Daily Archives: August 19, 2019

Are you taking your enterprise mobility management seriously?


In stark contrast to the yesteryears of strict office hours, today’s business trends give employees flexibility in their working hours, in where they work, and in the devices they work from.

It is in this context that many leading enterprises all over the world have adopted a Bring Your Own Device (BYOD) policy – employees can use their own devices (phones, tablets, laptops, etc.) to connect to enterprise networks and work on their deliverables.

And, employees love BYOD because –

  • Own device familiarity
  • Increased productivity
  • Ability to work in a preferred location

From an employer’s perspective, the cost of procuring a new device for each employee is saved, which adds up to significant cost savings for an enterprise.

The flipside to this otherwise brilliant arrangement is the security lapse that may occur if the BYOD policy is not formulated properly. A weak BYOD policy significantly opens enterprise networks to cybersecurity challenges, since the traditional enterprise security norms for devices no longer apply. This can snowball into a disaster!

Mentioned below are some of the common risks that jeopardize enterprise mobility.

  1. The Risk of Data Loss

The risk of data loss rises sharply when employees use their own devices to access and work in business networks. Enterprises typically cannot deploy the same level of data controls on personal devices as they can on enterprise devices. This leaves personal devices susceptible to data loss through malware, ransomware and various other threats.

  2. Insecure usage

Personal devices are prone to being used in plenty of insecure ways if unauthorized users gain access to them – something which is difficult to do with enterprise devices in a conventional business security ecosystem. Personal devices connecting to potentially risky public Wi-Fi networks (airports, public restaurants, etc.) or shared with other people can put business-critical data at huge risk.

  3. Personal & professional data on the same devices

This is an increasingly grey area in the context of BYOD: since personal devices contain both personal and professional data and are used for both purposes, important business details are put at risk. Humans make mistakes – for instance, accidentally sending professional information to unintended recipients.

  4. Increased risk of sabotage

All enterprises face the risk of sabotage by disgruntled employees – it is a serious risk that enterprises address through various means. For companies permitting BYOD, the risk of sabotage by angry or dissatisfied employees is high. A former employee may still have company data on his/her device – leaking it to competitors or any other party could create havoc for the company.

  5. Lost devices

Mobile devices provided by the business and operating in the business network can be safeguarded from a plethora of threats by applying policies such as frequent backups, encryption, etc. The same is not always true for personal devices, which makes it a big risk when employees report the theft of a personal device.

  6. Unrestricted access

All enterprises have content policies which regulate the kind of content their employees can access. While this is relatively easy to regulate and moderate on work devices, it may not be possible on personal devices, allowing employees to access and view all kinds of content. This opens up wider enterprise threats in the form of malware, ransomware, etc., which is notoriously hidden in unrestricted content.

The key to managing BYOD is deploying an Enterprise Mobility Management solution which understands and addresses the aforementioned risks. Enterprises can consider Seqrite mSuite which increases the productivity of enterprises by mobilizing the workforce while ensuring that critical data remains absolutely secure.

The post Are you taking your enterprise mobility management seriously? appeared first on Seqrite Blog.

Introducing the New Veracode Software Composition Analysis


Open source technology empowers developers to make software better, faster, and more efficiently as they push the envelope and delight users with desired features and functionality. This is a trend that is unlikely to fade – at least not in the foreseeable future – and has further fueled our passion for securing the world’s software. This is also why Veracode acquired SourceClear – we had a vision for the impact that integrating our software composition analysis (SCA) technologies would have on our customers’ ability to develop bold, revolutionary software using open source code – without risking their security posture.

Today, our customers have access to an industry-leading, scalable SCA solution that provides unparalleled support for SCA in DevSecOps environments through the cloud-based Veracode Application Security Platform. Veracode SCA offers a unique vulnerable method detection technology that increases the actionability of SCA scan results, as well as the ability to receive continuous alerts on new or updated vulnerabilities without rescanning an application.

Further, our solution relies on a proprietary library and vulnerability database, built using true machine learning and data mining, which has the ability to identify vulnerabilities not available in the National Vulnerability Database (NVD). In addition to CVEs, the database now also includes Reserved CVEs and No-CVEs detected with our data mining and machine learning models. These results are verified by our expert data research team for all supported languages.

Software Composition Analysis for DevSecOps Environments

Veracode SCA offers remediation guidance, SaaS-based scalability, and integration with Continuous Integration tools to provide users with visibility into all direct and indirect open source libraries in use, known and unknown vulnerabilities in those libraries, and how they impact applications, without slowing down development velocity. 

Additionally, it is the only solution in the market that offers two ways to start an SCA scan, each giving insight into open source vulnerabilities, library versions, and licenses:

Scan via Application Binary Upload

Through the traditional application upload process, you’re able to upload your applications or binaries to the Veracode Application Security Platform so that you can run scans via the UI or an API.

SCA scans continue to run alongside Veracode Static Analysis. During the pre-scan evaluation for static scanning, Veracode executes the SCA scan to review the application’s composition, and the results are delivered while the static scan continues. Bill of materials, scores, policy definition, and open source license detection remain available for those application upload scans.

Veracode has also added language support for applications developed in Golang, Ruby, Python, PHP, Scala, Objective-C, and Swift, in addition to the existing support for Java, JavaScript, Node.js, and .NET applications.

Agent-Based Scanning

Agent-based scanning, integrated within the Veracode Application Security Platform, enables you to scan your source code repositories directly, either manually from the command line or in a Continuous Integration pipeline. The agent-based scanning process has been enhanced to include more open source license types available for detection in open source libraries. The libraries and vulnerabilities database has been enhanced with an increase of new vulnerabilities detected, and the ability to link project scans with application profiles for policy compliance, reporting, and PDF reports. Customers using Veracode SCA agent-based scanning can conduct:

  • Vulnerable Method Detection: Pinpoint the line of code where the application calls the vulnerable part of an open source library, so developers can determine whether their code is actually affected.
  • Auto Pull Requests: Veracode SCA identifies vulnerabilities and makes recommendations for using a safer version of the library. This feature automatically generates pull requests ready to be merged with your code in GitHub, GitHub Enterprise, or GitLab. It provides the fix for you.
  • Container Scanning: Scan Docker containers and container images for open source vulnerabilities in Linux distributions and base libraries. 

Users have the flexibility to use both scanning types for the same application. Agent-based scanning can be used during development, and a traditional binary upload scan can be conducted before the application is put into production. Scan results continue to be assessed against the chosen policy and prompt users to take action based on the results. These actions can be automated with integration to Jenkins (or another Continuous Integration tool) to either break the build because of a failed policy scan, or to simply report the failed policy.
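The two steps described in this post, a library-level match against a vulnerability database followed by vulnerable method detection and a policy decision that can break the build, reduced to a small Python program. This is an added example, not Veracode's code; the bill of materials, the vulnerability records (placeholder ids, not real CVEs) and the application snippet are all constructed, and only direct `module.func(...)` calls in Python source are recognised.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One record from a constructed vulnerability database."""
    ident: str                      # placeholder ids only; no real CVEs here
    library: str
    fixed_in: str                   # first version that is not affected
    severity: int                   # 1-10, constructed
    vulnerable_methods: frozenset   # "module.function" names that trigger the bug


def parse_version(v: str) -> tuple:
    """Turn '1.2.0' into (1, 2, 0); only plain dotted versions are handled."""
    return tuple(int(p) for p in v.split("."))


def affected(bom: dict, vulns: list) -> list:
    """Library-level SCA match: vulnerabilities whose library appears in the
    bill of materials at a version below fixed_in."""
    return [v for v in vulns
            if v.library in bom
            and parse_version(bom[v.library]) < parse_version(v.fixed_in)]


def called_methods(source: str) -> set:
    """Collect 'module.func' call targets from Python source. Aliased imports
    and calls through intermediate objects are not resolved (assumption)."""
    calls = set()
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            calls.add(f"{node.func.value.id}.{node.func.attr}")
    return calls


def evaluate(bom: dict, vulns: list, source: str, max_severity: int = 7) -> dict:
    """Policy: fail when application code calls a vulnerable method, or when an
    affected library's severity exceeds max_severity even if the method is unused."""
    calls = called_methods(source)
    findings = [{
        "id": v.ident,
        "library": v.library,
        "severity": v.severity,
        "vulnerable_method_called": sorted(v.vulnerable_methods & calls),
    } for v in affected(bom, vulns)]
    failed = any(f["vulnerable_method_called"] or f["severity"] > max_severity
                 for f in findings)
    return {"pass": not failed, "findings": findings}


# Constructed sample data: a BOM, two vulnerability records and an app snippet.
BOM = {"yamllib": "1.2.0", "httpkit": "3.0.1", "leftpad": "0.9.0"}
VULNS = [
    Vuln("SAMPLE-0001", "yamllib", "1.3.0", 6, frozenset({"yamllib.load"})),
    Vuln("SAMPLE-0002", "httpkit", "3.1.0", 5, frozenset({"httpkit.verify_cert"})),
]
APP_SOURCE = """
import yamllib
import httpkit
cfg = yamllib.load(open("config.yml").read())
resp = httpkit.get("https://example.invalid/")
"""

if __name__ == "__main__":
    result = evaluate(BOM, VULNS, APP_SOURCE)
    print("policy pass:", result["pass"])
    for finding in result["findings"]:
        print(finding)
```

With the sample data both libraries are affected, but only `yamllib.load` is actually called, so that finding alone fails the policy; switching the call to `yamllib.safe_load` passes until `max_severity` is lowered below 6.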

It’s no exaggeration to say that every company is becoming a software company, and the adoption of open source is on the rise. Having clear visibility into the open source components within your application portfolio reduces the risk of breach through vulnerabilities. The new Veracode Software Composition Analysis solution helps our customers confidently use open source components without introducing unnecessary risk. 

To learn more about Veracode Software Composition Analysis, download the technical whitepaper, “Accelerating Software Development with Secure Open Source Software.”

How Identity Governance and Administration (IGA) Improves Security, Efficiency, and Compliance


In the complicated, tangled web of managing user rights, permissions and accounts, keeping track of who has access to different resources can seem nearly impossible. Organizations today are facing increasing demands, mandates, and compliance regulations as they manage access and support countless devices and systems that contain data critical to the organization. Identity Governance and Administration (IGA) solutions have provided the capability to create and manage user accounts, roles, and access rights for individual users in an organization. This means companies can more easily oversee user provisioning, password management, policy management, access governance, and identity repositories.

According to the latest Cybersecurity Insiders Identity and Access Management (IAM) Report, which examines key trends, challenges, gaps, and solution preferences for IAM and IGA programs, 86 percent of organizations surveyed reported that Identity and Access Management is extremely important. However, just over half of all organizations rate themselves as effective in managing user access. So what explains this gap and what can organizations do to improve the efficiency and effectiveness of their identity programs? In this blog, we will explore how leveraging an effective Identity Governance and Administration program enables you to mitigate risk, improve compliance, and increase efficiencies across your entire organization.

Improving Security and Mitigating Risk  

When it comes to managing access within the organization, the Cybersecurity Insiders report found that 70 percent of users have more access privileges than required for their job. This typically results from bulk approvals for access requests, frequent changes in roles or departments, and not periodically reviewing user access. Additionally, the lack of staff and suitable processes and solutions also contributes to excessive privileges across the organization. Too much access privilege and overprovisioning can open an organization up to insider threats and magnify risk throughout the business.

Making sure that users have the appropriate access goes a long way towards bolstering an organization’s risk management and its security posture. In previous years, a good outer perimeter with security was the most effective way to provide security and risk mitigation for the organization. But today, companies are also faced with insider threats. Phishing and other social engineering activities, which can provide threat actors with user credentials, underscore the importance of ensuring that users are operating within well-defined roles and are not overprovisioned.

Another effective way to leverage IGA to decrease risk is by embracing role-based access controls (RBAC). This means having solid, well-defined roles in place and knowing specifically which access privileges each role needs. As organizations grow and evolve, the right IGA solution can allow for more efficient changes and decrease risk by focusing on role definitions and role assignments rather than on individual accounts. IGA solutions can then be leveraged to find exceptions. The strategy of RBAC works well to decrease the timeline in executing bulk additions where a lot of change is happening at once, like during mergers, acquisitions, seasonal staffing requirements, and corporate reorganizations. This strategy also works well to improve the efficiency of staffing assignments in high turnover areas of a business.

Using an industry-leading role designing tool with cluster analysis and a ‘visual-first’ approach to group like access privileges together, you can better understand the access that individuals have in common and what outliers might be present, rather than trying to use a spreadsheet to make sense of the data. In fact, the recently published 2019 Insider Threat Report from Cybersecurity Insiders showed that 50 percent of organizations indicate that Identity and Access Management programs are the most effective security tool to protect against insider threats, particularly when they are easy to use, easy to understand, and leverage a visual approach. Similarly, 75 percent of organizations surveyed in the IAM Report that use Identity and Access Management solutions had seen a reduction in unauthorized access incidents. Clearly, an effective IAM program has a positive impact on reducing risk.
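The RBAC exception-finding and cluster analysis described in the two paragraphs above, as a small Python example added here (it is not any vendor's IGA product). The roles, users and entitlement names are constructed; a role is the set of entitlements a job needs, an exception is anything a user holds beyond it, and grouping users by identical entitlement sets is a crude form of the role mining the post describes.

```python
from collections import defaultdict

# Constructed sample data: what each role should grant, and what each user holds.
ROLES = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "help_desk": {"ad.password.reset", "ticketing.read"},
}
USERS = {  # user -> (assigned role, entitlements actually granted)
    "alice": ("accounts_payable", {"erp.invoices.read", "erp.invoices.approve"}),
    "frank": ("accounts_payable", {"erp.invoices.read", "erp.invoices.approve"}),
    "bob":   ("accounts_payable", {"erp.invoices.read", "erp.invoices.approve",
                                   "ad.password.reset"}),
    "carol": ("help_desk", {"ad.password.reset", "ticketing.read"}),
    "grace": ("help_desk", {"ad.password.reset", "ticketing.read"}),
    "dave":  ("help_desk", {"ad.password.reset", "ticketing.read",
                            "erp.invoices.approve"}),
    "erin":  ("help_desk", {"ticketing.read"}),
}


def find_exceptions(users: dict, roles: dict) -> dict:
    """Entitlements a user holds beyond their assigned role (over-provisioning)."""
    return {u: sorted(granted - roles[role])
            for u, (role, granted) in users.items() if granted - roles[role]}


def find_missing(users: dict, roles: dict) -> dict:
    """Entitlements the role requires but the user lacks (under-provisioning)."""
    return {u: sorted(roles[role] - granted)
            for u, (role, granted) in users.items() if roles[role] - granted}


def cluster_by_entitlements(users: dict) -> dict:
    """Group users holding identical entitlement sets. Large groups are
    candidate roles; singleton groups are outliers worth a review."""
    groups = defaultdict(list)
    for u, (_, granted) in users.items():
        groups[frozenset(granted)].append(u)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items()}


def outliers(users: dict) -> list:
    """Users whose entitlement set nobody else shares."""
    return sorted(u for members in cluster_by_entitlements(users).values()
                  if len(members) == 1 for u in members)


def over_provisioned_share(users: dict, roles: dict) -> float:
    """Fraction of users with at least one excess entitlement, the kind of
    figure the report quoted above measures."""
    return len(find_exceptions(users, roles)) / len(users)


if __name__ == "__main__":
    print("excess:", find_exceptions(USERS, ROLES))
    print("missing:", find_missing(USERS, ROLES))
    print("outliers:", outliers(USERS))
    print(f"over-provisioned: {over_provisioned_share(USERS, ROLES):.0%}")
```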

Enhancing Compliance, Review, and Certification Processes

Companies today not only have to manage customer, vendor, and board member demands, they also must make sure they are compliant with any number of governing boards and regulations—from GDPR, HIPAA, and SOX to the Payment Card Industry Data Security Standard (PCI-DSS) and countless others. Organizations are also trying to implement security frameworks, such as NIST SP 800-53, COBIT or the ISO 27000 series. Each of these creates unique challenges for organizations. The increasing number of federal regulations and industry mandates that organizations face today means there is also more auditing, compliance review, and reporting to be completed by each organization. While this can be a very manual and time-consuming process, more savvy organizations use solutions that automate data collection, reporting, and the review process, particularly in highly regulated industries like financial services and healthcare.

Those organizations that view regulatory compliance through the lens of an IGA program recognize this means more continuous monitoring and limiting access to only those individuals that need it, enabling companies to stay more compliant. IGA solutions not only ensure access to information like patient records or financial data is strictly controlled, but also enable companies to prove they are taking actions to meet compliance requirements.

Because organizations can receive audit requests at any time, IGA solutions make the review process easier and more effective with built-in reporting capabilities to meet relevant government and industry regulations. Remember, a good compliance program allows for frequent and multiple access reviews to take place at any given time to meet ever-increasing auditor demands without engaging numerous resources from the organization. Leading-edge IGA solutions also do this with a highly visual approach, enabling users to see privileges and certifications in a user-friendly, graphical display. This minimizes the risk of errors and reduces the chance of access not being fully understood.

Increasing Efficiencies Across the Business

According to the Identity and Access Management Report by Cybersecurity Insiders, 49 percent of organizations surveyed viewed operational efficiency as an IAM program driver, second only to security. An effective IGA solution enables organizations to do more with less. Many security teams today are understaffed and are being asked to increase their responsibilities. Yet they just don’t have the time or budget to do more, nor can they afford to hire people to do things manually.

Leveraging IGA solutions for automated user lifecycle provisioning, implementation of role-based access controls, and periodic user access reviews and certification saves time and streamlines the entire process. Perhaps most interesting is that increasing operational efficiency goes hand-in-hand with organizations that want to increase their security posture.

One key takeaway, however, is that while some security teams may view IGA as a one-time project, it should be viewed rather as an ongoing initiative, with focused, achievable goals along the way. This enables your business to become more secure, do more with less, and prepare for growth and change—no matter what form it takes.

Ready for IGA Solutions That Move You Forward?

The primary reason for implementing an IGA solution is to ensure that users only have access to the resources they need. Making sure you provide appropriate access goes a long way in mitigating risk and improving the overall security posture of your organization. But many companies today may not view this as a strategic priority. Don’t wait until you are reacting to a security incident. See how our IGA Solutions are the foundation for a solid Identity and Access Management program in your organization. 


Alert! 27 apps found on Google Play Store that prompt you to install Fake Google Play Store

Quick Heal Security Lab spotted 27 malicious apps of dropper category on official “Google Play Store”. These apps have been removed from Play Store after Quick Heal Security Lab reported it to Google last week. These apps continuously show installation prompt for fake “Google Play Store”. If any user falls…

IoT Security in 2019: Things You Need to Know

In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become exposed to the threat of cyberattacks as never before. While the IoT security industry is still taking shape, the solution is not yet clear. In this article, we will review the latest must-knows about IoT visibility & security and dive into new approaches to secure the IoT revolution.

IoT visibility & security in 2019:

1. IoT endpoint security vs network security

Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of this diversity come the issues of low resources and a lack of industry standards and regulations. Most security solutions today focus on securing the network (discovering network anomalies and gaining visibility into the IoT devices that are active in the network), while the understanding that the devices themselves must be protected is only now taking hold. The fact that IoT devices can be easily exploited makes them a very good target for attackers aiming to use a weak IoT device as an entry point to the entire enterprise network without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (e.g., home medical devices) which have no network to protect them.

Manufacturers of IoT devices are therefore key to a secure IoT environment, and more and more organizations are willing to pay more for security built into their smart devices.

2. “Cryptography is typically bypassed, not penetrated” – Shamir’s law

In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important in itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and gain access to the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what has been known for years in the traditional cyber industry as Shamir’s law should now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated”, and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security’s two-part blog post.

3. 3rd party IoT vulnerabilities

One of the main issues in IoT security is the heavy reliance of IoT devices on third-party components for communication capabilities, cryptographic capabilities, the operating system itself, etc. In fact, this reliance is so strong that it has reached a point where it’s unlikely to find an IoT device without third-party components in it. The fact that third-party libraries are commonly used across devices, combined with the difficulty of securing them, makes them a sweet spot for hackers looking for IoT vulnerabilities, since one flaw in such a third-party component affects many IoT devices at once.

A vulnerability in a third-party component is very dangerous. In many IoT devices, there is no separation or segmentation between processes and/or tasks, which means that even one vulnerability in a third-party library compromises the entire device. This could lead to lethal results: attackers can leverage the third-party vulnerability to take control of the device and cause damage, steal information or perform a ransomware attack on the manufacturer.

It’s not only that third-party components are dangerous; they are also extremely difficult to secure. Many third-party components are delivered in binary form, with no source code available. Even when the source code is available, it’s often hard to dive into it and assess its security level or the vulnerabilities inside it. Either way, most developers use open-source components as black boxes. On top of that, static analysis tools and compiler security flags lack the ability to analyze and secure third-party components, and most IoT security solutions cannot offer real-time protection for binary code.

VxWorks vulnerabilities

A recent example of such a third-party vulnerability affecting millions of devices is the set of security bugs found in the VxWorks embedded operating system. These vulnerabilities exposed every manufacturer that used the VxWorks operating system, even if security measures like penetration testing, static analysis, PKI and firmware analysis had been taken.

To summarize, in order to provide strong and holistic IoT protection, you must handle and secure all parts of the device, including the third-party components. Sternum’s IoT security solution focuses on holistically securing IoT devices from within and therefore offers a unique capability of embedding security protection & visibility into the device end-to-end. Sternum’s solution also operates during real-time execution of the device and prevents all attack attempts at the exact point of exploitation, while immediately alerting on the attack and its origins, including from within third-party libraries.

4. Regulation is kicking in

In the past two years, we have seen a cross-industry effort to create regulations and standards for IoT security. We expect to see more of these efforts shaping into real regulations that will obligate manufacturers to comply with them.

A good and important example is the FDA premarket cybersecurity guidance that was published last year and is expected to become formal guidance in 2020. The guidance covers different aspects of cybersecurity in medical devices (which in many cases are essentially IoT devices), such as data integrity, over-the-air updates, real-time protection, execution integrity, third-party liabilities and real-time monitoring of the devices.

Another example is the California Internet of Things cybersecurity law that states: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.

We expect to see more states and countries forming regulations around IoT security, since these devices’ lack of security may have a dramatic effect on industry, cities, and people’s lives. The top two regulations about to be released are the new EU Cybersecurity Act (based on ENISA and ETSI standards) and the NIST IoT and Cybersecurity framework.

The post IoT Security in 2019: Things You Need to Know appeared first on CyberDB.