall into this category, having that list ready and sharing it with your Veracode Security Program Manager will keep everyone in alignment. Your SPM will provide a list of the important information needed when gathering application inventory information, and prior to setting up application profiles in the Veracode platform.

Program Strategy

Finally, once you’ve identified your team, have a communication plan in place, and have created an application inventory, the next step is to map out program strategy. This is where your Veracode SPM will have a discovery session with you and your team to discuss the future of the program, and obtain key information to ensure success. He or she will also review the critical activities that need to take place in the security program to keep it on track. Additionally, the SPM will review measurable metrics with you and discuss what the key metrics are to the organization/teams in order to track program success down the road. The SPM will handle the operational effort to get you there and report back regularly to ensure that you are achieving your organizational goals through those metrics.

The SPM will ask several questions to help develop and kick off your program, including:

  • Details about your SDLC environment, development tools, and systems the development teams are using. This is imperative as the push to shift left and toward DevSecOps is a major focus for many organizations today. The end goal is to fully automate your application security program, because automating and integrating security into your CI/CD pipeline will make for a seamless program that will save you and your developers time and money.
  • Identifying development teams and setting onboarding schedules. Training users on how to use the Veracode platform will help immensely with developer adoption and awareness. Veracode provides training and always offers flexible schedules to accommodate developers globally.
  • Establishing a remediation process and workflow. The end goal is to bring down those very high and high flaws to get you closer to being compliant with your organization’s policies and standards.

Lastly, we will have discussions around automation and integration into your CI/CD pipeline. As mentioned, this will save time for developers by streamlining the scanning process through automation and having them consume Veracode scan results in their environment, rather than manually running scans and reviewing results in the UI.
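The remediation workflow and CI/CD integration described above usually come together as a policy gate: the pipeline pulls the latest scan findings and fails the build when open flaws violate the organization’s policy. The following is an added illustration of such a gate, not Veracode’s own code or API; the findings format, the severity names, the grace-period policy and the sample findings are all constructed assumptions for the example.

```python
"""
Illustrative CI policy gate over application security scan findings.
Added example; not Veracode code. The JSON layout, severity labels and
grace periods below are assumptions chosen for the demonstration.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample export (assumed format): one record per flaw.
SAMPLE_FINDINGS_JSON = """
[
  {"id": 1, "cwe": 89,  "severity": "Very High", "status": "open",      "first_found": "2019-05-01"},
  {"id": 2, "cwe": 79,  "severity": "High",      "status": "open",      "first_found": "2019-06-20"},
  {"id": 3, "cwe": 209, "severity": "Medium",    "status": "open",      "first_found": "2019-04-15"},
  {"id": 4, "cwe": 798, "severity": "Very High", "status": "fixed",     "first_found": "2019-03-01"},
  {"id": 5, "cwe": 327, "severity": "High",      "status": "mitigated", "first_found": "2019-02-10"}
]
"""

# Assumed organizational policy: days an open flaw of a severity may stay
# open before it blocks the build. Severities not listed are reported only.
POLICY_GRACE_DAYS = {"Very High": 0, "High": 30}


@dataclass(frozen=True)
class Violation:
    finding_id: int
    cwe: int
    severity: str
    days_open: int


def parse_findings(raw_json):
    """Load the export and turn first_found into date objects."""
    findings = json.loads(raw_json)
    for f in findings:
        f["first_found"] = date.fromisoformat(f["first_found"])
    return findings


def evaluate(findings, policy, today):
    """Return the policy violations; an empty list means the build may proceed."""
    violations = []
    for f in findings:
        if f["status"] != "open":          # fixed/mitigated flaws never block
            continue
        grace = policy.get(f["severity"])
        if grace is None:                  # severity outside policy scope
            continue
        days_open = (today - f["first_found"]).days
        if days_open > grace:
            violations.append(Violation(f["id"], f["cwe"], f["severity"], days_open))
    return violations


def open_by_severity(findings):
    """Count open flaws per severity for the report developers see in CI."""
    counts = {}
    for f in findings:
        if f["status"] == "open":
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def gate(raw_json, policy=POLICY_GRACE_DAYS, today="2019-06-25"):
    """Evaluate an export against policy as of an ISO date; returns a result dict."""
    findings = parse_findings(raw_json)
    violations = evaluate(findings, policy, date.fromisoformat(today))
    return {
        "passed": not violations,
        "violations": violations,
        "open_by_severity": open_by_severity(findings),
    }


if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS_JSON)
    print("open flaws by severity:", result["open_by_severity"])
    for v in result["violations"]:
        print(f"BLOCKING: finding {v.finding_id} (CWE-{v.cwe}, {v.severity}) "
              f"open {v.days_open} days")
    # Non-zero exit fails the pipeline stage.
    sys.exit(0 if result["passed"] else 1)
```

Run as written, the gate fails because the Very High flaw has been open 55 days against a zero-day grace period, while the five-day-old High flaw is still inside its window; a real pipeline would replace the embedded sample with the scanner’s exported results.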

Whether you’re an existing customer or potential customer, if all of these items are checked off at the beginning, then you will be on the right path to kick-starting a robust application security program that everyone at your organization will be on board with.

Learn More

Get more details on maturing your application security program in our guide, Everything You Need to Know About Maturing Your Application Security Program.

And you can always get valuable tips and advice on managing AppSec from other Veracode customers in our Community.

Endpoint’s Role in Enterprise Data Protection

Data is a big deal. As the foundation of a modern-day business, data drives organizations’ everyday operations. It provides insights, indicates trends, and informs business decisions. This means securing an organization’s data is of the utmost importance, especially when it comes to defending against attacks emerging out of today’s threat landscape. And though standards have been published to protect customer data and its context, these rules are still incomplete and imperfect, since any published best practice that organizations follow also gives an attacker a known target to work around. Let’s examine some key threats that compromise enterprise data, and the role endpoint security plays in safeguarding that information.

Means to an End

For many cybercriminals, data is the end goal and endpoint devices are the avenue for getting there. Whether it’s through a compromised app, credential theft, malware, ransomware, or a phishing attack – cyberattacks are consistently testing enterprises in an attempt to find a weakness. That’s because the endpoint acts as the ultimate gateway to critical enterprise data. If compromised, it could cause ripple effects on an organization’s day-to-day functions, causing downtime or a longer attack dwell time, permitting cybercriminals to harvest more sensitive data.

The good news? Doors work both ways. Just as endpoints can create gateways to important data, they can also stop cybercrime in its tracks, if properly secured.

Keeping the Door Locked

The best option for safeguarding your data is securing it at the start – the endpoint. By implementing agile and adaptive endpoint security on every device in your organization, enterprises can ensure data stays locked down. The key is leveraging endpoint solutions that go beyond the more traditional deterministic security features like anti-malware and include predictive technology like artificial intelligence (AI) and machine learning (ML). This type of technology can quickly sift through security incidents in order to identify the real threats posed to endpoint devices, which helps security teams automatically reduce the time required to address threats. Security teams should also ensure they leverage endpoint security solutions that provide increased, centralized visibility into all of their organization’s devices. This kind of visibility is crucial not only for rapid detection, but also to ensure user behavior is being tracked and policies are being enforced.

Security teams aiming to stop modern-day cyberthreats at the start should adopt security solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint, which have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices. To add to that, teams should also leverage solutions such as McAfee DLP Endpoint, which empowers IT staff with increased visibility, giving them knowledge of what all their users are doing at all times. With this kind of technology in play, enterprise data won’t be anyone else’s business other than the organization it belongs to.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Endpoint’s Role in Enterprise Data Protection appeared first on McAfee Blogs.

Veracode to showcase DevSecOps solutions at inaugural AWS re:Inforce

Developers and security professionals from around the world are descending on Boston this week to attend the first AWS security conference, re:Inforce, for what promises to be one of the most exciting events in recent memory in the industry.

As a pioneer of application security that is helping educate both security and dev teams in building more secure code, Veracode is proud to be a platinum sponsor of AWS re:Inforce here in Boston, a world-renowned hub of cybersecurity innovation.

With so many security conferences taking place throughout the year around the world, and with more companies entering the market and crowding niches, it can have a dizzying effect for companies buying security solutions.

What makes AWS re:Inforce different?

Companies seeking to change the world are using software to push entire industries forward with new advancements, better insights and greater efficiencies. At the same time, new threat vectors appear, and new languages and frameworks change how we create software, causing cyberattacks to evolve and become more sophisticated. The security of software is just as critical as the function of the software itself. But if the software you are developing or buying is insecure, you can’t achieve your vision – no matter how important or innovative it is.

Two movements that are allowing innovation and security to evolve in harmony – the shift to cloud-native solutions and the evolution of DevSecOps – will be on full display at AWS re:Inforce. That’s because we’ve moved from a world where applications were only run in the cloud to one where they are written and live in the cloud throughout their lifecycle. As a result, we are experiencing a dramatic increase in scan frequency and our customers are adopting application security practices earlier in their continuous integration pipeline. More frequent, incremental scans in the SDLC – a pillar of DevSecOps – allow companies to fix flaws more than 11 times more quickly than the typical organization. Fundamentally, when a company’s applications are more secure and their development teams are not slowed down by security, they achieve a competitive advantage.

Veracode is evolving its SaaS architecture by leveraging the power of AWS to better meet increased demand for DevSecOps practices from customers. Development teams are looking for fast, accurate application security tools integrated directly into their CI/CD work cycles. Veracode processes an average of more than 400,000 scans per month for customers around the world, and companies expect fast scan times and the ability to rapidly scale their volume of scanning given that developers scan at every code check-in. Veracode’s combination of technology, expertise, and services backed by AWS cloud services helps organizations more effectively find and fix the vulnerabilities in their software.

Veracode has also achieved Advanced Technology Partner Status in the AWS Partner Network (APN). This achievement is the highest tier within the AWS Partner Network. It recognizes a rigorous qualification process that includes AWS technical certification and validation with a wide range of customer references. The technical certification included an extensive review of the Veracode architecture leveraging AWS services against AWS published best practices and benchmarks for security, scalability and availability.

At AWS re:Inforce, attendees can visit the Veracode booth (#813) to learn more about the company’s application security testing platform, get a Veracode t-shirt and participate in an interactive experience designed to test developers’ secure programming knowledge.

On the evening of Tuesday, June 25, Veracode is hosting a “Conquer the Cloud” afterparty at City Tap House in Boston. Securing the cloud takes a tribe of AppSec heroes, and we’d love your tribe to meet ours over beers, games, and live music during AWS re:Inforce. Take a moment to register here.

Finally, don’t miss a presentation at re:Inforce by John Maski, Veracode Application Security Consultant and former director of DevSecOps at AT&T, titled “Integrating AppSec Into Your DevSecOps on AWS.” John will describe securing CI/CD pipelines in enterprise environments and “shifting left” with security. This talk is taking place at 10:15 am, Wed., June 26 in the Solutions Theater.