
Intelligence Sec

intelligence-sec.com - Cyber Security is still a major concern for many European governments. Cybercrime is at an all time high and with many leading European cities becoming “Smart Cities” this is creating new opportuniti…


Tweeted by @conciseonline https://twitter.com/conciseonline/status/1020428412282974208

Uber Drivers ‘Employees’ For Unemployment Purposes, New York Labor Board Says

An anonymous reader quotes a report from Ars Technica: New York City's largest taxi driver advocacy group is hailing a legal decision by the New York State Unemployment Insurance Appeal Board, which ruled last Friday that three out-of-work Uber drivers can be considered employees for the purpose of unemployment benefits. The decision was first reported Thursday by Politico. In other words, three men -- and possibly other "similarly situated" Uber drivers who had quit over low pay or who were deactivated from the Uber platform -- can get paid. "The decision means that New York Uber drivers can file for unemployment insurance and likely receive it," Veena Dubal, a labor law professor at the University of California Hastings College of the Law in San Francisco, emailed Ars. "Uber may appeal the decision to state court, but for now, it's good law."

Read more of this story at Slashdot.

New Zealand Firm’s Four-Day Week an ‘Unmitigated Success’

An anonymous reader quotes a report from The Guardian: The New Zealand company behind a landmark trial of a four-day working week has concluded it an unmitigated success, with 78% of employees feeling they were able to successfully manage their work-life balance, an increase of 24 percentage points. Two-hundred-and-forty staff at Perpetual Guardian, a company which manages trusts, wills and estate planning, trialled a four-day working week over March and April, working four, eight-hour days but getting paid for five. Jarrod Haar, professor of human resource management at Auckland University of Technology, found job and life satisfaction increased on all levels across the home and work front, with employees performing better in their jobs and enjoying them more than before the experiment. Work-life balance, which reflected how well respondents felt they could successfully manage their work and non-work roles, increased by 24%. In November last year just over half (54%) of staff felt they could effectively balance their work and home commitments, while after the trial this number jumped to 78%. Staff stress levels decreased by 7 percentage points across the board as a result of the trial, while stimulation, commitment and a sense of empowerment at work all improved significantly, with overall life satisfaction increasing by 5 percentage points.

Read more of this story at Slashdot.

Two US Hyperloop Startups Line Up Financing From China

Los Angeles startups Arrivo and Hyperloop Transportation Technologies have reportedly secured financing from Chinese state-backed companies. "Lining up potential funding helps solve one of the biggest obstacles for hyperloop systems: They will be extremely expensive to build," reports Bloomberg. From the report: Arrivo, founded by a former senior engineer at Elon Musk's Space Exploration Technologies Corp., said it secured a $1 billion credit line with Genertec America Inc., a subsidiary of a Chinese state-owned entity based in Beijing that has helped finance and build high-speed rail and other infrastructure projects in Iran, Turkey and elsewhere. The credit line will go to backers of a future project using Arrivo technology, not to the startup itself. [The Genertec debt could be used to construct a project using the company's technology anywhere in the world, not necessarily in China.] Separately, Hyperloop Transportation Technologies said it plans to work on a 10-kilometer test track in Tongren, part of China's Guizhou province, at an initial cost of about $300 million. State entity Tongren Transportation & Tourism Investment Group will provide half the funds and seek private investors for the other half, HyperloopTT said. The precise route is yet to be determined.

Read more of this story at Slashdot.

Impact of Cybersecurity in Tourism Industry Size, Growth Cyber Technology Cycles, Network Security Appliances, Cloud Security, and Artificial Intelligence (AI) Forecast Over Next Two Years.

express-press-release.net - Albany, US, 2018-Jul-20 — /EPR Network/ —Market Research Hub (MRH) has recently broadcasted a new study to its broad research portfolio, which is titled as “Cybersecurity in Tourism – Thematic Resear…


Tweeted by @eprnetwork https://twitter.com/eprnetwork/status/1020211255972425728

Cyber Security Engineer – Recruiter Loop

recruiterloop.com - Leading uniquely at the intersection point of technology and social good, Blackbaud provides software, services, expertise, and data intelligence that empowers and connects people to advance the soci…


Tweeted by @Texas_HR https://twitter.com/Texas_HR/status/1020124393760960512

Best Buy Is Thriving In the Age of Amazon

Best Buy is turning to in-home consultants to help distinguish it from Amazon. The advisors act as "personal chief technology officers," helping people make their homes smart or merely more functional. "Unlike the Geek Squad and blue shirts working in stores, they'll be paid an annual salary instead of an hourly wage," reports Bloomberg. "Their house calls are free and can last as long as 90 minutes. [...] They're supposed to establish long-term relationships with their customers rather than chase one-time transactions." From the report: With more than 1,000 big-box stores in North America and about 125,000 employees, Best Buy was supposed to have succumbed to the inevitable. "Everyone thought we were going to die," says Hubert Joly, who was hired as chief executive officer in August 2012 after profits shrunk about 90 percent in one quarter and his predecessor resigned amid an investigation into his relationship with an employee. Instead, Best Buy has become an improbable survivor led by an unlikely boss. The in-home advisors went national in September. When one of the trainees at the session in Minneapolis asked Joly how big he hoped the program could become, he said: "I don't have a specific goal. I don't think it would be helpful. McKinsey never had a goal of how many clients. It was how good was the work." Another employee said: "This is why Amazon can't compete with us. They can't dispatch an army of in-home agents." Joly wasn't as sure. "Amazon is an amazing company," he replied. "They kill companies. Maybe they will do this. But we have an incredible opportunity. If someone wants to copy, that's fine." Amazon has started offering free smart-home consultations and installations. It doesn't have a chain of big-box stores in which to meet customers, but that didn't bother investors. Best Buy's stock dropped 6.3 percent when Amazon announced its plans a year ago.

Read more of this story at Slashdot.

FCC Vote Likely Dooms Sinclair-Tribune Merger

FCC commissioners unanimously voted on a Hearing Designation Order (HDO) to send the proposed sale of Tribune Media properties to Sinclair to a judge, where the merger is expected to cease. Engadget reports: Earlier this week, FCC chairman Ajit Pai raised "serious concerns" about Sinclair's selloff of 21 stations it had proposed in order to remain under station ownership limits post-merger. Had Sinclair declined to sell off some stations, its 173 broadcast stations in 81 markets, combined with Tribune's 42 stations in 33 markets would reach 72 percent of U.S. TV households. The FCC's National TV Ownership rule "does not limit the number of TV stations a single entity may own nationwide so long as the station group collectively reaches no more than 39 percent of all U.S. TV households." But the rule is more flexible for stations that broadcast using UHF frequencies. Pai, who has been accused of aiding the merger by relaxing the ownership regulations, said Monday that Sinclair's plan would allow the company "to control those stations in practice, even if not in name, in violation of the law." He noted that, "When the FCC confronts disputed issues like these, the Communications Act does not allow it to approve a transaction."

Read more of this story at Slashdot.

Product Enquiry

internationalsecurityexpo.com - Please fill out the below to let us know which products you are interested in.


Tweeted by @ISExpo18 https://twitter.com/ISExpo18/status/1019999062446223360

5 Reasons Why Spanish Denver Businesses Need SEO To Improve Their Bottom Line

Over the last two decades, the concept of SEO has gained enormous significance since its emergence in the early 1990s. Nowadays, SEO is considered as basic an online activity as sending or receiving email. Like other businesses, Spanish Denver businesses need local SEO to build their brand and get clients to buy their products or services. As the gateway to the online ecosystem, Denver SEO needs to offer its users access to a wealth of information to improve their bottom line. There are many other benefits, but these five reasons show why Denver businesses need SEO most:

  1. Organic Search Is Always the Primary Source of Web Traffic for Businesses in Denver

Organic search plays a crucial part in the web performance of most businesses in Spanish Denver. Many people know that Google holds a larger share of the search market than any competitor in the world. In fact, Google holds close to seventy-five percent of the overall search market, while the remaining twenty-five percent is split among other search engines such as Bing, Yahoo, Baidu, DuckDuckGo, Yandex and many others. Since Spanish Denver businesses need traffic, they must make use of organic search. Denver SEO is therefore required to achieve this goal.

  2. Denver SEO Builds Credibility and Trust

Because SEO builds credibility and trust, Spanish Denver businesses should look for trust and credibility in their websites. This can only be achieved through Denver SEO. Like any other SEO firm, Denver SEO's main goal is to establish a strong foundation for a beautiful, effective and clean web experience. This experience should be discoverable in search, lending credibility and trust to the business's digital properties as well as its brand. For this reason, Spanish businesses will be able to promote their brands while meeting the expected quality of their products or services.

  3. Denver SEO Offers a Better Experience

We all want better organic visibility and ranking for our businesses. Very few people acknowledge that an optimal web experience is part of the optimal experience they need. As a matter of fact, SEO makes it possible to establish the optimal experience that clients need. For this reason, Denver SEO has learned to treat the user's preferred experience as the pivotal element of a website's success in achieving what clients expect. Since Denver businesses need better experiences, it follows that they have to use Denver SEO to improve their services.

  4. Denver SEO Is a Local SEO in Spanish That Offers Better Traffic and Engagement

With local SEO, one can optimize a firm's digital properties for a particular vicinity so that users can find it easily and quickly. Because clients can find what they need easily and quickly, they engage quickly, improving the site's traffic. With better traffic and engagement, Spanish Denver businesses will be a step closer to a customer's transaction. For this reason, Denver SEO focuses on specific cities, towns, regions and states. This is what most businesses need to prosper.

  5. Denver SEO Improves the Buying Cycle

One of the biggest advantages of the internet is that it makes research possible from the client's point of view. With the help of Denver SEO, your business can get good traffic and engagement, which will definitely improve your buying cycle since customers will be satisfied with the services offered. Brands should therefore be visible where users need them, so that a worthwhile connection can be established. Denver SEO enhances visibility, which makes it possible for clients to look for answers, and it is only Denver Spanish businesses that can offer those answers.

In a nutshell, Spanish Denver businesses need Denver SEO to help users reach their sites with ease by increasing visibility as well as ranking. The overall goal of Denver SEO is therefore a better search ranking when someone searches for information online. For these reasons, businesses in Spanish Denver need to rank well for better visibility. With these reasons at hand, I believe you know why your business needs a local SEO, which is none other than Denver SEO.

The post 5 Reasons Why Spanish Denver Businesses Need SEO To Improve Their Bottom Line appeared first on TechWorm.

Counter Espionage Services

international-intelligence.co.uk - A successful security policy does not need to be expensive nor difficult to implement, often the simpler the policy the better and more effective it is. International Intelligence Limited can help yo…


Tweeted by @IntIntelligence https://twitter.com/IntIntelligence/status/1019899302880186371

Acronis revolutionizes data security

greaterzuricharea.com - Data are the backbone of all business processes in companies today and their storage and protection are becoming increasingly complicated. Simple, reliable solutions that can identify and ward off po…


Tweeted by @SWollkopf https://twitter.com/SWollkopf/status/1019853862373556224

eBay Is Conducting a ‘Mass Layoff’ In the Bay Area

eBay is planning to slash nearly 300 jobs from Bay Area locations by July 20, calling the cuts a "mass layoff." Those being laid off were informed at the end of June, reports The Mercury News. The San Jose-based company estimated that it would eliminate 224 jobs in San Jose, 41 in San Francisco, and five in Brisbane. From the report: "This action is expected to be permanent," eBay stated in the Employment Development Department filing. "No affected employee has any bumping rights." Over the one-year period that ended in March, eBay lost $1.64 billion on revenues of $9.84 billion, according to information posted on the Yahoo Finance site. During the first quarter that ended March 31, eBay earned $407 million on revenues of $2.58 billion. Compared to the year-ago first quarter, profits were down 60.7 percent and revenue rose 12 percent.

Read more of this story at Slashdot.

Why Startups Aren’t Pushing the Feds To Break Up Big Tech

An anonymous reader shares a report: Today's tech startups have largely stayed out of the debate over whether antitrust law should be used to humble -- and possibly break up -- giants like Facebook, Google and Amazon. Startups are often in position to lead the antitrust charge against major competitors. But entrepreneurs face a dilemma: If they go running to regulators, they have to admit they're in danger and tick off a powerful player in their world. If they do nothing, they risk bleeding out. [...] Tech giants have immense leverage over startups. "The tech hypercaps have never been more powerful relative to startups, including Microsoft in the '90s," said Sam Altman, the president of startup accelerator Y Combinator. "[T]he resources are so mismatched it's an unfair fight." Startups (or larger competitors) can confidentially press their case before staff members at the Department of Justice or the Federal Trade Commission, or the startups can go public with their concerns. With the exception of Yelp, there are no major startups in the U.S. that have turned to regulators to take on today's biggest companies, like Facebook, Amazon, or Google. [...] Why startups don't lodge antitrust complaints: "Running a startup, running a growth company there's so many things to do, and every hour is precious," said Albert Wenger, a managing partner at Union Square Ventures.

Read more of this story at Slashdot.

SA Career Guide Gauteng 2018

issuu.com - The automotive industry needs qualified technicians. We provide them. Entry criteria: Grade 12 with Pure Maths, Science and English and a 50% average, or, N2 Maths and Science to get an apprenticeshi…


Tweeted by @SACareerGuide https://twitter.com/SACareerGuide/status/1019598161122353152

Crypto Credit Card? MasterCard Wins Blockchain Payments Patent

MasterCard has moved one step closer to developing a cryptocurrency-backed credit card after one of its patents was approved by U.S. regulators. Patent Approved According to the filing with the U.S. Patent and Trademark Office, MasterCard has received the green light to develop a proprietary method for “managing fractional reserves of blockchain currency.” The new […]

The post Crypto Credit Card? MasterCard Wins Blockchain Payments Patent appeared first on Hacked: Hacking Finance.

BU Research Blog | Dr Sascha Dov Bachmann invited to give a keynote speech at the 14th International Conference on Cyber Warfare and Security (ICCWS) Stellenbosch RSA

blogs.bournemouth.ac.uk - Dr Sascha Dov Bachmann, Associate Professor in International Law (BU) and War Studies (Swedish Defence University – FHS), Research Fellow at CEMIS, Stellenbosch University and Director of BU’s Centre…


Tweeted by @SdBachman https://twitter.com/SdBachman/status/1019588703688314880

Government of India to give preference to cybersecurity products manufactured by domestic companies | OpenGovAsia

opengovasia.com - ‍Earlier in July, the Ministry of Electronics and Information Technology (MeitY) mandated giving preference to locally manufactured cybersecurity products in all public procurement where intellectual…


Tweeted by @CYSPA_Alliance https://twitter.com/CYSPA_Alliance/status/1019542192287862784

Six Things your Enterprise Needs to Learn from the DNC Hacking Indictment

All politics aside, the United States Department of Justice on Friday unsealed a judicial indictment against a number of individuals alleged to be from Russia’s intelligence services engaged in activities in 2016.

Stepping outside of the context of this party or that party, and politics as a whole, McAfee's CTO Steve Grobman noted: "Attribution is amongst the most complex aspects of cyberwar and the US government is in a unique position to make this attribution assessment. Technical forensics combined with information from trusted intelligence or law enforcement agencies are needed to provide confidence behind identifying actors in an attack or campaign. These indictments clearly show the US has reason to believe Russia interfered with the election process."

The level of technical detail also offers practical insight for aspects of organizations’ readiness to react to the threat environment.

1) Nation State Activity is Real

At McAfee, we operate our own Advanced Threat Research. We employ many professionals whose entire job is to find ways to break things, to learn how others have already broken things, and to make decisions on the level of risk this represents to our customers and future customers. Our hope is that our activity is non-disruptive, ethically conducted, and consistent with our corporate values and our commitments to our customers. In today's threat environment, countries throughout the globe are investing in cyber capabilities to practice intelligence, deception and counter-intelligence, and in the past few years we have documented the crossover from cyber capability into kinetic effects.

While whether one service's actions versus another's are perceived as "good" or "bad", as a matter of "criminal conspiracy" or of "policy", involves many factors and points of view, as a profession it is critical that we recognize this rapidly growing reality for the fact that it is.

This judicial action is another breadcrumb reminding us as enterprise leaders that sophisticated adversaries have the resources to act, and that enterprises involved in services to organizations of public importance are especially exposed. Organizations should evaluate their customer base, and the services they provide, for relative risk. Risk has an upside ("revenue") but should also prompt internal questions as to whether the organization, or a subset of it, requires advanced security controls or more proactive threat detection and resistance measures.

2) Geo-Location is Practically Irrelevant

For many professionals engaged in the early days of information security, connection metadata could be leveraged to make snap judgements about the trustworthiness of requests. The days of first-hop relays to command-and-control servers going to a given country's public IP space or a two-letter country-associated domain are mostly over.

Instead, the organization needs to transition, looking more directly at the behavior of not just users, but of systems, and the access of resources.  At McAfee, we have evolved our own offerings in this space to establish McAfee Behavioral Analytics to discern elevated risks that break established patterns and to put advanced tools like McAfee Investigator in the hands of threat hunters.

Whether using our products or not, today’s enterprise needs to rely on security behaviors that do not look for traditional geographic or demographic identifiers as a means of making a strong determination of trust for access and/or threat identification.

When it comes to identifying misuse, multi-factor authentication should be implemented wherever possible, with decreased emphasis on means that are easily intercepted by opponents (such as SMS-based message codes). YubiKeys, TOTP-based generators, and interactive application confirmation from providers like Duo Security are all effective measures that make it more difficult to use credentials intercepted from, or cajoled out of, end users by other means.
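As an added illustration of why a TOTP generator is preferred over SMS codes (example code, not McAfee's), the verifier below derives the code locally from a shared secret and the time step, tolerates one step of clock drift, and refuses any code for a time step already consumed so a captured code cannot be replayed. The secret and timestamps are the RFC 6238 test values; the drift window and replay rule are the assumptions a server would make.

```python
"""TOTP (RFC 6238) verifier with clock-drift tolerance and replay protection.

Added example: both sides compute the code from a shared secret and the
current 30-second time step, so nothing usable is ever sent over SMS.
"""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference secret: the ASCII digits "1234567890" twice.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    window:       steps of clock drift tolerated on each side of "now".
    last_counter: highest counter already accepted for this user; codes for
                  that step or earlier are refused, which blocks replay.
    The comparison is constant-time so a wrong guess leaks no timing signal.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; the 8-digit SHA1 code is 07081804
    code = totp(RFC_TEST_SECRET, now, digits=8)
    print("generated:", code)
    # Server clock is 20 s ahead: still accepted thanks to the drift window.
    accepted = verify_totp(RFC_TEST_SECRET, code, now + 20, digits=8)
    print("accepted for counter:", accepted)
    # Replaying the same code after it was consumed is refused.
    print("replay:", verify_totp(RFC_TEST_SECRET, code, now + 20,
                                 last_counter=accepted, digits=8))
```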

3) URL Shorteners can be a Risk Indicator

While for many organizations – especially in the realm of social media analytics – the use of URL shorteners has enabled short-format messaging with business intelligence potential, they are often a means to obscure potentially malicious targets.  The indictment released by the United States Department of Justice highlights the continuing threat that the combination of URL Shortening and the user-focused technique of Spear Phishing continue to present as a means to attack the enterprise.

Aside from education campaigns to help users distinguish legitimate links and to help them become more sensitive to the risk, the organization can also consider web access methods for greater control and recognition of potential threats.

Systems like User Entity Behavioral Analytics (UEBA) can identify outlier websites not otherwise accessed at the organization, and the presence or use of unknown URL shorteners can itself be a risk indicator. The security operations team may want to track the identification and risk management of specific URL shorteners over time, to determine which ones commonly appear in the organization's recent incidents and thus could or should be managed in email and web access hygiene.
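The two checks this section describes, a shortener watchlist and an outlier-destination check against the organization's own baseline, as an added example that is not part of the McAfee post. The proxy log lines, the baseline counts and the rare-host threshold are constructed; the shortener domains are well-known public services, not indicators from the indictment.

```python
"""Flag proxy-log requests to URL shorteners and to rarely seen destinations.

Added example. A 3xx from a shortener is the redirect that hides the real
target, so it is recorded alongside the finding for the analyst.
"""
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Commonly used public shorteners; illustrative watchlist, extend per incident history.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Constructed proxy log: "<epoch> <user> <method> <url> <status>"
PROXY_LOG = """\
1531900000 alice GET https://www.example.org/index.html 200
1531900001 alice GET https://mail.example.org/inbox 200
1531900002 bob GET http://bit.ly/2AbCdEf 301
1531900003 bob GET https://files.partner-new.example/upload 200
1531900004 carol GET https://www.example.org/news 200
1531900005 dave GET https://t.co/xYz123 301
1531900006 erin GET http://short.example/a1b2 301
"""

# Constructed 30-day baseline: distinct users who visited each host before today.
BASELINE: Dict[str, int] = {"www.example.org": 500, "mail.example.org": 480,
                            "cdn.example.org": 300}


def parse_line(line: str) -> Dict[str, str]:
    ts, user, method, url, status = line.split()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "user": user, "method": method, "url": url,
            "status": status, "host": host}


def registered_domain(host: str) -> str:
    """Last two labels of the host. Good enough here; production code would
    use the public suffix list so that e.g. co.uk hosts are handled."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_risky_requests(log_text: str, baseline: Dict[str, int],
                        rare_threshold: int = 5) -> List[Dict[str, str]]:
    """One finding per request whose destination is a known shortener or a
    host below the baseline threshold; 'redirect' is an extra annotation."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        reasons = []
        if registered_domain(rec["host"]) in SHORTENER_DOMAINS:
            reasons.append("known-shortener")
        elif baseline.get(rec["host"], 0) < rare_threshold:
            reasons.append("rare-destination")
        if reasons:
            if rec["status"].startswith("3"):
                reasons.append("redirect")
            findings.append({**rec, "reasons": ",".join(reasons)})
    return findings


def shortener_frequency(findings: List[Dict[str, str]]) -> Counter:
    """Which shorteners recur in findings; feeds the hygiene list over time."""
    return Counter(registered_domain(f["host"]) for f in findings
                   if "known-shortener" in f["reasons"])


if __name__ == "__main__":
    hits = find_risky_requests(PROXY_LOG, BASELINE)
    for h in hits:
        print(h["ts"], h["user"], h["host"], h["reasons"])
    print("shorteners seen:", dict(shortener_frequency(hits)))
```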

4) Vulnerability Management is a Key Risk Mitigation

I’ve never known a security professional who skips into the office with their coffee and announces, “I love patching servers.”  Never.  As experienced security leaders, we know how hard it can be to manage the impact to production systems, to identify system owners, to work together to maintain a cadence of patching.  Sometimes, even just the heterogeneous nature of the modern operating environment can be its own challenge!

The alleged activity of the identified conspirators reminds us how critical the public attack surface remains in protecting the enterprise as a whole. Try as we might, each piece of our public infrastructure will leave a footprint. We "leak" details of our enterprise systems as a necessary byproduct of making those systems able to operate: DNS records, public IP block ownership, routing advertisements, job listings, employee CVs, employee social media profiles.

Vulnerability management requires an organization to think about more than patching.  Your organization’s threat surface has to be considered in a broader sense to manage holistic threat consideration and remediation.  The organization can also use public models as a means to check the organization’s readiness to defend against new vulnerabilities ahead of patching or other long-term remediation.

5) Response Threat Hunting is Hard – Trust Nothing

Despite the best efforts of technical security teams, sometimes intelligence and cues are missed.  The reality is that sophisticated adversaries have sophisticated skills and multiple means to stay engaged.  They also have reason and/or desire to hide from security teams.  As security professionals, we have to put personal ego and hubris aside.  Threat hunting in an incident is a time for humble approaches that recognize the adversaries are at or above our own skill level (and hope that is not the case).

In such a case, we go back to a few core fundamentals: we trust nothing. We require validation for everything. Each piece of intelligence goes into the picture and through our tools to identify additional leads to pursue, and is evaluated for the remediation actions it makes possible. While we have talked at length before about the cyber kill chain, a fundamental truth illustrated in today's Department of Justice action is that where advanced activity occurs, the entire environment needs to be suspected and treated as zero trust.

Can you force each network flow to be validated for a time? Can someone from the organization vouch for a piece of software or a specific node on the network? Do your pre-work ahead of time to create the space so that when the company brand is on the line, you can use maintenance windows, incident response policies, and similar corporate buffers to buy the "right" to shut down a segment, temporarily block a network flow and see what happens, and so on.

6) Your organizational data is in the cloud. Your Incident Response needs to be, too.

The cloud was a key avenue by which the organizations compromised in these activities continued to lose information. Indications are that when the identity and initial incident were addressed "on premise", the cloud systems were not included in those changes.

Your organization has leveraged the advanced capability and time to market of the cloud.  Our recent survey of organizations worldwide indicates that the typical enterprise class organization has dozens of distinct providers hosting corporate data.  Just as your sensitive information may be stored in those providers, yet is part of your brand value and your delivery strategy, your response plans need to integrate intelligence from those providers – and to those providers – for investigation and mitigation.

Building unified visibility across cloud providers requires a deliberate approach and investment from the organizations.  Incident response procedures should include looking at cloud sources for activity from potential Indicators of Compromise, as well as an incident step of considering what actions are needed to manage the risk in cloud providers.

Your cloud is part of your holistic data and threat stance; it also needs to be part of your remediation and resilience plan.

Nation State Actors Remind us of the Fundamentals

The indictment released by the United States Department of Justice describes a multi-faceted effort that involved target research, user-focused phishing, exploiting vulnerable software, malware, and making use of the disconnect between on-premise and cloud management.

For years, McAfee has focused on a platform approach to security in our products. We offer software with advancements like OpenDXL and an actively managed ecosystem of Security Innovation Alliance offerings. We make these investments for the simple reason that in order to protect against and adapt to continuing threats, your organization needs rapidly available, actionable intelligence. Your organization's approach to information security should return periodically to verify fundamental information sharing and basic controls, even as advanced capabilities are implemented.


The post Six Things your Enterprise Needs to Learn from the DNC Hacking Indictment appeared first on McAfee Blogs.

Will influencer marketing last?

businessesgrow.com - For the last few years “influencer marketing” has been the hottest topic around so it is only reasonable that we would hit a period where people start to question what this is all about. Quite a bit …


Tweeted by @ma_martin https://twitter.com/ma_martin/status/1019279314146217984

IBM Goes All In On Stablecoin Project as Mainstream Crypto Adoption Grows

Dow blue-chip IBM (IBM) has teamed up with a financial technology startup to launch a new stablecoin that will be pegged to the U.S. dollar. The announcement is the latest in a series of positive developments linking mainstream business to the bustling world of cryptocurrency. IBM Backs Stablecoin IBM and fin-tech startup Stronghold are developing […]

The post IBM Goes All In On Stablecoin Project as Mainstream Crypto Adoption Grows appeared first on Hacked: Hacking Finance.

5 ways to find and fix open source vulnerabilities

Guest post by Limor Wainstein

A recent discovery of surreptitious execution of cryptomining code by a sandboxed app, riding piggyback on the open source software (OSS) ecosystem, raises pertinent questions about the security of open source code and its dependencies. Programmers often use OSS as a jumping-off point for creating their software, and that includes malware authors.

The rogue app, which was found on May 11 to be mining cryptocurrency on customers' machines, was delivered through snapstore, the new cross-distribution, sandboxed application ecosystem initiated and promoted by Canonical, the developers of Ubuntu. In follow-ups to that incident, Canonical said:

It’s impossible for a large-scale repository to only accept software after every individual file has been reviewed in detail. That’s true whether source code is available or not, as no institution can afford to review hundreds of thousands of incoming source code lines every single day.

As noted by Canonical, reviewing and analyzing open-source dependencies isn’t an easy task. But it’s an important one for programmers who want to make sure their software isn’t infiltrated by bad actors, whether that’s to mine cryptocurrency or to conduct even more nefarious business.

Why do you need to secure your open source libraries?

Developers rely heavily on open source software, and organizations are inclined to use free, popular libraries. However, according to Barkley's 2016 Cybersecurity Confidence Report, only 22 percent of organizations have a framework to regularly identify and analyze the various components built into their applications. As the use of open source code grows, the risk exposure expands as well.

New vulnerabilities are constantly being unearthed in different open source code and, worryingly, a number of projects have little or no mechanisms in place to identify and fix those problems. According to a recent Snyk survey of open source maintainers, 44 percent have never undergone a security audit of any kind, while only 17 percent can claim to have a high level of security know-how.

In addition, there is no standard operating procedure for documenting security on open source projects. Among the top 400,000 publicly available repositories on GitHub, only 2.4 percent have a form of security documentation in place.

Since an open source dependency might be heavily deployed in a number of web applications, a bug or vulnerability will open up all of those projects to security risks. To improve the security of your open-source components, we recommend the following five best practices for reviewing dependencies, finding vulnerabilities, and patching those vulnerable open-source components once found.

1. Set strict security rules and standards before using a dependency

A good way to improve the security of your open source components is to build and enforce policies that require the developers using them to prove that they do not have any known vulnerabilities.

A lot of developers are still largely unaware of the risks posed by different open source components. It is of utmost importance to help them understand that a vulnerability brought into the application by an open source component puts the whole app at risk, if not the organization as a whole.

By creating and enforcing policies that either require the security team to approve of open source components, or require developers to prove the security of the tool, you automatically improve the security of your application—just by making developers aware of such risks.

2. Keep track of security updates for dependencies

Another crucial aspect of the security of open source components is to keep an up-to-date inventory of your organization’s open source libraries, both in development and in production. A fairly large number of organizations do not have current information on which open source components are in use in their applications. This poses a major security threat.

A lot of the popular proprietary applications contain indirect open source components that might not be in active development. Most of these open-source components remain unpatched and become insecure over time. This is usually because the developers spend their resources on securing and improving the in-house components. However, ignoring the security updates for your OSS components can open up loopholes that will go unnoticed.

A good place to begin rectifying this is by surveying the organization’s development teams on what open source components they use and when each was last updated. This provides a window into how up to date the development team is on open source component security, as well as a list of the projects in use.

If your organization has the required infrastructure, you can also create a central repository of open source components where security updates and licenses can be managed. Similar to any other security process, managing an open source component is not a one-time effort. It is a continuous process for as long as the app is in deployment. Review, rinse, and repeat.

By ensuring that your policies on open source libraries are being followed, and by monitoring how these are being used, as well as managing your inventory, your overall application security program should be in good stead.

3. Test your components and dependencies

Probably the surest method of improving and ensuring the security of your open source code, and in the process your overall application, is to test the security of open source components being used within your organization once they’ve been identified.

Analyzing open source code is as important as analyzing proprietary code. This is not only because the code could hold unknown security vulnerabilities, but also because its dependencies and functions may differ between use cases. A component may be secure in one application but insecure when used in a different application. In cases like this, only testing and code review can identify these issues.

4. Build in-house tools instead of unsupported (expired) libraries

For expired libraries, or libraries that no longer have active developer maintenance systems, it is better to build your own in-house tools that you can use to actively check for and fix vulnerabilities. Though the initial cost and time spent might deter some organizations and development teams, in the long run, the functionality of an in-house tool can be an asset to developers.

You can also consider giving your in-house effort back to the community, making the open-source ecosystem stronger. This will encourage more developers to submit patches and revisions and therefore improve the overall security of the library. Apart from that, you will earn the respect of open source developers, which will help you grow as an individual and as a business. For instance, over the last couple of years, Microsoft has released many libraries under an open-source license, which has helped it earn the trust of OSS developers and users.

5. Use security tools to check for security vulnerabilities

A number of different open source and commercial tools have been developed over the years to tackle the problem of identifying security vulnerabilities in open source components. Each tool or service tackles the problem a little differently.

Node Security Project (NSP)

The NSP is known largely for its work on Node.js modules and npm dependencies. The latest version of npm integrates NSP to implement the npm audit command. It checks for known vulnerabilities in your node modules and their dependencies, and offers support for patching those vulnerabilities.

RetireJS

RetireJS is an open source dependency checker specific to JavaScript. Its unique selling proposition (USP) is its ease of use. RetireJS contains multiple components, including a command line scanner, as well as plugins for Chrome, Firefox, Grunt, Gulp, ZAP, and Burp.

OSSIndex

OSSIndex is a tool that supports several different technologies. It effectively covers the JavaScript, .NET/C#, and Java ecosystems. It also provides a free vulnerability-lookup API.

Dependency-check

Dependency-check supports Java, .NET, and JavaScript, as well as Ruby. It pulls its vulnerability information from the NIST NVD.

Commercial tools

Apart from the free tools, there are a few commercial tools that you can use to help find vulnerabilities in your open-source code. The popular ones include:

  • Hakiri: a commercial tool that provides dependency checks for Ruby and Rails-based GitHub projects via static code analysis
  • Snyk: a commercial service focusing on JavaScript npm dependencies
  • WhiteSource: currently supports Ruby, NPM, PHP, Python, and Bower
  • SRC:CLR: Source Clear comes with a load of plugins to several IDEs, deployment systems, and source repositories, as well as a command-line interface
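The inventory of section 2 and the known-vulnerability gate of sections 1 and 5 can be combined in a small script. The following is an added example, not code from this post or from any of the tools named above: it walks an npm lockfile to list every direct and transitive dependency (so you know what is actually deployed), matches that inventory against a list of advisories, and exits non-zero if anything known-vulnerable is present, which is how the "prove it has no known vulnerabilities" policy becomes a CI check. The lockfile, package names and advisories are constructed sample data with placeholder ids; the advisory fields (package / introduced / fixed) are an assumption modelled loosely on the version ranges that real advisory feeds publish.

```python
"""Inventory the dependencies in an npm lockfile and audit them.

Added example for the dependency-inventory and known-vulnerability
policy described in the post; not the post's code and not any named
tool's code. All package names and advisories below are constructed.
"""
import json
from collections import defaultdict


def parse_version(version: str) -> tuple:
    """'1.2.3-beta+build' -> (1, 2, 3); pre-release and build tags are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def inventory(lock: dict) -> dict:
    """Map package name -> set of versions present anywhere in the tree.

    Handles the nested "dependencies" tree of lockfileVersion 1 and the
    flat "packages" map ("node_modules/a/node_modules/b") of v2 and v3.
    """
    found = defaultdict(set)

    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found[name].add(meta["version"])

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            found[name].add(meta["version"])
            walk(meta.get("dependencies", {}))  # transitive dependencies

    walk(lock.get("dependencies", {}))
    return dict(found)


def audit(inv: dict, advisories: list) -> list:
    """Return (package, version, advisory id, fixed version) for each hit."""
    findings = []
    for adv in advisories:
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        for ver in sorted(inv.get(adv["package"], ()), key=parse_version):
            if lo <= parse_version(ver) < hi:
                findings.append((adv["package"], ver, adv["id"], adv["fixed"]))
    return findings


def policy_passes(findings: list) -> bool:
    """Section 1's rule as a gate: no known-vulnerable component may ship."""
    return not findings


# Constructed lockfile (lockfileVersion 1 layout). Note the two copies of
# left-shim: a patched top-level one and an old one pulled in transitively.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "tiny-parser": {"version": "2.0.1",
                    "dependencies": {"left-shim": {"version": "1.1.0"}}},
    "left-shim": {"version": "1.3.2"},
    "deep-merge-lite": {"version": "0.9.4"}
  }
}""")

# Constructed advisories with placeholder ids (not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "left-shim", "introduced": "1.0.0", "fixed": "1.2.0"},
    {"id": "ADV-0002", "package": "deep-merge-lite", "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "ADV-0003", "package": "tiny-parser", "introduced": "3.0.0", "fixed": "3.0.5"},
]

if __name__ == "__main__":
    hits = audit(inventory(SAMPLE_LOCK), SAMPLE_ADVISORIES)
    for pkg, ver, adv_id, fixed in hits:
        print(f"{pkg}@{ver}: {adv_id}, fixed in {fixed}")
    raise SystemExit(0 if policy_passes(hits) else 1)
```

The point the transitive copy of left-shim makes is the one section 2 warns about: a team that only looks at its own package.json sees the patched 1.3.2 and believes it is safe, while the vulnerable 1.1.0 is still shipped underneath another dependency. The real tools listed above do the same walk with a maintained advisory feed instead of a hand-written list.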

Open-source components are generally safe when there are a large number of people reviewing the code. However, making the source code available or having many users look at the source code doesn’t guarantee that all the security issues have been found and fixed. That’s why it’s important to integrate industry standard security policies into your application.

In this post, we’ve covered some of the best possible ways to secure your open source components against vulnerabilities and other security exploits. So, what are your thoughts on securing open source components? Share them in the comments below.

Limor Wainstein is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years’ experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. 

The post 5 ways to find and fix open source vulnerabilities appeared first on Malwarebytes Labs.

EOS Developer Secures New Funding from Bitmain, PayPal Co-Founder in Major Investment Deals

Despite its recent struggles, the development firm behind EOS has received new backing from several big-name investors, including Bitmain and PayPal co-founder Peter Thiel. The deals solidify EOS’ emergence as a major player in the booming market for decentralized applications. EOS Backing Bitmain, the world’s largest blockchain company, announced its investment stake in EOS on […]

The post EOS Developer Secures New Funding from Bitmain, PayPal Co-Founder in Major Investment Deals appeared first on Hacked: Hacking Finance.

Travel cyber risks ‘rising exponentially’

travelweekly.co.uk - Cyber resilience has become “fundamental” to travel, but there is insufficient perception of the risks according to a leading specialist in disaster management. Professor Lee Miles of Bournemouth Uni…


Tweeted by @bcdtravelnl https://twitter.com/bcdtravelnl/status/1019192525020647425

Netflix’s Subscriber Growth Stalls

Netflix shares plunged by more than 14% on Monday, after the firm reported disappointing subscriber growth. While the entertainment service added 5.2 million subscribers last quarter, it forecasted a growth of 6.2 million. BBC reports: Investors are worried about Netflix's growth potential in the face of increased competition from tech giants such as Apple, YouTube and Amazon, as well as traditional firms, which have started to invest more in online streaming. Disney, for example, plans to launch its own streaming service and stop licensing some of its material to Netflix. In a letter to investors, Netflix called it a "strong but not stellar quarter," ending with about 130 million subscribers globally. The firm added just 670,000 subscribers in the U.S. -- far short of the more than one million it added in the second quarter of 2017. It added 4.5 million subscribers internationally, fewer than the two most recent quarters but up 8% year-on-year. However, it said its finances were strong. The company reported $3.9 billion in quarterly revenue, up 40% compared to the second quarter of 2017. Profits totaled $384.3 million, almost six times the figure during the same period a year ago.

Read more of this story at Slashdot.

AT&T to expand threat detection and response to its business customers with acquisition of AlienVault – IoT Now – How to run an IoT enabled business

iot-now.com - AT&T announced its plans to acquire AlienVault, a privately held company based in San Mateo, Calif. The agreement has been approved by both companies. The acquisition of AlienVault will enable AT&T t…


Tweeted by @Semiotis https://twitter.com/Semiotis/status/1019096686080200705

MVISION: Managing Device Security in the Sunshine

Over the years, cybersecurity vendors have created a storm of complexity to defend devices and put the burden on one load-bearing support beam – the administrator.  The expansion of devices, operating systems, attack surfaces, and forms of attack have spawned a storm system on our devices:  a tsunami of clients, tornado of management consoles, and a monsoon of administrative overhead to keep everything updated and running.

It’s time for us to play nice together to mount collective defenses that control the weather and clear the clouds for our device security admins.  McAfee is leading the way on this mission with McAfee® MVISION, bringing new innovative experiences to the way your security admins manage PC and mobile threat defenses.  McAfee MVISION embraces with open arms native security controls and third-party technologies to deliver a new level of “Together Is Power” integration, eliminating overlaps, overhead, and complexity.

Clearing the Way with MVISION

McAfee believes in efficient security solutions that reduce overhead while still delivering the peace of mind of layered threat defenses.  If you have it in the operating system, then you should be able to use it.  But you should not have to give up one area to gain the other.  The new McAfee® MVISION Endpoint product orchestrates the native security controls in Windows 10 with targeted advanced threat defenses in a unified management workflow to visualize and investigate threats, understand compliance, and pivot to action.  First, the new client simplifies the administrator experience by managing built-in security controls and eliminates the maintenance overhead with automatic updates.  Next, the unified management workflow provides integrated policy configuration, integrated threat event visibility, and integrated compliance.  Finally, it provides the comprehensive threat defense needed against sophisticated attacks with targeted McAfee advanced detection and automated remediation controls.  It enables your security admins to start each day without a cloud in the sky, to see the threats on the horizon, and to focus on reducing security risks on your endpoints.

With more employees working off the corporate network (mobile data, public WiFi, offline… and even in a real storm), McAfee® MVISION Mobile lets you protect against threats to your employees and your data on Apple iOS and Google Android devices as you do on your PCs.   You can now manage the defense of your mobile devices alongside your PCs, IoT devices, servers, and cloud workloads inside McAfee ePO with unified visibility into threats, integrated compliance reporting, and threat response orchestration.

New task-oriented workspaces inside McAfee® MVISION ePO, a SaaS service, eliminate the console tornado complexity by elevating management above the specific threat defense technologies with simple, intuitive workflows for security threat and compliance control across devices.  In addition, this SaaS service removes the admin overhead of maintaining infrastructure and ensures you are always running the best security available.  This dedicated focus on clear situational awareness and control allows administrators to complete tasks in 50% less time, with less chance of creating an undesirable storm for themselves.  And, if you are not ready for SaaS, these simplified, task-oriented workspaces are also available for McAfee ePO deployed on-premise or in Amazon Web Services (AWS), with Quick Start guides that reduce deployments from days to less than one hour.

The McAfee Forecast

We want to be your #1 security partner and not part of the storm you have to fight.  A true partner is flexible and works openly with everyone to clear the way to the best protection for your business.  To McAfee, it doesn’t matter if it is ours or theirs; it’s yours.  “Together is Power” is more than a tag line.  It means that every layer — from devices, operating systems, environments, and security software vendors — should take a stand and work together so we can fight the real storm constantly threatening us:  cyber criminals.  McAfee is working diligently with partners from OS providers to McAfee’s Security Innovation Alliance (SIA) of more than 125 security vendors, even with those seen as competitors.  Sharing information and intelligence openly with McAfee Data Exchange Layer (DXL) and creating integrated augmented defenses enables you to eliminate the storms and see the rainbow in the resulting sunshine.

Simplify.  Integrate.  Comprehend.  Together Is Power.  Together let’s get device security to that beautiful, clear, sunny day.

Learn more in our upcoming MVISION webcast on Aug. 22.

The post MVISION: Managing Device Security in the Sunshine appeared first on McAfee Blogs.

Big Data in Oil and Gas Market Expected to Reach US$ 10,935.2 Mn by 2026: Transparency Market Research | Markets Insider

markets.businessinsider.com - According to a new market report published by Transparency Market Research, the "Global Big Data in Oil and Gas market" is expected to reach a value of US$ 10,935.2 Mn by 2026 on account of digitizat…


Tweeted by @armaninspace https://twitter.com/armaninspace/status/1019045525667090434

T71 – treadstone71.com

treadstone71.com - Treadstone 71 YouTube Channel The Cyber Intelligence Training adds rapid returns to both Cyber Intel Analysts, and Security Ops Centers. Each student receives quality instruction and hands-on experi…


Tweeted by @AnonBinary https://twitter.com/AnonBinary/status/1019024565652066304

Amazon’s Curious Case of the $2,630.52 Used Paperback

Many booksellers on Amazon strive to sell their wares as cheaply as possible. That, after all, is usually how you make a sale in a competitive marketplace. Other merchants favor a counterintuitive approach: Mark the price up to the moon. From a report: "Zowie," the romance author Deborah Macgillivray wrote on Twitter last month after she discovered copies of her 2009 novel, "One Snowy Knight," being offered for four figures. One was going for "$2,630.52 & FREE Shipping," she noted. Since other copies of the paperback were being sold elsewhere on Amazon for as little as 99 cents, she was perplexed. "How many really sell at that price? Are they just hoping to snooker some poor soul?" Ms. Macgillivray wrote in an email. She noted that her blog had gotten an explosion in traffic from Russia. "Maybe Russian hackers do this in their spare time, making money on the side," she said. Amazon is by far the largest marketplace for both new and used books the world has ever seen, and is also one of the most inscrutable. The retailer directly sells some books, while others are sold by third parties. The wild pricing happens with the latter. [...] Third-party sellers, Guru Hariharan, chief executive of Boomerang Commerce, said, come in all shapes and sizes -- from well-respected national brands that are trying to maintain some independence from Amazon to entrepreneurial individuals who use Amazon's marketplace as an arbitrage opportunity. These sellers list products they have access to, adjusting price and inventory to drive profits. Then there are the wild pricing specialists, who sell both new and secondhand copies. "By making these books appear scarce, they are trying to justify the exorbitant price that they have set," said Mr. Hariharan, who led a team responsible for 15,000 online sellers when he worked at Amazon a decade ago. [...] A decade ago, Elisabeth Petry wrote a tribute to her mother, the renowned novelist Ann Petry. "At Home Inside," published by the University of Mississippi Press, is now out of print, but late last week secondhand copies were for sale on Amazon. A discarded library copy was $1,900. One seller offered two copies, each for $1,967, although only one was described as "Nice!" All these were a bargain compared with the copy that cost $2,464.

Read more of this story at Slashdot.

Jeff Bezos Becomes the Richest Man In Modern History, Topping $150 Billion

An anonymous reader quotes a report from Bloomberg: Jeff Bezos is the richest person in modern history. The Amazon founder's net worth broke $150 billion in New York on Monday morning, according to the Bloomberg Billionaires Index. That's about $55 billion more than Microsoft co-founder Bill Gates, the world's second-richest person. Bezos, 54, has now topped Gates in inflation-adjusted terms. The $100 billion mark that Gates hit briefly in 1999 at the height of the dot-com boom would be worth about $149 billion in today's dollars. That makes the Amazon chief executive officer richer than anyone else on earth since at least 1982, when Forbes published its inaugural wealth ranking. Bezos crossed the threshold just as Amazon prepares to kick off its 36-hour summer sales event, Prime Day. The company's share price was $1,825.73 at 11:10 a.m. in New York, extending its 2018 gain to 56 percent and giving Bezos a $150.8 billion fortune. A little more than a week ago, Facebook co-founder Mark Zuckerberg overtook Warren Buffett to become the world's third-richest person.

Read more of this story at Slashdot.

Prime Down: Amazon’s Sale Day Turns Into Fail Day

It's not just you. Amazon Prime Day started 15 minutes ago, and so far, it's not going well for Amazon. From a report: The landing page for Prime Day does not work. When most links are clicked, readers are sent to an error page or to a landing page that sends readers back to the main landing page. Direct links to the product pages, either from outside links or the single product placement on the landing page, seem to work fine. This is a huge blow to Amazon and its faux holiday Prime Day. The retailer has been pushing this event for weeks and there are some great deals to be had. It's not a good look for the world's largest retailer.

Read more of this story at Slashdot.

Skype 8.0 Launches on Desktop With Full-HD Video; To Soon Get Encryption and Call Recording Features

Skype's redesign launched last year was met with mixed reviews, but the company is forging ahead by rolling out a number of its new features to other platforms, including the desktop. From a report: Microsoft today is launching Skype version 8.0 that will replace version 7.0 (aka Skype classic), the latter which will no longer function after September 1, 2018. The new release introduces a variety of features, including HD video and screen-sharing in calls, support for @mentions in chats, a chat media gallery, file and media sharing up to 300 MB, and more. It will also add several more features this summer, including most notably, supported for encrypted audio calls, texts, and file sharing as well as built-in call recording. The 8.0 release follows on the update to Skype desktop that rolled out last fall, largely focusing on upgrading the visual elements of new design, like the color-coding in chat messages and "reaction" emojis. This release also included the chat media gallery and file sharing support, which are touted as new today, but may have already hit your desktop.

Read more of this story at Slashdot.

Instapaper is Going Independent

Popular bookmarking and read-it-later app, Instapaper made the following announcement in a blog post: Today, we're announcing that Pinterest has entered into an agreement to transfer ownership of Instapaper to Instant Paper, Inc., a new company owned and operated by the same people who've been working on Instapaper since it was sold to betaworks by Marco Arment in 2013. The ownership transfer will occur after a 21 day waiting period designed to give our users fair notice about the change of control with respect to their personal information. We want to emphasize that not much is changing for the Instapaper product outside the new ownership. The product will continue to be built and maintained by the same people who've been working on Instapaper for the past five years. We plan to continue offering a robust service that focuses on readers and the reading experience for the foreseeable future.

Read more of this story at Slashdot.

Amazon Admits Prime Day Deals Not Necessarily the Cheapest

Shoppers taking part in internet giant Amazon's Prime Day are being told that the deals on offer may not be the cheapest available. From a report: Amazon said it has never claimed that Prime Day is necessarily the cheapest time to shop on its site. It comes after consumer group Which? warned customers that apparent bargains are not always as good as they seem. It said some goods can actually be cheaper at other times of the year, and advised shoppers to do their research. The 36 hour sale -- aimed at subscribers to the Prime shopping service -- offers discounts on a range of goods. The deals are time-limited, with shoppers being told that some items are only available while stocks last.

Read more of this story at Slashdot.

H.R.3162 – 107th Congress (2001-2002): Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001

congress.gov - (Sec. 102) Expresses the sense of Congress that: (1) the civil rights and liberties of all Americans, including Arab Americans, must be protected, and that every effort must be taken to preserve thei…


Tweeted by @RealBasedBlonde https://twitter.com/RealBasedBlonde/status/1018603400513097728

Anti-Amazon Graffiti Increasing In Seattle (with Photos)

Long-time Slashdot reader reifman writes: If you're eagerly awaiting your city's selection for HQ2, you may want to check out GeekWire's photo gallery of anti-Amazon graffiti images from around Seattle. Animosity towards Amazon has grown in the wake of its threats over a per head tax on employees, which the city council passed and then repealed shortly after. The tax would have increased the budget for services for our 12,000+ homeless. Amazon's CEO Jeff Bezos also fought the state income tax on the wealthy in 2010.

Read more of this story at Slashdot.

How Good Are China’s Cyber Defenses?

thediplomat.com - With discussion at the recently concluded Shangri-La Dialogue in Singapore heavily focused on the Korean summit and the U.S./China spat over the South China Sea, it would be easy to forget about Chin…


Tweeted by @Diplomat_APAC https://twitter.com/Diplomat_APAC/status/1017308829451616256

So you’ve been asked to start a threat intel program

Ever since the Mandiant APT1 report landed like a bomb in private sector security reporting, threat intelligence has been a hot buzzword that many companies have been chasing after. But what is threat intelligence? What do you need to execute it well? And how many new tools do you need to buy? The ambiguity around these questions leaves many people wondering, “How on earth do I start a threat intel program?”

Maybe don’t?

Threat intelligence is a very new, very popular buzzword in the security industry. But as a capability, it’s both very expensive, and meant to sit on top of a mature security program. Do you have mitigations in place against the OWASP top 10? Have you vetted your existing vendors for efficacy?  Do you have a fully staffed and trained SOC, or are your analysts working double shifts? If you don’t have clear answers to those questions, your security program probably is not mature, and would not really benefit from an additional costly function.

Cost can be a serious concern.  While SOC analysts have a fairly wide spread for salary range, threat intelligence analysts with government training are not that common, resulting in a salary premium.  Below you can see a relatively common private sector intelligence analyst salary as contrasted with a salary for a government trained analyst.

[Figure: salary comparison. Glassdoor threat intel salaries for the private and public sector]

A well-trained threat intel analyst embedded in a mature security team can be an outstanding force multiplier, but without a well-oiled environment to place them into, they can inflate staffing budgets without providing a significant return on investment.

But I have to

If you must start a threat intel program, the first step is to look for the components you already have. Spending on threat intel vendors or employees with highly specific experience can lead to astronomical costs, and raises the odds that enterprise leadership won’t find value in the team. So start small: almost every Tier II SOC has senior members with a wealth of experience in the threat landscape, and an itch for more responsibility. Rather than casting a line into a very tight market for new staff, it’s much more cost effective to send those SOC members to intelligence training, then task them with creating training for everyone else. Some companies have accomplished this via transitioning SOC staff from monitoring to threat hunting.

Threat hunting – intel you should already be doing

Per Wikipedia, “Cyber threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”  In practice, what this amounts to is training analysts to tell the entire story of a threat: where did it start, what TTPs were employed in the attack, what systems were touched, and what corroborating information can be gained from public data.  When a responder is trained to tell the full story of a threat in this manner, organizations can not only respond to a threat, but can also learn from it and adjust mitigations accordingly.

Tools you need and tools you don’t

First and foremost, you do not need a third party threat intelligence feed.  It’s a nice-to-have, but the reality is that external vendors cannot provide data specific to your company, and frequently struggle to offer relevant data filtered by industry vertical.  Vastly more important is to make appropriate use of the data you already have.  Here’s a non-comprehensive list of data that many companies collect, but don’t exploit effectively:

  • Malicious spam can be used to pinpoint types of threats specific to the organization, as well as relative popularity of exploits used
  • Log review is commonly done as part of after action reports associated with a breach. But logs can also be reviewed proactively to find patterns of activity, and mitigations adjusted accordingly.
  • Password failures.  If a threat actor is attempting to brute force an account, is it a dictionary attack or have the credentials previously been valid on the system? Looking at use of outdated passwords can pinpoint a past data leak, or give visibility into how stolen company data is disseminated out to threat actors.

Reviewing internal data for threat intelligence can be much more effective than a third party feed because all internal data is by definition tailored to your company’s specific threat profile.  It also costs nothing, which doesn’t hurt.
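The password-failures item above can be turned into a concrete signal with data the organization already holds. What follows is an added example, not code from this post: it assumes the authentication service keeps a salted, hashed history of each account’s retired passwords (the same data a password-reuse policy needs), so a failed login can be classified at the moment it happens. A wrong password that matches a retired one means someone holds old credential data for that account, which is the "past data leak" case the post describes; a run of unrelated guesses is the dictionary-attack case. The accounts, attempts and the account/password-history layout are constructed for the example and do not reflect any particular product’s schema.

```python
"""Turn password-failure data into a threat-intel signal.

Added example modelling the "password failures" bullet in the post; not
the post's own code. Accounts and login attempts are constructed, and
the account/password-history layout is an assumption.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# PBKDF2 work factor, kept low so the example runs quickly; raise it for
# a real deployment.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """A user with a current password hash and the hashes of retired ones."""

    def __init__(self, name: str, current: str, retired: list):
        self.name = name
        self.salt = os.urandom(16)
        self.current = hash_password(current, self.salt)
        self.retired = [hash_password(p, self.salt) for p in retired]


def classify_attempt(account: Account, attempted: str) -> str:
    """Classify one login attempt: success, stale_credential or bad_guess."""
    h = hash_password(attempted, account.salt)
    if hmac.compare_digest(h, account.current):
        return "success"
    if any(hmac.compare_digest(h, old) for old in account.retired):
        return "stale_credential"  # a password that used to be valid here
    return "bad_guess"


def summarize(accounts: dict, attempts: list, guess_threshold: int = 5) -> dict:
    """Roll per-attempt outcomes up into one finding per account.

    attempts: list of (account name, attempted password) in log order.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for user, password in attempts:
        counts[user][classify_attempt(accounts[user], password)] += 1

    findings = {}
    for user, c in counts.items():
        if c["stale_credential"]:
            # A retired password being tried means old credential data for
            # this account is circulating: look for the leak it came from.
            findings[user] = "stale credential used: possible past leak"
        elif c["bad_guess"] >= guess_threshold:
            findings[user] = "repeated unrelated guesses: dictionary attack"
        else:
            findings[user] = "no finding"
    return findings


# Constructed sample data.
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", "Correct-Horse-9", ["Winter2016!", "Summer2017!"]),
    "bob": Account("bob", "Tr0ub4dor&3", ["Tr0ub4dor&2"]),
    "carol": Account("carol", "pl4ce-holder-pw", []),
}
SAMPLE_ATTEMPTS = [
    ("alice", "Winter2016!"),       # retired password: stale credential data
    ("alice", "Winter2016!"),
    ("alice", "Correct-Horse-9"),   # followed by a genuine login
    ("bob", "guess-one"),           # six unrelated guesses against bob
    ("bob", "guess-two"),
    ("bob", "guess-three"),
    ("bob", "guess-four"),
    ("bob", "guess-five"),
    ("bob", "guess-six"),
    ("carol", "pl4ce-holder-pq"),   # a single typo: no finding
]

if __name__ == "__main__":
    for user, finding in summarize(SAMPLE_ACCOUNTS, SAMPLE_ATTEMPTS).items():
        print(f"{user}: {finding}")
```

The classification has to happen inside the authentication path, because that is the only place the attempted password is available in cleartext; what gets written to the log is the verdict, never the attempt itself. The roll-up in `summarize` is then ordinary log review, and the "stale credential" finding is the kind of internally sourced intelligence the post argues is more useful than a generic feed: it tells you which of your accounts appear in data someone else holds.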

Where to go next

Threat intelligence is a relatively new field in private sector infosec, but a few researchers have produced valuable resources for getting people on the right path.

Securosis provides both a threat intel blog, and a library of papers offering deep dives into security principles and best practices.

The SANS reading room has a great white paper on identifying what threat intel is, and what it can do in best cases. Very useful in communicating with executives who might be unclear on these ideas.

And if you’ve already started a threat intel program, check out the SANS paper on evaluating information security controls. The scope is a bit broader than a single cyber security function, but should provide valuable input on how to judge if your program is working for you at a reasonable cost.

Threat intelligence is still a very new idea that doesn’t yet have widely agreed upon best practice. So while there are some good resources to get started, the best resource for you is most likely other people in the same position.  Talking to peers, reading current blogs, and keeping tabs on productive teams can position you well for success. Good luck, and stay safe.

The post So you’ve been asked to start a threat intel program appeared first on Malwarebytes Labs.

Building a Profitable Security Services Offering Part 2 IT Security Features and Benefits Overview

Trend Micro is excited to partner with SPC International in this 5-part blog, webinar and online training series focused on Building a Profitable Security Services Offering for MSP Partners.  Through the series, SPC will teach you a selling process of leading with security and the steps to growing your recurring managed security services revenue, and will provide you the tools to make it happen.

We value and invest in Trend Micro MSP Partners to help:

  • Maximize Your Cash Flow – self-provision licenses, pay-as-you-go monthly billing, no upfront or minimum costs
  • Enhance the Tools You’re Already Using – integration with 3rd party RMM and PSA (Autotask, ConnectWise & Kaseya)
  • Optimize Your Productivity – manage multiple customers from a single console, anywhere, anytime

Building a Profitable Security Services Offering

Introduction

Security is the number one concern of business owners today. This isn’t surprising, with all of the hacks, breaches, data thefts, ransomware attacks and privacy violations that we hear about on a daily basis. And those are just the ones we know about – according to the Online Trust Alliance’s (OTA) “Cyber Incident & Breach Trends Report,” cybersecurity incidents nearly doubled from about 82,000 in 2016 to 160,000 or so in 2017. But the report also notes that this number could easily be more than double that, as so many breaches are unreported.

The necessity to thwart these cybercriminals and protect critical business, financial, healthcare data and more has created a tremendous opportunity for IT service providers to evolve to meet this challenge and benefit from a continually growing revenue stream.

In this 5-part blog series and its companion webinars, I’ll dive deep into the topic of building a profitable security services offering and cover essential topics such as the services that comprise different levels of security offerings, how to lead with security to prospect effectively and set appointments, and how to price, position and sell these services. And once sold, I’ll cover how to properly onboard new clients and share a strategy to continue to realize healthy ongoing security project profits and exponentially growing recurring managed security services revenues.

Watch On-Demand Webinar #2: ‘IT Security Services Features and Benefits’ (URL: https://th115.infusionsoft.com/app/page/72b7ce05e5518db3a86601a69720d931)

Part 2: IT Security Features and Benefits Overview

We know that Security is the #1 concern of today’s business owners, regardless of the industry they serve, and strategic leaders understand that they must increase their security posture to protect their data, systems and users against internal and external threats.

Therefore, offering IT security services is a strategic client service and control point for security providers. These high value, high margin services represent a stable, growing revenue opportunity with an extremely low barrier to entry and delivery.

What are Managed IT Security Services? 

Managed IT Security Services are a defined set of onsite or remotely-delivered services that are prepaid for at a fixed rate on a recurring basis, where the security provider assumes complete responsibility for the management and delivery of these security services and their outcome.

In addition, these services are governed by a Service Level Agreement, or SLA, and are scheduled, preventative and proactive. By contrast, Managed IT Security Services are not measured by time invested, they are not reactive services, and they are not billed on a time-and-materials basis.

The Old Way of delivering security services vs. The New Way 

The old way of delivering security services to clients means that the service provider is most profitable when their client is in the most pain, as the price of reactive, emergency security remediation services is always higher than that of scheduled, monitored, preventative services.

And clients are never prepared to pay for these reactive, costly emergencies, which negatively impact their cash flow and operations, and in extreme cases, their brand, image and customer relationships, and create tension between them and their reactive security provider.

The new way of delivering Managed IT Security Services is much more attractive and beneficial to clients, as the security provider actively seeks out and delivers security solutions to protect their clients’ data and environments from security incidents and manages security risk and response for a flat monthly fee.

Because the Managed Security Services Provider, or MSSP, assumes more risk in the relationship, if they are to be profitable, they must ensure their client’s security and reduce vulnerabilities.

As a result, the MSSP is more profitable when their clients experience fewer threats, and their business goals align with their clients’ in this respect.

This reality creates a much stronger business partnership than a typical vendor relationship for the MSSP and their clients and paves the way for acceptance as a Trusted Advisor.

What comprises a security offering and what are its benefits? 

A basic security portfolio typically includes Firewall Management, Anti-Virus and Anti-Malware solutions, desktop and server operating system security, Email Security, Web Content or URL Filtering, Mobile Security, Data security including Backups, end-user Security Awareness Training and more.

And there are a variety of advantages for a client when engaging an MSSP, including a high level of confidence that drives continued innovation in their organization, instead of worrying so much about security threats that this concern stifles growth strategies and activities.

Along with improving their compliance posture, clients enjoy rapid detection and remediation of threats at much lower costs than reactive, “after the event” security remediation services, and gain a stronger posture to reduce insider fraud and theft, along with guarding against data leakage.

In addition, a clear path and process to identify and quickly address security incidents brings clients peace of mind, and predictable monthly fees allow them to budget for security more effectively for the long term.

When presented properly to a prospect, these and other factors make a compelling argument to engage in a managed IT security services relationship.

Security Services bundling and pricing 

To provide the best opportunity to engage with as many prospects as possible while maintaining healthy margins, the MSSP will bundle and tier their services to offer various distinct packages, with each successively higher-priced option adding more qualitative value in terms of services and benefits, along with more attractive Service Level Agreements, or SLAs, that govern response time. This allows prospects to select the option that makes the most sense for their specific business needs, risk profile and budget.

There are several considerations for the MSSP when determining their pricing model, and they can price their services in several ways, such as per endpoint, per user or as the aforementioned tiered or bundled services. Or they may price strictly on value alone, with each opportunity quoted individually.

Their ultimate pricing strategy will also be informed by other factors, such as their SLAs’ response times and the hours they provide service to their client – 8 to 5 Monday through Friday, 24×7, or on holidays or weekends.

Once the appropriate service bundle or tier is selected by the client, the MSSP will provide them a Scope of Work or SOW, that clearly defines what is included and covered in the service relationship, and what is not. Typically, the SOW covers all of the agreed-upon security maintenance and service work the MSSP delivers for the specified endpoints, devices and users within the SLA.

New users added, or new services or licenses installed or provisioned after service go-live normally fall outside the scope of an existing SOW, and will typically be added to the client’s overall agreement at an increased monthly fee by having the client authorize a new SOW or an addendum to the existing SOW.

And to preserve margins, best-in-class MSSPs will understand the true cost of delivering their services to their clients, including the cost of 3rd party security products and services they bundle into their offerings, and establish a minimum desired margin for these deliverables.

Using a pricing calculator helps ensure margin attainment and speeds pricing activities. Once the minimum price is established for a client, the security sales professional will try to increase the ultimate price by using consultative sales techniques to sell on value.

The value of becoming the Trusted Advisor as an MSSP

A Trusted Advisor is a critical business asset for their clients. They work to understand their client’s business needs and priorities, and develop strategies to actively seek out solutions that improve daily workflows, processes and procedures and improve security, in order to help their clients reduce risk and reach their business goals.

An effective Trusted Advisor earns their client’s loyalty by understanding their external competitive challenges as well as their internal operational challenges. They work to help their clients advance their value proposition to their target market and improve client service, sales, marketing and back-office operational processes through technology, so that their clients retain and expand their market base.

These are the reasons that MSSPs operating as mature Trusted Advisors are so successful at consistently identifying up-sell and cross-sell opportunities for new solutions to their clients while increasing their satisfaction.

Next time on Building a Profitable Security Services Offering: Part 3: Qualifying Prospects for Security Services and Solutions

About Erick Simpson

Co-Founder, Senior Vice President and CIO of MSP University and SPC International Online, Erick Simpson is a strategic IT business transformation specialist who improves top- and bottom-line business performance by increasing operational and service efficiencies; helps build and grow new, or improve existing, MSP and Cloud business practices with proven sales and sales engineering, project management and help desk processes; and packages, bundles and tiers profitable MRR service offerings.

With 30+ years of experience in the IT industry as an Enterprise CIO and one of the 1st pure-play MSPs in the industry (acquired in 2007), Erick is a business process improvement expert with hundreds of successful ITSP, MSP, Security and Cloud improvement engagements, and has worked with numerous clients on the buy, sell and integration sides of the M&A process.

A highly sought-after IT, Cloud, Security and Managed Services business growth specialist and speaker, Erick has authored over 40 business improvement best practice guides and 4 best-selling books, including “The Guide to a Successful Managed Services Practice”, the definitive book on Managed Services, and the follow-ups in his Managed Services Series “The Best I.T. Sales & Marketing BOOK EVER!” and “The Best I.T. Service Delivery BOOK EVER!” and “The Best NOC and Service Desk Operations BOOK EVER!”


The post Building a Profitable Security Services Offering Part 2 IT Security Features and Benefits Overview appeared first on .

How to Ensure Safety from Fraud Within Your Business

Fraud is a major problem in modern-day businesses. It significantly hampers the progression of business and leads to loss of revenue. According to PricewaterhouseCoopers’ evaluation reports, over half of all businesses today have in one way or another suffered fraud. In particular, 88 percent of companies within the United States have suffered fraud that led […]

The post How to Ensure Safety from Fraud Within Your Business appeared first on The State of Security.

Can we trust our online project management tools?

How would you feel about sharing confidential information about your company on Twitter or Facebook? That doesn’t sound right, does it? So, in a corporate life where we keep our work calendars online, and where we work together on projects using online flow-planners and online project management software, it might pay off to wonder whether the shared content is safe from prying eyes.

What are we looking at?

From the easy-to-use shared document on Google Drive to full-fledged Trello boards that we use to manage complicated projects—basically everything that uses the cloud as a server is our subject here. When evaluating your online project management tools, it is important from a security standpoint to have an overview of:

  • Which online project management platforms are you using?
  • Which data are you sharing on which platforms?
  • Who has access to those data?

Once you know this, you can move on to the main question:

  • Is the data that should stay confidential shielded well enough?

What are the risks?

The risks of using online project management tools are made up of several elements. Once again, a list of questions will help you gauge this, including:

  • How secure is the platform you are using?
  • Do the people that have access to the data need to have access? And are they given access to see all the information that is shared, or just a portion?

As you can see, we are not just worrying about outsiders getting ahold of information. Sometimes, we must keep secrets, even from our own co-workers. Not every company has an open salary policy, for example, so information about how much everyone makes might not be allowed outside of HR.

But the threat of a breach is the most important one. Having the competition know about the latest project your design team is working on can be deadly in some industries. And of course, any project that contains customer data and is not secured can be breached by a cybercriminal. Knowing this, it’s our job to help you find the safest possible tool to perform your job.

Does it make sense to share online?

Are we sharing information online because we need to do it online or just because we can? Sometimes being the cool kids that use an online project management platform that has all the bells and whistles is more a matter of convenience than it is strictly necessary. But if you are:

  • employing remote workers
  • cooperating between offices around the world
  • heavily relying on a BYOD strategy

then online tools may be the only way to realize your project management goals.

Every ounce of prevention

What you don’t share can’t get lost. And control over what you do share (and with whom) is essential.

  • Limit the amount of privileged information you are sharing. Make sure that only the information needed for the project is being shared with the appropriate team members.
  • Change the login credentials at a regular interval, and do this in a non-predictable way. Going from “passwordMay” to “passwordJune” at the end of the month will not stop nosy co-workers from digging. Do not post the new credentials on the platform, either.
  • Use 2FA where and if possible to enhance login security.
  • Update and patch the software as soon as possible. This limits the risk of anyone abusing a published vulnerability in the platform.
  • Keep tally of who is supposed to have access at all times, and check this against the connected devices when and if you can.
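The last item in that list, keeping a tally of who should have access and checking it against what the platform actually shows, is the step most teams skip because it is tedious by hand. The script below is an added example, not code from the original post and not tied to any real platform’s API: it reconciles an approved roster (each person and the least privilege they need) against what a workspace reports (members, their roles, last activity and the devices holding sessions), and flags unknown accounts, over-privileged accounts, stale access, sessions from unapproved devices, and roster entries that no longer exist. Every name, role, date and device identifier in it is constructed for the example.

```python
"""Access review for a shared online project management workspace.

Added illustrative example; it is not code from the original post and
it does not talk to any real platform's API. It reconciles who is
*supposed* to have access (and at what level) against what the
platform *reports*, and flags the gaps. All names, roles, dates and
device identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Set, Tuple

# Least-privilege ordering: a reported role ranked higher than the
# expected one is an over-privileged account.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


@dataclass(frozen=True)
class Expected:
    user: str
    role: str                   # the least privilege this person needs


@dataclass(frozen=True)
class Reported:
    user: str
    role: str
    last_seen: date             # last activity date the platform reports
    devices: Tuple[str, ...]    # device identifiers with an active session


def review_access(expected: Iterable[Expected],
                  reported: Iterable[Reported],
                  approved_devices: Dict[str, Set[str]],
                  today: date,
                  stale_days: int = 30) -> Dict[str, list]:
    """Compare the approved roster with the platform's view and return findings.

    unknown           - accounts on the platform nobody approved
    over_privileged   - (user, expected_role, reported_role) with reported > expected
    stale             - approved users with no activity for more than stale_days
    unapproved_device - (user, device) sessions from devices not on the user's list
    missing           - approved users who do not appear on the platform at all
    """
    want = {e.user: e for e in expected}
    seen = {r.user: r for r in reported}
    findings: Dict[str, list] = {
        "unknown": [], "over_privileged": [], "stale": [],
        "unapproved_device": [], "missing": [],
    }
    for user, r in seen.items():
        if user not in want:
            findings["unknown"].append(user)      # revoke, then find out why it exists
            continue
        if ROLE_RANK[r.role] > ROLE_RANK[want[user].role]:
            findings["over_privileged"].append((user, want[user].role, r.role))
        if (today - r.last_seen).days > stale_days:
            findings["stale"].append(user)        # unused access is pure risk
        for dev in r.devices:
            if dev not in approved_devices.get(user, set()):
                findings["unapproved_device"].append((user, dev))
    for user in want:
        if user not in seen:
            findings["missing"].append(user)      # roster is out of date; fix it too
    return findings


def sample_review() -> Dict[str, list]:
    """Run the review over a constructed roster so the result can be inspected."""
    expected = [Expected("alice", "admin"), Expected("bob", "editor"),
                Expected("carol", "viewer"), Expected("dave", "viewer")]
    reported = [
        Reported("alice", "admin", date(2018, 7, 18), ("laptop-alice",)),
        Reported("bob", "admin", date(2018, 7, 17), ("laptop-bob", "phone-unknown")),
        Reported("carol", "viewer", date(2018, 5, 1), ("laptop-carol",)),
        Reported("erin", "editor", date(2018, 7, 10), ("laptop-erin",)),
    ]
    approved = {"alice": {"laptop-alice"}, "bob": {"laptop-bob"},
                "carol": {"laptop-carol"}}
    return review_access(expected, reported, approved, today=date(2018, 7, 20))


if __name__ == "__main__":
    for kind, items in sample_review().items():
        print(f"{kind:18s} {items}")
```

In practice the `reported` list comes from whatever member or audit export the platform offers, and the review is worth running on a schedule rather than once: the stale and unapproved-device findings are the ones that drift the fastest.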

Breach management

Hardening your online tools against breaches is usually in the hands of toolmakers themselves—the software provider or the cloud service provider with whom you’ve partnered. Therefore, it makes sense to look into the project management tool’s reputation for security, as well as its ability to serve your company’s needs. While you can’t control the security of the tool itself, you can limit the consequences of a mishap, should it occur, by doing the following:

  • Don’t try to keep it a secret when credentials have been found in the wrong hands. Making participants aware of the situation helps them to change passwords and follow up with other appropriate actions.
  • Make sure there are backups of important data. Someone with unauthorized access may believe in burning the bridges behind them.
  • In case of a breach, try your best to find out exactly how it happened. Was there a vulnerability in the tool? Did a team member open up a malicious attachment? This will assist you in preventing similar attacks.

Controlling the risks

Working in the cloud can be useful for project management, but sometimes we need a reminder that there are risks involved. If you set up an online project management tool or other cloud-based project, it’s good to be aware of these risks and give some thought to the ways you can limit them.

When you’re working on a project for your company—whether it’s leading a team or participating in the project’s development—it’s important to make data losses as rare as possible, to learn from your mistakes, and to handle breaches and other security incidents responsibly.

Stay safe out there!

The post Can we trust our online project management tools? appeared first on Malwarebytes Labs.

Taking the Robot out of the Human

Artificial intelligence, or simply AI, was merely a dream a number of years ago – now, not only are we seeing it become more common in our everyday lives, it’s beginning to be a very hot topic amongst businesses. Last year, a Boston Consulting Group and MIT Sloan Management Review study published a report that found 84% of respondents thought AI will enable them to obtain or sustain a competitive advantage, whilst 75% felt AI would allow them to move into new businesses and ventures. Simply put, AI is revolutionising business as we know it.

Many business leaders agree that having AI and a level of self-automation present in some part of a business, however big or small, is beneficial. However, there are still a number of leaders, albeit a small group, who have voiced their concerns. At the very worst, there is a worry that should AI become too prominent, the result is a humans-versus-robots scenario in which the human workforce is ultimately side-lined. Putting that to one side, the benefits of AI in business are vast, and here are a few examples of how I believe AI will be revolutionising the enterprise space in the not too distant future:

Redefining logistics

When AI and robotics were added to the production line, many feared that manual jobs would become solely automated. However what sceptics of robotics don’t realise is that it was implemented to take on the smaller, less critical tasks – like packing, stacking and labelling boxes. Many think the world is on the verge of a technological revolution, or the “The Fourth Industrial Revolution” (4IR) which is a combination of technologies that fuse the physical, digital and biological worlds together – a world where machines can think for themselves.

Similar to production lines, basic data entry and programming roles are becoming much more efficient and cost-effective through AI. Filling vacancies with long-term, fully automated AI-powered computers could be the answer, but in the short term, teaching smart technology to work alongside human talent could be the way forward for businesses and help bridge the skills gap, which takes me onto my next point.

Data Insights

Whilst access to time and skills is limited and businesses become more and more data-driven, it’s clear that taking two weeks to manually translate raw data has significant implications. With the volume of data being generated on a daily basis, it’s no surprise that inaccuracies occur. Whilst time is eaten up by employees tidying data into something that’s meaningful, chances are that by the time it’s complete, it’s already out of date. Sceptics will argue that certain jobs can be done more efficiently by humans; however, this can come at a higher cost in man-hours and is more susceptible to human error. Jeopardising the security of your business cannot be accepted at any cost.

Improving data security

Cybersecurity is a critical part of enterprises, with businesses spending billions of dollars each year to make sure their defences are able to keep out hackers. The job of staying ahead of hackers is incredibly challenging for CTOs, but the capabilities of AI can certainly help. Whether it’s the latest spyware, DDoS attack patterns or botnets, hackers are constantly evolving and adapting to find new ways to breach a company’s data defences. Where we’re seeing AI help is in its ability to scour the internet for some of these threats ahead of time, before they are used against companies. Human security analysts can only do so much, and in many cases the pace of change in the threat landscape is simply too much. Leveraging AI and deep learning to help human analysts will make things a lot safer for businesses.

Bridging the skills gap

Despite AI’s potential to drive change, there continues to be a shortage of cyber skills. According to an ESG survey of 650 IT cybersecurity professionals this year, 51% claimed they had a “problematic shortage of cybersecurity skills”. The ramifications include an increased workload on cybersecurity staff to hire and train juniors as opposed to hiring experienced cybersecurity professionals – leaving less time to deal with cyber crises when they need to. However, this shouldn’t be seen as replacing jobs; it will instead increase the need for workers with more advanced skills. Businesses need to invest in creating a culture of constant learning for their staff, where they can learn new skills, and attract leading AI practitioners. The introduction of AI could help bridge the gap by widening skills and allowing employees to work alongside machines – leaving AI to manage less critical jobs.

AI should not only create time for innovation and proactive threat hunting but also deliver cost savings and increase employee productivity. Like the revolutions that preceded it, 4IR has the potential to improve the quality of life for employees and their employers around the world. With AI taking a leading role in tackling simple and repetitive tasks, the human workforce can focus on roles that are more complex, challenging and require much more critical thinking power. Although we cannot see the future yet, businesses should think more holistically about the advantages of AI and what can be reaped, before competitors do.

To keep up-to-date with the latest cybersecurity news, take a look at the McAfee Security blog here.

The post Taking the Robot out of the Human appeared first on McAfee Blogs.

What’s causing the cybersecurity skills gap?

The proliferation of next-gen technology into mainstream society has been a boon for consumers, entrepreneurs, and business owners alike. Between the rise of mobile computing, the Internet of Things (IoT), and modern social media, our society is more connected than ever before.

But all of this technology presents some new problems, too. According to recent studies, the number of companies that report problematic shortages in the cybersecurity skills of their staff has increased steadily over the past several years. While approximately 23 percent of companies indicated such an issue in 2014, more than 50 percent face the same challenge today.

Additionally, recent reports show that, not surprisingly, 100 percent of tech companies view cybersecurity and privacy breaches as a risk, with 88 percent concerned about their ability to manage their IT infrastructure, and 78 percent worried about how they’ll comply with data privacy regulations.

So what’s the problem with cybersecurity? What’s causing such a lack of know-how on such an important cause? Let’s take a look.

Primary causes

Some of the primary causes of the cybersecurity skills gap include:

1. Failure to collaborate

Cybersecurity is a collaborative responsibility that the whole company needs to get behind. Not only does a CEO or CISO need to maintain a comprehensive and versatile IT staff to take a proactive stance against hackers and cybercriminals, but they also need to open two-way lines of communication to address any problems before they get out of hand.

IT staff and cybersecurity researchers also need to collaborate—with one another and with other professionals in the industry. Given the rapid evolutionary nature of the Internet and its related systems, it’s impossible for any one person—or even one team—to keep up with the day-to-day changes.

2. Lack of process standardization

Although cybersecurity isn’t a standardized job, the task of securing an online system from potential hackers can be automated. This isn’t to say that a company can get rid of its entire IT staff—in fact, it’s just the opposite. Not only are knowledgeable IT experts needed to usher in this standardization, but they’re needed to enforce it, too.

Cybersecurity standardization is achievable in multiple ways, including:

  • Penetration testing: This lets IT staff members run their proprietary hacks and exploits against a system to ensure it is secure from outside hackers and unknown threats.
  • Incident response: Standardizing an IT team’s incident response protocol makes sure everyone is on the same page and knows how to react if a breach does occur.

It’s a winning situation for everyone involved. Owners and CEOs gain comfort knowing that their investments are protected. IT teams get to use their tools and knowledge. And customers don’t have to worry about their personal information falling into the wrong hands.

3. Not enough training opportunities

There’s also a lack of training opportunities in the industry. Although this is an area that sees continual improvement, especially as more colleges and universities embrace areas of study such as big data, the IoT, and cybersecurity, academia still gets far outpaced by the desire, motivation, and sheer boredom that drive today’s hackers.

Potential solutions

Although it will take a concentrated effort to close the cybersecurity skills gap, society is progressing in the right direction. Companies explore and utilize several potential options, including:

1. Workforce investments

Some companies are increasing their investments in the human workforce to join the fight against cybercrime. According to recent studies, only 32 percent of organizations currently provide adequate training in IT security. The same study reveals that 86 percent of respondents do not spend enough capital on their internal training initiatives.

Other companies are hiring IT staff based on their potential instead of their actual past experience. This is a risky process, as working in cybersecurity requires technical acumen and the ability to adapt in the face of fast-paced changes, but some companies have had great success when hiring outside the box. Mathematicians, accountants, or even artists have been hired and deployed successfully to IT security or research teams. Such diverse expertise helps when examining problems from all possible angles.

Making investments to bring more women into the profession is another viable strategy. According to recent studies, female workers comprise only 11 percent of the entire industry workforce. Organizations such as Women in CyberSecurity and Women in International Security are both helping women gain a better foothold in an industry that is traditionally dominated by men.

2. The millennial generation

Millennials could be one of the best tools for fighting cybercrime. Not only are they already familiar with technology, but many of them are interested in entering and leading a tech-oriented career. According to recent surveys, 68 percent of respondents view themselves as technological innovators while 41 percent are early adopters of modern technology.

This spells good news for employers. Technological innovators are known for their outside-of-the-box thinking and proactive attitude toward next-gen technology. Some might come up with new utilities, tools, and methods to support the fight against cybercrime.

Early adopters are typically ahead of the curve when it comes to using new technology. They help by finding and popularizing new tools, and are often tech savvy enough to stave off potential scams and other social engineering tactics.

Unfortunately, the latest reports indicate that less than 10 percent of millennials are interested in making cybersecurity a long-term career. Other professionals predict that our current generation of IT experts is already starting to hit retirement age—a trend that will only make the skills gap worse within the next few years.

But the lack of millennial interest doesn’t stem from a lack of technical interest. Instead, millennials tend to embrace more “exciting” tech development careers, such as video game development, social media, engineering, and app development, to name a few. By repositioning cybersecurity as “cool,” recruiters and other hiring organizations might draw in a younger workforce ready to fight crime on the Internet.

3. Automating processes

Process automation is gaining a lot of steam in the cybersecurity niche. While it wasn’t long ago that data breaches and other incidents required a customized, manual resolution, the power of today’s machine-learning and AI-powered cybersecurity programs makes manual intervention almost obsolete.

But human staff members still need to deploy and/or program these systems and monitor the processes they use. Not only does this give IT staff a position on the front lines in the fight against cybercrime, but it also gives them the opportunity to learn new concepts and technologies before many of their peers.

Minimizing the gap in the future

Companies will reduce much of the skills gaps if they divert more resources to building up cybersecurity research and IT teams, and plan ahead. This isn’t always easy—especially with the rapid and ever-changing nature of the development of IT in the 21st century. But there are some strong trends in place to help, starting with an overall increase in cybersecurity awareness over the latter part of the decade.

Roles such as the security analyst and security manager are almost always in demand—and they show no signs of slowing. Filling these roles with skilled, knowledgeable experts might not solve every IT problem—but it’s a good start.

The post What’s causing the cybersecurity skills gap? appeared first on Malwarebytes Labs.

How One Healthcare Company Implements DLP to Protect PII and PHI

In 2016, Prime Therapeutics, an American pharmacy benefits management company, hired Jacob Walls to bolster data loss prevention across the enterprise. The company serves 22 Blue Cross Blue Shield health care plans and more than 27 million members nationwide, including one out of every six people covered through US public healthcare exchanges. Since Prime Therapeutics’ employees and systems handle both PII and PHI daily as they interact with Blue Cross Blue Shield, pharmacists, Medicare and Medicaid, and employers, a robust DLP defense is essential.

Defining and Implementing DLP Use Cases Throughout the Enterprise

Walls, a senior information security engineer and Prime Therapeutics’ main DLP expert, and his team spend a lot of time engaging with departments outside of security. First, they work to understand the stakeholders’ DLP-related concerns and define specific use cases to meet their various privacy, compliance, legal, or incident response-related requirements. Then they create rules for the company’s McAfee Network DLP appliance[s] and McAfee DLP Endpoint agents to test and implement.

“Different departments come to us and request the services for a specific use case,” explains Walls. “We’ll usually provide them with metrics around how well a rule set can address their use case… go over false positive rates and things like that to give them a baseline of how effective [DLP] would be.” Then, after implementing the policy, Walls or another engineer will meet regularly with the requestor of the policy to provide feedback on its effectiveness and, as necessary, tweak for improvements.

For instance, the company’s Privacy and Data Distribution department was concerned that users could print sensitive information on unauthorized printers. Using the built-in local printing rules in the McAfee Network DLP appliance, Walls easily addressed the issue, enforcing the printing of sensitive information only to authorized printers. In addition, discussions on effectiveness led to reporting that filters printing by user and content to pinpoint any employees who need additional education or monitoring.

Preventing Sensitive Data Leakage Via Email

Since email is the primary form of communication with entities outside the network, for many specific departments and the enterprise in general, preventing exfiltration of sensitive information via email message or attachment is one of Prime Therapeutics’ most important DLP use cases. This use case was also the main reason for purchasing McAfee Network DLP.

“Using McAfee Data Loss Prevention, we have implemented corporate policies that restrict sensitive information from exiting the network via email unless authorized and encrypted,” notes Walls. “Moving this functionality from the MTA [Mail Transport Agent] to DLP has allowed for true security ownership and has greatly enhanced our capabilities in this area. Additionally, reporting and metrics around the use of email for communicating sensitive information has helped us internally to gauge the level of risk associated with this communication method…The visibility we now have into outbound email communication has been extremely beneficial on multiple fronts.”
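The policy Walls describes has three moving parts: detect sensitive identifiers in the message or its attachments, decide whether the recipient is outside the network, and allow the message only when the sender is authorized and the message is encrypted. The code below is an added example written to make that decision logic concrete; it is not code from the article and not McAfee’s rule engine, and the identifier patterns, the internal domain, the sender allowlist and the sample messages are all constructed for this example.

```python
"""Outbound e-mail policy check of the kind described in the article.

Added illustrative example, not code from the original article and not
McAfee's rule engine: a minimal evaluator that blocks mail carrying
sensitive identifiers to external recipients unless the sender is on an
authorized list AND the message is encrypted. The identifier patterns,
the domain, the allowlist and the sample messages are all constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# US Social Security number with the usual invalid-range exclusions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Constructed "member ID" format standing in for an organization-specific PHI identifier.
MEMBER_ID_RE = re.compile(r"\bMBR-\d{8}\b")

INTERNAL_DOMAIN = "example.com"                      # constructed
AUTHORIZED_SENDERS = {"claims-team@example.com"}     # constructed allowlist


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # name -> extracted text
    encrypted: bool = False    # e.g. the message is routed through the encryption gateway


def find_sensitive(text: str) -> List[Tuple[str, int]]:
    """Return (label, count) for every identifier class found in text."""
    hits = []
    for label, rx in (("ssn", SSN_RE), ("member_id", MEMBER_ID_RE)):
        n = len(rx.findall(text))
        if n:
            hits.append((label, n))
    return hits


def evaluate(mail: OutboundMail) -> Tuple[str, str, List[Tuple[str, int]]]:
    """Decide allow/block for one message and say why (the reason feeds reporting)."""
    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return "allow", "internal recipients only", []
    hits = find_sensitive(mail.body)
    for name, text in mail.attachments.items():
        hits += [(f"{name}:{label}", n) for label, n in find_sensitive(text)]
    if not hits:
        return "allow", "no sensitive identifiers detected", []
    authorized = mail.sender.lower() in AUTHORIZED_SENDERS
    if authorized and mail.encrypted:
        return "allow", "authorized sender and encrypted", hits
    if authorized:
        return "block", "authorized sender but message is not encrypted", hits
    return "block", "sender not authorized to send sensitive data externally", hits


def sample_decisions() -> List[Tuple[str, str]]:
    """Evaluate a constructed batch of messages; returns (decision, reason) per message."""
    batch = [
        OutboundMail("alice@example.com", ["bob@example.com"],
                     "Internal note: member SSN 123-45-6789"),
        OutboundMail("alice@example.com", ["vendor@partner.test"],
                     "Can we move the call to 3pm?"),
        OutboundMail("alice@example.com", ["vendor@partner.test"],
                     "Per request, SSN is 123-45-6789"),
        OutboundMail("claims-team@example.com", ["pharmacy@partner.test"], "See attached.",
                     attachments={"claim.csv": "MBR-00012345,2018-07-01,approved"},
                     encrypted=True),
        OutboundMail("claims-team@example.com", ["pharmacy@partner.test"],
                     "Member MBR-00012345, SSN 123-45-6789"),
    ]
    return [(decision, why) for decision, why, _ in (evaluate(m) for m in batch)]


if __name__ == "__main__":
    for decision, reason in sample_decisions():
        print(f"{decision:5s} {reason}")
```

The `hits` list returned alongside each decision is what makes the reporting Walls mentions possible: counting which identifier classes leave the network, from which senders, is the raw material for gauging the risk of e-mail as a channel. A real deployment would also scan attachment binaries after text extraction and treat detection counts as a tuning input, since the false-positive rate of patterns like these is exactly what the article says gets reviewed with each requesting department.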

How Successful are These DLP Implementations?

“Effectiveness and speed are driving indicators of success,” says Walls, pointing to lack of data leakage incidents and ease of compliance as components of those two indicators. “The visibility McAfee DLP has given us into both our data at rest and our data in motion has had both an immediate and ongoing positive impact on our business.”

A side-benefit of implementing McAfee DLP Endpoint and McAfee Network DLP for Prime Therapeutics has been an increase in awareness across its employee base regarding sensitive data. “Awareness around data-at-rest and the need to place controls around approved locations appears to be growing,” states Walls. “[It] is not limited to specific departments, but rather arises from projects and conversations between all the teams involved. It’s a positive maturing of controls due to greater business awareness of DLP.”

Advice to Those Looking to Implement DLP Solutions

Based on his experience, Walls says he would advise anyone looking at DLP solutions to begin by identifying and prioritizing use cases. “Much of the work around DLP happens outside of the tool and is process-driven,” he elaborates. “Therefore, it’s important to engage with the stakeholders and affected parties even prior to any rule configuration. That said, make sure you know what the DLP solution is capable of, and what it offers for integration and workflow. Doing so up front will save a lot of time and help avoid miscommunication and misaligned expectations.”

Walls also offers words of encouragement. He really enjoys his job, and especially interacting with other areas of the business. “I get great satisfaction in solving a problem and sharing that with the people I’ve solved the problem for,” he claims.

Working with DLP has also shifted Walls’ priorities and expanded his viewpoint. “DLP definitely branches out to other departments and gets you engaged with privacy, with legal—really with your core business,” he says. “I’ve been able to sympathize a little more [and understand better] the desired end results of other departments outside of security. So that’s been helpful.”

“Security is not a one-person job; it can’t be accomplished with one person [or] one company,” concludes Walls. “So we need partners, and we need friends in the industry to work together. The McAfee support team has been consistently available, receptive, and responsive to our questions and needs. ‘Together is Power’ is definitely something that McAfee represents for us.”

To watch a video of Jacob Walls talking about his experience with McAfee and information security, watch below. Get your questions answered by tweeting @McAfee_Business.

The post How One Healthcare Company Implements DLP to Protect PII and PHI appeared first on McAfee Blogs.

Securing the vulnerabilities of working from home

With more and more businesses offering employees the opportunity to work outside of the office, it’s no surprise that IT departments are becoming increasingly nervous about the dangers of remote working. As this method of boosting staff morale becomes common, sensitive company data has the potential to be in various risky locations outside the remit of the office safe zone. We’ve rounded up some key areas that all businesses should be focusing on to stay ahead of the game especially when their reputation could be at risk.

Recruiting talent and training

Employees working outside the four office walls expose businesses to the risks of data theft and fraud, even from a distance. Having assessed the risks associated with all types of remote working, it’s good practice to train and advise staff on the impact of their actions; otherwise, it’s easy to lose sight of rules and procedures.

Due to the ongoing shortage of people with the ‘right skills’ in the tech sector, the path to success may be to combine human expertise with machine learning. This could not only reduce the gap, but allow businesses to remain on the front foot against cybercriminals. Without it, we could be wasting valuable time that could otherwise be used for innovation and proactive threat hunting.

Share responsibility

With email and the web being the most common forms of digital comms in a workplace, staff must be educated on the key giveaway signs for spotting, flagging and reporting anything that looks suspicious. By sharing the responsibility and encouraging employees to flag anything suspect, you’re naturally raising awareness internally and warning others against falling into similar traps – openness is the key, and this way you’re always one step ahead of those with malicious intent.

You must also have trust in the people that work for you. In the “second economy,” trust is key to the success of a business and the prime casualty of conflict. Without it, you may be putting your company, its data and even your other employees at risk. By evolving both technology and organisational culture, businesses would naturally become more cohesive and share responsibilities where no one can do it alone – ‘Together is Power’.

Security

By ensuring that all systems holding any business-related data are fully equipped with firewalls and protective software, you’re reducing the risk of data breaches. Teams must work together to ensure tools can operate collectively to protect against and detect potential threats. With some data being too sensitive to leave the office walls, it’s useful to set up staff accounts with permissions that limit the data available remotely or deny remote access to it altogether.

Security must be taken seriously – from the CEO’s desk to the end user. This is especially relevant with employees coming and going constantly in a business – employers must have strategies in place to ensure accounts are activated and deactivated at the right time. Although it’s still early days, we may see GDPR becoming an opportunity for security transformation across businesses, where a culture of privacy is compulsory.

Cloud control

The Cloud has become an integral part of business; however, its advantages come with their own share of high risks. It’s important to note that each additional data storage site increases your exposure to risk, so the number of places you’re storing data should be kept to a minimum. By regularly monitoring for any potential threats and implementing a strong security plan with your employees, you’ll have much greater control of your assets. When you have control, especially concentrated in one dedicated place, it’s easier to locate where security is weakest, identify new gaps and mitigate risk quickly.

With the number of businesses offering flexible working increasing, the risk from vulnerabilities is becoming greater. Employers must take responsibility for how staff are administering their first line of defence and consider what policies they need to put in place to accommodate these demands in the safest way possible.

To keep up-to-date with the latest cybersecurity news, take a look at the McAfee Security blog here.

The post Securing the vulnerabilities of working from home appeared first on McAfee Blogs.

Winning the Game at McAfee: How Gamers Become Cybersecurity Workers

This blog was written by Jeff Elder.

When Austin Ortega was 12, he and his brother fought over who got to play video games like Gorillas and Commander Keen on an old family computer his parents had bequeathed to them. Then one day, they broke it. Their dad brought to their Grapevine, Texas, home a stack of floppy disks, dropped them in front of the boys, and told them to fix it. They did.

“I think it took like 14 floppy disks. They took a while to install,” says the McAfee technical support engineer, who references gaming in every class he teaches to new employees. “Video games probably pushed a lot of us into an IT job,” says Ortega, 32. “We were sitting in front of a computer for hours, anyway. We might as well get paid for it.”


Ninety-two percent of cybersecurity managers say gamers possess skills that make them suited to a career in cybersecurity – and 75% would consider hiring a gamer even if that person had no cybersecurity training or experience.

Welcome to cybersecurity in 2018, where “Winning the Game” is more than a metaphor for beating attackers. Gaming today is part of a strategy to attract scarce workforce talent. And once cybersecurity workers are hired, gaming can help keep them sharp, keep them happy, and keep them, period.

In our recent report, Winning the Game, 950 cybersecurity managers and professionals in organizations with 500 or more employees were surveyed to gain insight into innovation, employee-satisfaction, and gamification.

The corroborating evidence to Ortega’s experience is stacked up like 14 floppy disks:

  • 92% of managers surveyed say gamers possess skills that make them suited for a career in cybersecurity
  • 80% of extremely dissatisfied employees who report their organization does not use gamification say they wish they did.
  • 77% of senior managers say their organization’s cybersecurity would be much safer if they implemented more gamification.

At McAfee, we see that at our company’s main offices in Santa Clara, Calif., and Plano, Texas, and with employees around the world.

“Video games brought me into computers and more technical areas of interest,” says Conor Makinson, a quality assurance engineer in Cork, Ireland. “Personally being one of the ‘young cybersecurity workers,’ I think that some games can really help develop mindsets that are beneficial to working in security.”

This is part of our public outreach to tech workers, a workforce in very high demand. Our chief information security officer told security’s biggest trade show about the benefits of gamification last week. “I’m a gamer,” said Grant Bourzikas at a session on recruiting talent at the RSA Conference in San Francisco. “I hate losing a game three times in a row. I have to win, and my wife is mad because we’re late, but I am focused.” Bourzikas looks for that focus and tries to channel it in our security operations center, where games are part of the work.

All those hours trying to beat a game may have actually been an investment in your career. (Hear that Mom and Dad?)

And building games may take Ortega’s floppy disk challenge into the 21st century. “I actually made flash games, first-person shooter games, and role-player games when I was in high school, and it definitely increased my interest in tech and coding,” says Catherine Gabel, demand generation specialist in Silicon Valley who joined McAfee in its Skyhigh Networks acquisition.

Gaming, like its dark-arts cousin hacking, has global reach. Nam Nguyen, a McAfee sales engineer, grew up gaming in South Vietnam, beginning at age 10. “I spent all of my lunch money on it.” He sees great potential for gamifying cybersecurity. “You have to find out new ways to beat the game, and the same is true in cybersecurity.”

Bourzikas and Chatelle Lynch, McAfee’s head of human resources, are already looking ahead to seek out the future of cybersecurity talent, and see much of it engaged in gaming. Austin Redlin, 17, agrees. “Gaming did, in fact, spark an interest in computers for me,” he says. “I began to want to understand what everything meant in a computer.”

Redlin is headed to the U.S. Marine Corps’ military occupational specialty school for Communications and IT. Is a career in the cybersecurity industry in his future? Well, it runs in the family. His mom, Deb Redlin, is executive assistant to McAfee Chief Technology Officer Steve Grobman.

Gaming and cybersecurity go hand in hand, the young Redlin said – via snail mail to his mom from Parris Island, South Carolina. Boot camp, even in 2018, is still one place that doesn’t tolerate games.

Jeff Elder was a member of the McAfee Digital Media Team.

The post Winning the Game at McAfee: How Gamers Become Cybersecurity Workers appeared first on McAfee Blogs.

Come Talk to McAfee at the Gartner Security and Risk Management Summit

A wide group of experts from McAfee will be attending the Gartner Security & Risk Management Summit from June 4-7 in National Harbor, Maryland. The summit brings together an estimated 3400 attendees and over 200 exhibitors looking to share their vision, stories and capabilities with a wider range of cybersecurity and risk management experts. Personally, I’m looking forward to sessions on Security Operations, Management and Orchestration,

Join us on Tuesday, June 5th from 10:30-11:15, for a session entitled Appetite for Destruction – The Cloud Edition, given by Rajiv Gupta, SVP of the Cloud Security Business Unit and Raj Samani (@Raj_Samani), Chief Scientist and McAfee Fellow. Raj and Rajiv will examine the evolving threat landscape in 2018 and how the cloud will increasingly come under fire.

Looking to hear more about our view on cloud security? One of our system engineers, Will Aranha, a DC native from Skyhigh, now part of McAfee, will give a great session entitled Cloud Security in the Era of “There’s an App for That.” While it takes place on Monday, June 4th, the same day this blog was published, swing by the booth if you want a summary or a follow-up on the slides he presented. If you’re reading this in time – head to George’s Hall D by 1:50pm.

Speaking of our booth, I have to encourage you to visit McAfee at booth #436. Talking to experts 1:1 is one of the best ways to get educated and answer questions. My hope is that you’ll walk away with a bigger and broader vision of what McAfee can do. We call it our Device to Cloud protection vision.

Better yet see live demos of both updated and new products. We’ll have 4 stations centered on the following:

Endpoint Security – Protecting against advanced and fileless threats is important, but you also need context on threat trends (not just EDR) and the ability to respond quickly and efficiently (a single security management console called ePO makes it easier). Find out what the new McAfee is doing differently in this space.

Evolve Your Security Operations – Wondering why you can’t get more out of your SIEM? Wish you had a few more tier 2 or tier 3 security analysts on staff? See how analytics and machine-learning can transform how every analyst, regardless of their level, can find threats and make decisions faster. Here’s a screen shot from our Mock SOC demo that gives you a taste of how both McAfee Behavior Analytics and McAfee Investigator can transform your team.

McAfee Behavioral Analytics (MBA) screen shot that shows a high-risk user and the reason for the rating. MBA uses machine-learning to model users and organizational behavior.

The beginning of an investigation with McAfee Investigator as shown in the mock SOC demo (the red box highlights a guided investigation). Turns an analyst into a real Sherlock Holmes.

Data Center & Cloud Defense – If you’re like most enterprises, you’ve got some workloads running in a hybrid cloud. The team here will show you how to make protection fast and easy through things like automated workload and container discovery, cloud-optimized threat defense, and network visibility and micro-segmentation. A recent SANS endpoint survey (a multi-vendor effort) showed the network as 1 of 3 top areas where respondents detected compromises.

McAfee Skyhigh Security Cloud (CASB) – Your teams are working in the cloud, which makes securing the areas where they work (e.g., Office 365, AWS, Azure, Box, Salesforce, Slack, and others) important. The team will help you better understand everything from DLP to collaboration control policies to detecting compromised accounts in cloud environments.

Click here to find out how MGM Resorts International uses McAfee solutions, including the McAfee SIEM and Investigator products, to significantly reduce detection and response times. Select benefits included:

  • Improved security posture through well-orchestrated integration and intelligence sharing
  • Accelerated time and reduced effort to contain, investigate, and remediate advanced threats
  • Improved collaboration and skills of security investigation team

Stop by our booth (#436) to hear about more customers and use cases. If you can’t make it to the show, I encourage you to reach out to learn more about the innovation occurring at the new McAfee.

The post Come Talk to McAfee at the Gartner Security and Risk Management Summit appeared first on McAfee Blogs.

The New Security Experience

Everyone has their limits — limited budget, limited staffing and time — but we seldom take into account the basic limitations imposed on us by something we can hardly control: our minds. But understanding limits helps us work with them, not against them. Following years of hard work and focus, we have now begun to introduce a new security experience.

McAfee wants to bring radical efficiency to cybersecurity staffs. That can be achieved in part by developing technologies like the McAfee® Data Exchange Layer (DXL) to bring cross-product and cross-vendor communication to cybersecurity solutions, though we see a place where the needs of our customers can be met even further by honestly addressing the limits of our minds.

How large is the average person’s working memory? Conventional wisdom says we can juggle seven different things at a time, plus or minus two. Even the smartest among us can still remain fairly ignorant about how little we can hold in our heads at any one time.

Some years ago, University of Notre Dame researchers ran a study¹ where they instructed people to start a task at a table on one side of a room before walking to a table on the other side of the room to complete it. As humans, we do that kind of thing reasonably well.

But then the researchers partitioned the room, leaving a doorway between the two tables, and completion rates plummeted. The study blamed that common human experience of walking to another room to get something and forgetting what it was once you got there.

Imagine leaving your living room to make popcorn, but the moment you enter the kitchen you can’t remember what you’d been thinking. The study supposed that our minds dehydrate our sense of where we were as we move from one place to another, to better focus on our new location. But context-switching is a lossy operation. If you don’t deliberately carry something over that threshold, you might drop it. Returning to the living room rehydrates that context, and suddenly you remember the popcorn.

Those researchers ran the same study with people in front of computers. When moving from one end to another of a single space on screen, people did well. Place a virtual partition in the virtual space and completion rates tanked equivalently to moving through contexts in the real world.

Some cybersecurity products might look simple, but navigating through simple contexts still costs something, and with stakes much higher than failing to make popcorn. Common cybersecurity workflows — from investigating threats to changing policy — regularly require moving across many more screens than anyone can hold in their head at the same time. This burns vast amounts of cognition.

Simply by disassembling the old cybersecurity experience to bring related information together in a single, high-context workspace — encouraging the user to drive into the right information at the right time — we shift the cognitive load from managing context switches to actually solving cybersecurity problems.

Over the past 18 months, McAfee has shipped several new and innovative experiences designed to accelerate mundane tasks, focusing limited cybersecurity staff on the task at hand. Our most recent launch was an entirely new product, McAfee® Investigator which combines a high-context, guided experience with powerful cloud-based analytics and machine learning, with strong customer outcomes being praised by industry analysts and customers alike. Bringing McAfee’s UX approach to our existing products is also testing well, reducing some common workflows from minutes to seconds.*

While we look forward to sharing more about our efforts in the weeks and months to come, we know all too well that once you move your attention somewhere else, you’ll likely forget most of what you just read here. Still, if you keep just one thing, remember this: McAfee wants to be your number one security partner, not only by offering full protection from device to cloud but also by making cybersecurity workers radically more efficient — to help you avoid dropping crucial clues without even realizing it, like something you went to the other room to get and forgot what it was once you got there.

We see a bright opportunity for a new security experience. At McAfee, we look forward to getting there together.


¹ “Walking through doorways causes forgetting: Situation models and experienced space” (University of Notre Dame); Radvansky, G.A. & Copeland, D.E. Memory & Cognition (2006) 34: 1150.

*Time reductions are intended as examples of how a given McAfee product, in the specified circumstances and configurations, may provide time savings. Circumstances and results will vary.

The post The New Security Experience appeared first on McAfee Blogs.

McAfee earns a Top Product Award from AV-Test!

McAfee achieved a near perfect score of 17.5 for both McAfee Internet Security (MIS) 20.8, and McAfee Endpoint Security (ENS) 10.5.3, in the areas of protection, performance and usability in the latest round of testing from AV-Test. The AV-TEST Institute, a leading international and independent service provider in the fields of IT security and anti-virus research also honored both products with a Top Product Award.

These results, announced May 28, continue to build on improvements earned over the last several test cycles.  In the latest tests, both MIS and ENS achieved a perfect score of 6 out of 6 in both usability and protection and a near perfect score of 5.5 out of 6 in performance.

Our latest Endpoint Security solutions continue to be market-leading solutions, surpassing other consumer and enterprise platform security vendors in independent scoring around Protection, Performance and Usability. In fact, both McAfee ENS and MIS were 100% effective against prevalent malware circulating in the past 4 weeks and virtually 100% effective against 0-day malware attacks as well (a single miss). Both products had ZERO false positives, which means you can trust the results you receive from our products. McAfee ENS and MIS also showed virtually no signs of impacting user productivity.

Curious how we fared relative to the competition? You can visit AV Test’s website at https://www.av-test.org/ for all current and past test results.

The post McAfee earns a Top Product Award from AV-Test! appeared first on McAfee Blogs.

WannaCry One Year Later: Looking Back at a Milestone

Has it been a year? It seems longer.

When the WannaCry ransomware attack hit tens of thousands of individuals and businesses around the world on May 12, 2017, it wasn’t the first time we had seen ransomware, but its impact was unique and lasting.

We’ve all known for decades about hackers, information thefts, computer viruses etc. But when a hospital’s information system gets locked, and lives are at stake, think pieces about the “Future of Cybersecurity” don’t seem so distant. WannaCry brought the future into the present. Quickly.

In the last year, there seems to have been more dialog about the “downside” of tech as well as the upside. In short, for every positive in IT there is often an (unintended) downside. For example, billions of people love social media, particularly Facebook. But the recent testimony before Congress from Facebook’s CEO brought out the dark side of this technology: privacy issues and even the possibility of political manipulation.

Frequently, IT downsides seem to involve cybersecurity issues, in one way or another.

With WannaCry, the “theory” of threats became personal. If someone is ill and can’t get medical attention, that’s personal. If your pacemaker is hacked, that’s personal. And if your car — self-driving or not — gets its power steering locked by a hacker when you’re going 80 miles an hour, that’s personal.

A Unique Problem

Why was WannaCry different? Because it’s the first time we’ve seen worm tactics combined with ransomware on a major scale. The outbreak infected at least 350,000 victims in more than 150 countries.

WannaCry’s success came down to its ability to amplify one attack through the vulnerabilities of many machines on the network, making the impact greater than what we had seen from traditional ransomware attacks.

To quote McAfee’s Chief Scientist Raj Samani: “WannaCry is still being talked about, and I suspect it will be one of those events that will act as a milestone for malware. It took the industry by storm with its propagation method, and challenged the previously held belief that criminals would provide decryption keys once paid the ransom.”

Day Zero Protection

In terms of the company I work for, McAfee, WannaCry was a test: a test to see if the cybersecurity software we had been working on for many years would meet the challenges of an attack we had never seen before. I think we met the challenge, and I also learned from that attack.

McAfee technology provided Day Zero protection against the attack, not just at the endpoint but across many aspects of an integrated security architecture. Threats like WannaCry remind us that an integrated cybersecurity approach is the best defense because it enables people to protect, detect and respond to the newest and most challenging threats.

We met the attack in several ways:

  • The latest McAfee Endpoint Security® software running Dynamic Application Containment® (DAC) in secure mode gave full Day Zero protection against WannaCry.
  • ENS®, Threat Intelligence Exchange® (TIE) and Advanced Threat Defense® (ATD) operate together as a zero touch, closed loop security defense system.
  • McAfee Active Response® (MAR) delivered trace data that revealed malicious activity at Day Zero, helping responders identify the attack and update defenses across the environment.

For customers on older endpoint technology, McAfee researchers analyzed samples of the WannaCry ransomware immediately upon detection, and then updated McAfee Global Threat Intelligence® (GTI) and released an emergency DAT and new HIPS signatures for extra coverage. As a company, we spent a lot of time on the phone with customers over the weekend after “WannaCry Friday”—many had questions about their endpoint version.

The Big Picture

In the case of WannaCry, the immediate threat was met. But we also realized it’s important to keep an eye on the big picture. Now, more than ever, the “new threat, new widget” approach must evolve.

McAfee’s philosophy is that an effective defense is built on a dynamic cybersecurity platform that is both open and integrated. Open, so it can quickly accept new technologies that protect against even the most creative adversaries; and integrated in that technologies can work together as a cohesive defense.

Those integrated defenses were on clear display in protecting our customers during the WannaCry episode. Leveraging an automated security system that protects, detects and corrects in real time allows users to both free up resources and thwart advanced attacks. As a result, users no longer have to choose between the best technology or the most manageable – they can have both.

The post WannaCry One Year Later: Looking Back at a Milestone appeared first on McAfee Blogs.

Cyber Storm: Strengthening Cyber Preparedness

This past April, McAfee employees joined with more than 2000 members of private industry, federal government, and international partners to participate in a three-day cyber exercise called Cyber Storm, led by the Department of Homeland Security (DHS). The goal of the exercise was to simulate discovery of and response to a large-scale, coordinated cyber-attack impacting U.S. critical infrastructure, and to improve cybersecurity coordination for the nation.

These exercises are part of DHS’s ongoing efforts to assess and strengthen cyber preparedness and examine incident response processes. The Cyber Storm series also strengthens information sharing partnerships among federal, state, international, and private-sector partners. During the three-day exercise, we simulated a cyber crisis of national and international consequence. This exercise gave the McAfee team the ability to test both internal and external incident response processes in a safe venue.

While DHS does not disclose specific details about the scenario for operational security purposes, Cyber Storm VI featured a multi-sector cyber-attack targeting critical infrastructure that produced realistic global events with varied impacts. McAfee was one of over 100 participating public and private sector organizations.

I had the opportunity to be one of the members sitting inside ExCon, or exercise control. This was the nucleus of the cyber exercise! It was a busy three days of sending out new incidents, watching how teams responded, and adjusting if things didn’t go exactly as planned. This simulation allowed us to learn and gave us a unique opportunity to raise our game. We now have more processes in place ready to deal with cyber-attacks if they were to occur. The teams executed well, revealing the strengths of our critical relationships with government agencies and other private sector organizations.

I was particularly impressed by how DHS executed and collaborated with all the various organizations participating. Because the participants took it seriously, it felt very real. Given the well-founded concerns around cybersecurity and the demands the cyber threat landscape regularly places on us, it was great to see different organizations from different agencies and vertical industry segments coming together when needed. Such a large-scale simulation was no easy feat, but the core planning team, in conjunction with all the organization planners, made it run without a hitch. For more information on Cyber Storm, visit https://www.dhs.gov/cyber-storm.

The post Cyber Storm: Strengthening Cyber Preparedness appeared first on McAfee Blogs.

With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out?

Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track of the booths I visited even if it was just for a brief few seconds. I went to 287 booths in the North Hall and 279 in the South Hall. That’s right: I counted and hit 566 booths in a little over three hours.

What did I learn from this year’s event? Aside from the latest industry buzzwords and jargon — threat sharing, machine learning, AI, data lakes, SOC automation, attack surface discovery and exploitation — every vendor sounded the same, and you had to go beyond the surface level to find out how they differentiate themselves.

I left disappointed that not once did I hear a vendor talk about helping customers by focusing on their desired outcomes, value and service level agreements.

Our marketing team recently released the following data points, which I believe are telling of where we are as an industry.

More than 1,200 vendors compete in the cybersecurity market today. Conservatively, if each vendor offers an average of three products, with each product carrying an average of five features, that would make the cybersecurity market replete with nearly 20,000 features.

There is no shortage of competition for features in our industry. Look at most cybersecurity vendor websites and you’ll find lots of content around product capabilities. It’s no wonder customers are under assault by relentless adversaries. Each new threat vector requires a new defensive technology, which typically takes the form of a new product (if not a new vendor), complete with its own set of features.

That’s why McAfee focuses on sound architectural principles when designing modernized cybersecurity environments. We provide an open, proactive and intelligent architecture to protect data and stop threats from device to cloud. This allows customers to onboard new defensive technologies quickly to maximize their effectiveness. And, with our open, integrated approach, customers benefit from an overall security system with a whole greater than the sum of its parts. They get the benefit of both worlds: abundant vendor choice within a unified, cohesive system.

RSA 2019 Goals: Find vendors who talk about solving customer challenges by focusing on outcomes, architecture interoperability, efficacy and efficiencies, with some service level agreements mixed in for good measure. I really believe McAfee is setting a new, higher standard for the cyber landscape that is essential and meaningful to our customers and the partner ecosystem. Let’s see if anybody else follows suit.

The post With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? appeared first on McAfee Blogs.

Passwords, Revisited

Ahh, passwords. We have work passwords, personal passwords, super secret passwords, even throw-away passwords. Have you ever stopped to wonder how “secure” your passwords actually are? Thanks to cybersecurity writer and researcher Troy Hunt, you can now check. Troy runs the website ‘;– Have I been pwned? and recently pulled together the data he has been collecting into a service that holds half a billion passwords seen in various data breaches, along with a count of how many times each password has been seen.

If your password lives in this database, it is no longer a secret.

So just for fun, let’s explore this data.  Say you’re a fan of the NFL Green Bay Packers.  You’d (of course) never use the password “greenbay”.   Which is good, because it has been used as a password 12,066 times in various breaches.  What about something tricky like “gr33nb@y”?  (Nope – that one has been seen 28 times.)  Throw in some capital letters like “Gr33nB@y”?  (Strike 2.  That’s been seen 8 times.)  Let’s try adding a symbol “Gr33nB@y#1” – that will be unique!  (Nope.  Strike 3.  That’s been seen 9 times.)

Unless your password is a long string of random characters, the probability it has been exposed in a breach is pretty good. And how do you remember a long string of random characters? Hint, hint: a password manager. And guess what password managers can now do, thanks to Troy’s service? They can check whether the password you’d like to use has already appeared in a breach.

Let’s look at some more passwords. Sticking with the sports theme: say you’re a Boston Red Sox fan; the password “yankeessuck” has been seen 367 times. Yankees fan? “redsoxsuck”: 185 times. How about the Premier League? An Arsenal fan might go with “chelseasucks” (30 times) and a Chelsea fan with “arsenalsucks” (27 times). Maybe you’re a more optimistic NBA fan: if Golden State is your team, the password “warriorsrule” shows up 35 times. Cavaliers fan? “clevelandrocks” shows up 68 times.

Proud of your home state? You probably don’t want to use it as a password: “newyork”, 93,558 times; “california”, 78,972 times; “florida”, 74,587 times. Every state makes the list. Favorite celebrities your go-to for passwords? Well, “beyonce” has been used as a password 20,014 times, “selenagomez” 5,417 times, Dwayne “therock” Johnson 38,234 times, Cristiano “ronaldo” 112,121 times. Countries? “USA” 406 times, “india” 49,222 times, “england” 50,919 times, “spain” 4,060 times (even “españa” with the ñ has been seen 212 times). Foods? “hamburger” 10,864 times; “hotdog” 61,680 times; “fishandchips” 1,271 times; “sushi” 7,395 times; and (just for Troy) “vegemite” has been seen 1,845 times.

Looking at some more mundane passwords, the password “password” appears over 3.3 million times in the breach data, and “123456” shows up over 20 million times. It’s not all English either: the Spanish word for “password”, “contraseña”, shows up 1,045 times; the German “passwort” 57,177 times; the Russian “пароль” 13,466 times; and even the Maori word “kupuhipa” shows up 3 times.

So as much as we would each like to think we are being clever with our passwords and the patterns we create to remember them, it is safe to say that in a global context, your pattern has likely already been used. Don’t take my word for it: go look them up for yourself here (but maybe don’t look up a password you’re currently using).
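The lookup the post describes can be done without ever sending the password, or even its full hash, to the service: the client submits only the first five hex characters of the password’s SHA-1 and matches the returned range locally. The following is an added example, not code from this post or from Troy Hunt’s service; it assumes the published range-API format (`suffix:count` lines for a five-character prefix), and the range response it matches against is a constructed sample.

```python
"""Offline demonstration of the k-anonymity range lookup behind Pwned Passwords.

Added example, not code from the McAfee post or from Troy Hunt's service.
Assumes the published range-API contract: the client sends only the first
five hex characters of the password's SHA-1 and receives every suffix in
that range with its breach count, so the full password (or full hash) never
leaves the machine. The range response below is a constructed sample, not
real API output.
"""
import hashlib
from typing import Dict, Tuple

# Constructed sample of a range response for prefix "5BAA6".
# Lines are "<35-hex-char suffix>:<count>". The first suffix is the real SHA-1
# suffix of "password"; its count and the other two lines are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
00A3C8B4E5D4F2F1A9C0B7D6E5F4A3B2C1D:2
FFEE12AB34CD56EF7890AB12CD34EF5678A:17
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # live endpoint; not called in the demo


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 if not present).

    The match is done locally against the whole range, so the service learns
    only the 5-char prefix, which is shared by hundreds of unrelated hashes.
    A real check fetches the range for the password's own prefix first.
    """
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch a live range over the network. Kept separate so the demo runs offline."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "a password nobody else chose"):
        prefix, _ = split_sha1(pw)
        hits = breach_count(pw, SAMPLE_RANGE_5BAA6)
        verdict = f"seen {hits:,} times" if hits else "not in the sample range"
        print(f"{pw!r}: prefix {prefix} -> {verdict}")
```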

Oh, and before I forget…  You should use a Password Manager.  Really.  You should.

The post Passwords, Revisited appeared first on McAfee Blogs.

McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers

Fun Facts: ECS stood up and managed the first security operations center at the White House. Today, ECS manages the world’s largest McAfee installation—employing just about every solution we make—for the U.S. Army.

ECS is more than a McAfee Platinum Partner: they’ve built their entire security solution around McAfee products. The company’s unique offering to Enterprise, military, intelligence and federal civilian combines their award-winning managed services powered by McAfee, and high-level competencies across the Amazon Web Services (AWS) product suite.

ECS has earned service delivery certifications for every McAfee product, participating regularly in betas and trials of new software with active input into the development of new products. Its AWS bona fides are equally ambitious: ECS is an AWS Premier Consulting Partner, an Audited Managed Service Partner, and one of the world’s largest AWS resellers.

For the past 17 years, ECS (formerly InfoReliance) has built a managed-services offering that focuses on delivering custom solutions for clients in regulated industries such as government and defense, but the company also has a large and growing roster of high-profile enterprise and commercial customers. ECS focuses its security solutions around the threat defense lifecycle, applying not only McAfee products but complementary solutions from McAfee Security Innovation Alliance.

“Our choice to provide a single-vendor security platform and deliver McAfee at scale is one of the things that makes us unique,” remarks Andy Woods, Director of Managed Cybersecurity at ECS. “It means our organization can have a depth of expertise that’s frankly unmatched by anyone else in the industry. We also believe it’s the best way to be technology-heavy and people-light, and to automate as much of the cybersecurity lifecycle as we can.”

The McAfee Virtual Network Security Platform (vNSP) and its tight synergy with AWS is a large focus of ECS’s business. Tim Gonda, ECS security engineer and vNSP expert, explains: “We feel it is important to recognize that as part of the AWS shared responsibility model, it is up to us to ensure the security of our virtual networks. We leverage vNSP as a way to augment the security of native AWS capabilities. We are able to establish more flexible controls for protecting our own workloads, as well as providing custom-tailored solutions to our clients.”

In one example of a customer’s virtual private cloud (VPC) deployment, the ECS team launched a vNSP controller into the VPC, and deployed sensors per subnet. The application service also included the lightweight, host-based traffic redirector. “One of the biggest differentiators of vNSP versus other products is that it allows us to monitor internal VPC traffic, as well as traffic leaving the VPC, in an extremely lightweight framework,” Gonda comments. “In this example, we managed the lateral traffic within the VPC, as well as traffic going out to the internet, while providing custom filters and rules looking for specific threats on the wire.”

The application of vNSP with AWS-driven VPCs is just one example of ECS’s fearless innovation in today’s marketplace. Woods notes, “We’re proud of our internally developed intellectual properties, such as our iRamp billing system. We developed one of the very first DXL-enabled technologies within the partner community. We were also early adopters of integrated security through McAfee ePO, born out of a need to support clients in regulated industries.”

Woods concludes, “Our clients are focused on value management of their cybersecurity spend and how we can help them reduce their risk not only today but into the future. We deliver customized security outcomes for every organization we work with. We’re confident in McAfee’s ability to scale along with core competencies on the endpoint, whether on-premises or in the cloud. The connected infrastructure is a key differentiator for us as we deliver managed services to customers across all verticals. For us, ‘Together is Power’ means being able to solve our clients’ cybersecurity problems in the most powerful manner possible, through a single platform of connected technologies.”

The post McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers appeared first on McAfee Blogs.

RSA Influencers Identify Cybersecurity’s Top Issues

More interest, more news, and more money are swirling through the cybersecurity industry than perhaps ever before. Data breaches make headlines, shape elections, and lead to Congressional hearings. Artificial intelligence tools wow the public and stretch the limits of the imagination.

And the 40,000 RSA Conference attendees pouring into San Francisco are not impressed. Cybersecurity is a profession, they say, not a circus.

We reached out to RSA speakers and attendees and asked what they think is the most relevant recent development in cybersecurity. They gave us a variety of answers, many with the central theme that companies and consumers should not believe the hype. Cybersecurity still is – and perhaps always will be – about seasoned professionals patiently applying good tools in a comprehensive way.

“The problem we’re seeing at trade shows recently is there is very little new,” said John Bambenek, a vice president at ThreatSTOP who lectures on cybersecurity at the University of Illinois. “We’re still trying to solve the same old problems in the same ways with newish looking packaging. What’s being overlooked is actually spending the time developing understanding of attacks, threats, and trends so models can be truly informed before making decisions.”

Caroline Wong, Vice President of Security Strategy at Cobalt, agreed. You can’t just turn the latest tools on and watch them vanquish threats. “There’s a big push in DevSecOps for more and more automation, but it’s critical to remember that when it comes to web applications and APIs, manual pen testing is required to discover vulnerabilities in application business logic. Automated scans often miss the most interesting security vulnerabilities.”

“Assuming that machine learning models and classifiers will work 100% of the time is setting your SOC up to fail,” wrote McAfee CISO Grant Bourzikas in an RSA blog post titled, “What humans do better than machines.” Bourzikas and McAfee Chief Human Resources Officer Chatelle Lynch will host a session at RSA on how innovation can help companies retain top talent. “Recruiting and retaining a diverse talent pool in cybersecurity today is so competitive,” Lynch said of her session. “Employees want to know they are at a company that strives for the latest innovation.” But that is always within the realm of human-machine teaming at McAfee, Bourzikas says. Shiny new tech must be paired with human analysis.

Many cited human decisions about data regulation – the opposite of whiz-bang security tech – as one of the main issues in cybersecurity today.

“The most important development in cybersecurity is Facebook’s reaction to the imminent enforcement of GDPR,” says Kevin L. Jackson, Founder and CEO of GovCloud Network. “The sound of Facebook’s leadership failure is deafening. The legal battles around data privacy and security will drive whatever happens across the entire cybersecurity landscape, including what technology is deployed.”

Kathy Delaney Winger, a Tucson-based lawyer whose areas of practice include cybersecurity, concurred. “Businesses may be surprised to learn that they are obligated to comply with laws such as New York’s cybersecurity regulation and the GDPR – even though they do not fall under the jurisdiction of the enacting entities.”

“Far too many small and mid-size businesses simply underestimate the impact that the EU General Data Protection Regulation will have on them,” said Ben Rothke, principal security consultant for Nettitude.

GDPR preparation doesn’t have to be drudgery. Flora Garcia, a McAfee attorney writing about the regulations, has suggested GDPR can also stand for Great Data Protection Rocks. Data protection could even be a shared global citizenship effort along the lines of environmentalism, she says.

The data-protection revolution may even have us rethinking the nature of identity. “The identity industry is moving away from identity,” said Steve Wilson, vice president and principal analyst of Constellation Research, Inc. “What matters in authentication? Not who someone is, but what they are. You need to know something specific about a counter-party, like their age, or their address, or their credit card number, or their nationality, or some mix of these things. You don’t really need to know their identity. This is a very fundamental shift in thinking, and it’s just the beginning of a major regulatory push around data provenance.”

Grounded data-protection hygiene and cybersecurity discipline that looks past the cool factor are not preventing RSA attendees from looking at the very latest threats. “These days, attackers are increasingly focused on cryptocurrencies – stealing them, mining them via cryptojacking or obtaining them as ransom,” said Nick Bilogorskiy, who drives cybersecurity strategy at Juniper Networks and was previously Chief Malware Expert at Facebook. “As companies do not usually have crypto wallets to steal, attackers turn to ransomware because it provides the best bang for the buck and is the logical choice for attackers to monetize business breaches. I expect ransomware and other cryptocurrency malware attacks to grow in popularity this year.”

But even the most quickly evolving threats are enterprises launched by people, aimed at people, and shut down by people. Raj Samani, McAfee’s Chief Scientist, says ransomware and its many forms can be beaten by people – if they get the right help. “The purpose of pseudo-ransomware is typically destruction, but we have seen evidence of its use as a diversionary tactic, and whilst it may appear as traditional ransomware the attackers are unlikely to provide any decryption capability regardless whether the ransom is paid. Either way, with actual ransomware or the decoy tactic, organizations need guidance to mitigate the risk.” Samani is speaking about pseudo-ransomware during his session on the topic at RSA.

Everything in cybersecurity may seem new, baffling, and roiling with change. But people can apply lessons of the past – such as with airport security changes after 9/11 – to find solutions in the future, said McAfee CEO Chris Young. “Smart security changed air travel from top to bottom. We need to bring a cybersecurity paradigm shift that is more collaborative, clear and accessible,” Young said of his RSA keynote on what cybersecurity can learn from those who keep air travel safe.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post RSA Influencers Identify Cybersecurity’s Top Issues appeared first on McAfee Blogs.

Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection

When the European Union’s (EU) General Data Protection Regulation (GDPR) comes into full force May 25, European citizens will receive greater privacy protection and regulators will have strengthened authority to take action against businesses that breach the new laws. Fines of up to 4% of annual global revenue or €20 million, whichever is greater, can be levied against any organization that processes personal data of EU residents, regardless of where it is based. Stories with doomsday predictions and generous helpings of fear can be found in many publications.

McAfee recently published an executive summary of our report, Beyond GDPR: Data Residency Insights from Around the World, that focuses on responses from the 200 professionals surveyed in the financial services sector. While there remains work to be done, it’s not all doom and gloom for the financial services industry. More than one quarter (27%) of financial services firms surveyed are already set up to comply with the GDPR requirement for controllers to report a breach to the appropriate authorities within 72 hours of becoming aware of it, compared with just 20 percent of firms in other industries. This is most likely the result of greater preparation, as the financial sector has a higher proportion of firms (28%) that have been working on compliance for three to four years, compared to the global average of just two years.

We believe that the looming threat of GDPR fines is an opportunity to communicate the seriousness of these regulations to your board and executives, and to position the firm as one that cares about personal privacy. And that could help boost the bottom line according to survey respondents – some 80% of financial services respondents believe that organizations that properly apply data protection laws will attract new customers.

Knowing what data is stored where is one of the most important steps of this data protection activity, but here are a few more that we recommend.

Step 1. Know Your Data.

Not only where it is, but what it is, why you are collecting it, and what levels of security and encryption are used to protect it. If you are collecting personal data that is not essential to your service offering, you may want to reconsider what you collect to better manage your risk of exposure, and comply with data-minimization principles.

Step 2. Enforce Encryption.

Effective encryption protects data by making it useless to hackers in the event of a data breach. Use proven encryption technologies, such as Triple Data Encryption Standard (3DES), RSA, or the Advanced Encryption Standard (AES), to ensure the safe storage of both your employees’ data and customers’ data.

Step 3. Pseudonymize personally identifiable information (PII).

Modifying data prior to processing so that it cannot be tracked back to a specific individual provides another layer of data protection. Pseudonymizing your data allows you to take advantage of Big Data and do larger scale data analysis, and is viewed as an appropriate technical and organizational measure under article 32 of the GDPR.

Step 4. Get Executive Management Involved.

The necessary changes to your data storage, monitoring, management, and security systems can require more human and financial resources than are currently budgeted. The potential of significant fines is an excellent opportunity to get the required support from the highest levels of your organization.

Step 5. Appoint a Project Owner.

Staying compliant with various data protection laws is not something that can be done by an IT staffer in their spare time. Consider appointing a data protection officer or equivalent, to take ownership of both implementation and ongoing management of this project. A data protection officer may be required in any event, depending on the nature of the processing carried out.

Step 6. Review Data Security with Cloud Vendors.

With cloud computing and storage touching most business processes in some fashion, consider conducting an audit of all your vendors’ systems, procedures, and contracts, and the data that they are handling and storing on your behalf. After all, each organization will be held responsible for meeting the GDPR requirements.

Step 7. Foster a Security-Aware Culture.

Human errors are often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocol: one error made by one uninformed person could lead to irreparable damage. Consider making sure that all your employees and contractors receive proper and regular training on data security and the handling of customer information.

Step 8. Have a Response Plan.

No system is 100% bulletproof. You need an incident response plan in place to make sure that you can recover as quickly as possible in the event of a data breach. Under GDPR law, you are required as a controller to alert the appropriate authorities within 72 hours of becoming aware of a data breach, and you also need to notify any individuals whose personal data has been compromised.

Step 9.  Go with a Privacy by Design Approach.

The GDPR places a requirement on organizations to take data privacy into account during the design stages of all projects. Companies will want to consider data-protection technologies such as data loss prevention (DLP) and cloud data protection via a cloud access security broker (CASB) from the very beginning of development. Implement data-protection policies that help prevent both accidental and malicious data theft by insiders and cybercriminals, regardless of where the data resides.
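Steps 2 and 3 above are the ones that turn into code. As an added example (not from this post or the report), the following pseudonymizes the identifying fields of customer records with a keyed HMAC before they are handed to analytics: the same customer always receives the same token, so the Big Data analysis Step 3 mentions still works, but the token cannot be linked back to the person without the key. The field names, records and key are constructed; an unkeyed hash is deliberately not used, because emails and customer numbers are easy to recover by hashing guesses.

```python
"""Keyed pseudonymization of PII before analytics.

Added example, not code from the McAfee post. It applies HMAC-SHA256 under a
secret key that is kept out of the analytics environment: the same value
always maps to the same token, so records can still be joined and counted,
but without the key a token cannot be linked back to the individual. An
unkeyed hash would not do: an email or customer number is low-entropy and
can be recovered by hashing guesses. Field names, records and the key are
constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Identifying fields that must not reach the analytics dataset in clear.
PII_FIELDS = ("email", "customer_id")


def normalize(value: str) -> str:
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' agree."""
    return value.strip().lower()


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """HMAC-SHA256 over field name and value.

    Binding the field name means the same string appearing in two different
    fields yields two different tokens, which limits cross-field linkage.
    """
    msg = field.encode("utf-8") + b"\x00" + normalize(value).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace every PII field with its token; other fields pass through."""
    return {
        name: pseudonymize(val, key, name) if name in PII_FIELDS else val
        for name, val in record.items()
    }


def pseudonymize_dataset(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [pseudonymize_record(r, key) for r in records]


def transactions_per_customer(dataset: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Analysis that works on tokens alone: how many rows each customer has."""
    counts: Dict[str, int] = {}
    for row in dataset:
        counts[row["email"]] = counts.get(row["email"], 0) + 1
    return counts


# Constructed sample records (note the differently cased/padded email for Alice).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com ", "customer_id": "C-1001", "product": "savings", "amount": "120.00"},
    {"email": "alice@example.com", "customer_id": "C-1001", "product": "loan", "amount": "5000.00"},
    {"email": "bob@example.org", "customer_id": "C-2002", "product": "savings", "amount": "60.00"},
]


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, separate from the analytics store;
    # here it is generated for the demo only.
    key = secrets.token_bytes(32)
    tokens = pseudonymize_dataset(SAMPLE_RECORDS, key)
    for row in tokens:
        print(row)
    print(transactions_per_customer(tokens))
```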

While no one can guarantee that you will not suffer a data loss, following these steps will help you understand where you stand, identify any gaps, and improve your organization’s responsiveness. Loss of customer confidence was the most common concern of financial services organisations (64%), and rapid containment and response is one of the best ways to protect your firm’s valuable reputation. So keep calm, and prepare for GDPR.

Read the full report, Beyond GDPR: Data Residency Insights from Around the World, and learn more about the top data-protection concerns and strategies of more than 800 senior business professionals from eight countries and a range of industries.

The post Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection appeared first on McAfee Blogs.

A Guide to McAfee at RSA 2018

As the RSA Conference convenes more than 40,000 attendees April 16-19 at Moscone Center in San Francisco, cybersecurity has perhaps never been so vital, diverse, and wide-ranging. To help make sense of that, McAfee speakers at RSA will look back at influences that shaped this world, ahead to new innovations and management approaches, and deeply into the worst cyber threats of today.

Keynote: CEO Chris Young looks back at airline security flight

What can we learn from the Underwear Bomber and the rule of 3-1-1? Chief Executive Officer Chris Young delivers his sixth RSA keynote Tuesday, April 17th by applying lessons learned fighting terror in the air. “Smart security changed air travel from top to bottom. We need to bring a cybersecurity paradigm shift that is more collaborative, clear and accessible,” Young said of his keynote. Find out what cybersecurity can learn from those who keep air travel the safest form of transportation, bar none. April 17th, 8:55-9:20 a.m., Moscone West, Level 3.

Sessions: Fighting ransomware and nurturing innovation

Christiaan Beek and Raj Samani of the McAfee Advanced Threat Research team uncover the dark world of pseudo-ransomware, where demands for payment mask the devastation of wiper files, and extortion dances with destruction as the world watches. “The purpose of pseudo-ransomware is typically destruction but we have seen evidence of its use as a diversionary tactic, and whilst it may appear as traditional ransomware the attackers are unlikely to provide any decryption capability regardless whether the ransom is paid. Either way, with actual ransomware or the decoy tactic, organizations need guidance to mitigate the risk.” Samani said of his session. Get the point of view of a ransomware hacker as the walls close in during a major campaign takedown. Reserve your seat now for April 16th, 3:35 p.m. (Session code: SEM-M03).

CISO Grant Bourzikas and Chief Human Resources Officer Chatelle Lynch join forces to explain how innovation can help companies retain top talent. “Recruiting and retaining a diverse talent pool in cybersecurity today is so competitive,” Lynch said of her session. “Employees want to know they are at a company that strives for the latest innovation.” Learn how engaging employees (including games!) can make the most of every staff member. April 17, 1-1:45 p.m. (Session Code: SPO1-T07).

Expo Hall: Look for McAfee and McAfee Skyhigh

McAfee acquired Skyhigh Networks early this year, adding state-of-the-art cloud security to our existing portfolio. Look for both McAfee and Skyhigh at RSA:

  • McAfee Booth #N3801 (North Hall)
  • McAfee Skyhigh Booth #S1301 (South Hall)

Follow the floor decals between our two booths in the Expo Halls.

McAfee Skyhigh bowling at hipster hangout!

In a private event on Tuesday evening, April 17th, McAfee and our partners will host a full buy-out networking event at the cool boutique bowling alley Mission Bowling in San Francisco’s edgy Mission District neighborhood. This is a private event targeted at security professionals who want to network with their peers and strike up conversations on everything cloud-related, sparing no one but staying out of the gutter. The event will have a hosted bar, raffle, gourmet food, and giveaways. Request an Invite for the April 17th evening event and learn more about McAfee Skyhigh’s RSA events.

More information on the RSA conference here.

The post A Guide to McAfee at RSA 2018 appeared first on McAfee Blogs.

Building a Sustainable Model for Cybersecurity Talent

Depending on whose study you believe, there is going to be a shortage of 1.5 million or more cybersecurity professionals in 2020. As McAfee re-emerged from Intel as an independent company, we have stood up our own fusion of converged physical and security operations center (SOC) functions in the past nine months. We have been very mindful of both the problem and the opportunity.

Working on building out our SOC capabilities, we’ve needed to hire analysts, advanced threat researchers, and engineers in short order. Then there has been the need to standardize the knowledge and approach to managing cyber threats for one of the world’s leading cybersecurity software companies.

So we have gone through a fairly intense period of training. Everyone has received 80 hours of online training, 40 hours of classroom training, and 40 hours of on-the-job training. We have also hired SOC staff from within our own professional service, engineering teams, and sales engineers.

But all of this can be undone quickly by the pressures of working in an intense, demanding 24/7 environment and by other companies making our people offers that they can’t refuse. McAfee just published a new study on this never-ending challenge, Winning the Game.

In this study of 950 cybersecurity professionals and managers in seven developed economy countries across the globe, we found that there are three clear factors with which organizations can win the game when it comes to cybersecurity. These are:

  • Happy workers
  • Automation
  • Playing more games

In organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours).

Similarly, automation is also a positive indicator for the ability of an organization to attract and retain top talent. Nearly one-third of respondents cite the opportunity to work with new technology such as automation, machine learning, and AI as a key factor that would attract them to a job and influence their decision to move.

And, there is a correlation between the use of gamification and happier cybersecurity staff. More than half (54 percent) of respondents who are extremely satisfied in their roles say they use “capture the flag” gaming once or more a year, compared to just 14 percent of those employees who are dissatisfied in their roles. (At McAfee, we run table-top exercises every two weeks, and red team exercises monthly.)

So what does this say for building a model for talent development and management that is sustainable for now and for the future?

I think of the staffing challenge as a series of waves that are constantly churning one upon the other. To ride these waves, we need to design talent programs that are nimble at inception.

At the beginning, we build strong teams with interns and new hires, focusing on investing in strategic talent. The objective is to invest in talent so the entire organization can be successful: IT, Engineering, SE, Sales and Support. Hopefully, some will stay in the company. This helps us to strengthen the enterprise by creating more security-aware teams, instilling a security culture that will carry across the business.

But it’s the middle range that is the challenge. As people become more skilled, they become more marketable, and turnover increases. To use a sports analogy: It’s easy to draft rookies. It’s easy to hold onto longtime veterans. It’s hard to keep free agents in a hot market. If you don’t have mid-level free agents, you have to either ask the rookies to play above their experience, or ask the veterans to do their old jobs. To mitigate the churn, we need to invest in talent we identify as strategic, knowing that some of them will go to other firms.

And from a talent management perspective, I think that it is vital to nurture the natural interests and passions that team members possess. We support this natural development process by providing assigned mentoring, outside reading, and outside vendor training. We encourage gaming, creative problem solving, curiosity, and collaboration. Additionally, everyone in the SOC is being required to develop specializations. This encourages a diverse domain of skills and expertise, which is vital to developing a sustainable model for security operations that can adapt as the threat landscape evolves.

As a chief information security officer, I think you have to recognize that this is always going to be an evolving, never-ending adaptation to meet the changing threat landscape and the dynamic flow of people in your organization. Cybersecurity isn’t just an industry; it’s a robust, active ecosystem. The threat landscape never stands still, and neither does the workforce.

A great summation of this comes from Bill Woods, our Director of Information Security for our converged physical and cyber security operations.

“You have to accept the fact that you are never going to have impenetrable systems. It’s always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you. It’s always going to be a battle. But that is what keeps the job interesting.”

You can look for Grant Bourzikas on Twitter and LinkedIn. To learn more about how McAfee is growing the cybersecurity innovation pipeline and addressing talent management, be sure to attend the session, “Building the Cybersecurity Innovation Pipeline,” presented by Grant Bourzikas, CISO and VP of McAfee Labs Operations, and Chatelle Lynch, Chief Human Resources Officer, at RSA 2018, April 17 in San Francisco, CA.

The post Building a Sustainable Model for Cybersecurity Talent appeared first on McAfee Blogs.

How the Rubber Meets the Road in Human-Machine Teaming

Everywhere you turn today, machine learning and artificial intelligence are being hyped as both a menace to and the savior of the human race. This is perhaps especially true in cybersecurity.

What these alluring terms usually mean is simply related to detailed statistical comparisons derived from massive data collections. Let’s look at the terms themselves:

  • Machine Learning describes algorithms that can statistically compare patterns and similarities in a set of data and provide useful information without being explicitly programmed to do so.
  • Artificial Intelligence describes programs that go a step further, taking the useful information from machine learning and applying it directly to a pain area to mimic reason and problem-solving and make decisions automatically.
  • Human-Machine Teaming, which our CTO Steve Grobman urges for cybersecurity, describes automating more of the important but routine security tasks so that they need no explicit human thought or action, to such an extent that it frees people to perform strategic analysis and problem-solving.

At McAfee we are urging our customers to take a long and comprehensive view of human-machine teaming that looks beyond the current, cool-factor buzz. You can make it real, make it practical, and make it scalable, but what does that look like? I recently gave an analogy that can help business people understand this topic in a white paper called “Driving Toward a Better Understanding of Machine Learning.” You can download it here.

As a metaphor representing malware threats, I introduced the concept of malicious autonomous cars: self-driving cars that have been programmed to do bad things. For example, posing as taxis, malicious autonomous cars could trick and kidnap people. (Much the way ransomware could masquerade as an email attachment, then “kidnap” your critical user files, and demand payment.)

The machines are learning, and to stay secure we must learn as well. Let’s do it together.

The post How the Rubber Meets the Road in Human-Machine Teaming appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day

At one point in my career, I was responsible for launching massive websites.  We’d talk about when and how we flip the switch to launch the new website.  At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it.  But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks?  It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won’t ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate.  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait.  Something often seems to happen in the doubter’s personal life that makes them get it – and big time.  Real examples:  Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day appeared first on McAfee Blogs.

Is Your SOC Caught in the Slow Lane?

Everybody’s got a device. And the data on that device is moving into the public cloud. Massive amounts of data.  In a world of massive amounts of data, who’s the traffic cop? The Security Operation Center (SOC).

But these days the daily flow of data traffic resembles a Formula One race car going full out, and some traffic monitors are a single cop on the beat.

Research shows this analogy is not far off: 25% of security events go unanalyzed. And 39% of cybersecurity organizations manually collect, process, and analyze external intelligence feeds.

Think about this. At the dawn of the Digital Century, more than a third of all companies are approaching cybersecurity manually.

This is not sustainable.

In short, there are simply not enough people to keep up with the security challenges. But it’s not a question of training or hiring more people. The idea is for humans to do less and machines to do more. Automating threat defense has many advantages: speed, the ability to learn, and the ability to collaborate with other solutions. The integration of data, analytics, and machine learning is the foundation of the advanced SOC.

For about a year now McAfee engineers have been developing a new architecture for an existing SIEM tool called McAfee© Enterprise Security Manager version 11 (“McAfee ESM 11”), which can serve as the foundation of a modern SOC.

As cybercriminals get smarter, the need for SOC operations to evolve becomes more important. McAfee ESM 11 can help customers transition their SOC from silos of isolated data and manual investigations to faster operations based on machine learning and behavioral analytics.

What makes ESM 11 different from other SIEM tools is its flexible architecture and scalability.

The open and scalable data bus architecture at the heart of McAfee ESM 11 shares huge volumes of raw, parsed and correlated events to allow threat hunters to easily search recent events, while reliably retaining and storing data for compliance and forensics.

The scalability of McAfee ESM 11 architecture allows for flexible horizontal expansion with high availability, giving organizations the ability to rapidly query billions of events. Additional McAfee ESM appliances or virtual machines can be added at any point to add ingestion, query performance, and redundancy.

ESM 11 also includes the ability to partner. An extensible and distributed design integrates with more than three dozen partners, hundreds of standardized data sources, and industry threat intelligence.

By deploying advanced analytics to quickly elevate key insights and context, analysts and members of a security team tasked with examining cyberthreats can focus their attention on high-value next tasks, like understanding a threat’s impact across the organization and what’s needed to respond.

This human-machine teaming, enabled by McAfee’s new and enhanced security operations solutions like McAfee Investigator, McAfee Behavioral Analytics, and McAfee Advanced Threat Defense, allows organizations to more efficiently collect, enrich and share data, turn security events into actionable insights and act to confidently detect and correct sophisticated threats faster. The strategy was outlined in my last SOC blog.

We’ve been testing these products together at the new McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. These facilities were built last year and are designed to support full visibility and global management of risks, in a simulated environment. The Security Fusion Centers give customers a blueprint for building out their own SOCs.

In short – we are revving up the SOC: critical facts in minutes, not hours. Highly tuned appliances collect, process, and correlate log events spanning multiple years with other data streams, including STIX-based threat intelligence feeds. And billions of events and flows are stored, with quick access to long-term event data to investigate attacks.

Let your security travel as fast as your data. And get your SOC out of the slow lane.

The post Is Your SOC Caught in the Slow Lane? appeared first on McAfee Blogs.

Separating the Signal from Noise

In security operations, we frequently talk about the difficulties in separating the signal from the noise to detect legitimate threats and disregard false alarms. Data overload is a common problem and triage becomes a critical skill to hone and develop.

As the chief information security officer (CISO) for McAfee, I am aware at multiple levels of the risks that come from a failure to focus on the right thing. If one of our security operations center (SOC) analysts fails to notice multiple login attempts by the same user from different countries in a short span of time, it could cost us both valuable company data and our reputation in the industry.
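The triage signal named above (one account logging in from different countries within a short span) can be checked mechanically. The following script is an added example, not McAfee code or the logic of any McAfee product: it parses a constructed authentication log, groups events by account, and flags consecutive logins from different countries closer together than a configurable window. The log format, field names and the 60-minute window are assumptions made for the example.

```python
"""Flag logins by one account from different countries within a short window.

All log lines and field names below are constructed for this example; they
do not represent a McAfee log format or product behaviour.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication events (not real data). Source IPs are
# from the RFC 5737 documentation ranges; countries are assumed to have been
# added upstream by a geolocation enrichment step.
SAMPLE_AUTH_LOG = """\
2018-03-06T09:00:00Z LOGIN user=alice src=203.0.113.5 country=US result=success
2018-03-06T09:20:00Z LOGIN user=alice src=198.51.100.7 country=DE result=success
2018-03-06T09:25:00Z LOGIN user=bob src=203.0.113.9 country=US result=success
2018-03-06T09:30:00Z LOGIN user=carol src=198.51.100.20 country=FR result=failure
2018-03-06T09:31:00Z LOGIN user=carol src=203.0.113.44 country=US result=failure
2018-03-06T12:00:00Z LOGIN user=bob src=198.51.100.3 country=GB result=success
this line is malformed and must be skipped
"""

# Assumed line layout: ISO-8601 UTC timestamp, account, source IP,
# two-letter country code, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_auth_log(text):
    """Return a list of event dicts, skipping lines that do not match the layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: not our signal
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def detect_impossible_travel(events, window_minutes=60, include_failures=True):
    """Return alerts for consecutive logins by one user from different
    countries that are no more than window_minutes apart.

    Each alert is (user, earlier_country, later_country, minutes_apart).
    Failed attempts are included by default: credential guessing that hops
    countries is worth an analyst's look even when no login succeeded.
    """
    by_user = defaultdict(list)
    for ev in events:
        if not include_failures and ev["result"] != "success":
            continue
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # log lines may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] == cur["country"]:
                continue
            minutes = (cur["ts"] - prev["ts"]).total_seconds() / 60
            if minutes <= window_minutes:
                alerts.append((user, prev["country"], cur["country"], int(minutes)))
    return alerts


if __name__ == "__main__":
    # alice (US -> DE in 20 min) and carol (FR -> US in 1 min) are flagged;
    # bob's US -> GB logins are 155 minutes apart and fall outside the window.
    for alert in detect_impossible_travel(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("ALERT %s: %s -> %s within %d min" % alert)
```

Widening the window or dropping failed attempts changes which accounts surface, which is the tuning an analyst performs to keep this signal above the noise.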

For these reasons, McAfee announced major enhancements today to our security operations portfolio in our security information and event management (SIEM) and Security Analytics product lines – enhancements that the McAfee Information Security team I am proud to lead helped to road-test. We also announced that our state-of-the-art converged physical and cyber Security Fusion Centers are now fully operational in Plano, Texas, USA and Cork, Ireland – less than a year after we emerged from Intel as a standalone company.

The big deal for the McAfee Security Fusion Centers is that they have a dual mission: 1) to protect McAfee, and; 2) help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems.

For Job 1, protect the enterprise, we believe in the primacy of fundamentals. We use the National Institute of Standards and Technology (NIST) cybersecurity framework, as well as the Factor Analysis of Information Risk (FAIR) method to quantify our risk posture, and continually manage for the framework’s core functions of Identify, Protect, Detect, Respond, and Recover. It’s critical that we understand what is happening in our environment and that is why we chose to converge our physical and cybersecurity functions into one operations center – a Security Fusion Center. We need to collect data across all aspects of our operating environment. Without that ability, we are flying blind.

Next, we focus on being able to answer a series of vital questions that help us complete the identification functions. We ask:

  1. What is on the network and how are our networks accessible? We must be able to identify our assets. That visibility into what is connected to us is critical. We use tools like Rapid7 Nexpose, McAfee Rogue System Detection, and network access control (NAC) to constantly monitor the network to tell us what is connected to us.
  2. How are we managing access to vital systems and stores of data? We decided from the beginning that we could not take access to information assets for granted. At McAfee, there is no implicit right of access – only explicit privilege. In this age of bring-your-own-device (BYOD), we have set up two-factor authentication when accessing the McAfee network. If your role requires access to sensitive information, “need to know” access is applied, and employees must comply with other access control mechanisms like separation of duties, least privilege, and information management.
  3. Where are the vulnerabilities? We need to evaluate risk across our environment from device to cloud. This means more than just audits and vulnerability management. We had to design our systems so that they would be scalable and support our incident response functions like patch management and counter measures in a prioritized manner. We especially rely on McAfee ePO for visibility across on- and off-premises devices.
  4. How is the data protected? This is a matter of understanding where are the crown jewels of our data and what are the risks for exfiltration. It’s vital to set up policies in a very prioritized and strategic manner. Data loss prevention requires thinking through the data, the applications and the users.
  5. How are we doing against the basics? While it is great to have next generation toolsets, it is often the basics that most organizations miss that cause compromises. For example, we are constantly focused on basics like security architecture, access and authentication control, device configuration and baselines, operating system and third-party patch levels, security awareness training, and table-top exercises.  Even at McAfee with the entire product portfolio, we are diligent about instilling the basics across our security operations.
  6. Finally, what signals do we focus on? We need context and insight to answer this. This requires a place where all the data can be collected, enriched and shared. We have been using McAfee Enterprise Security Manager 11.0, which was announced today, for some time now. The open data bus architecture enables our SIEM to ingest a high volume of data, scaling to billions of events, and then enrich that raw data nearly immediately, turning noise into insights. We also appreciate that this architecture allows the SIEM to intelligently share data to any appropriate appliance, application, or data store. This is an evolved security operations infrastructure – it’s a mix of a SIEM platform with User Entity Behavior Analytics (UEBA) and threat investigation, using McAfee Behavioral Analytics (MBA) and McAfee Investigator. Our Security Fusion Centers are the first places where all those pieces will be present and working together.

As for Job #2, helping McAfee build better products, by now you can see how we are living out a commitment to be Customer Zero for McAfee. Going forward, we are going to be the first organization to use McAfee’s new products. But we are doing that in a way that will help our customers implement better, faster and more smoothly before they have even seen the product. We’re working out the bugs and we’re working on feature requests with our Product Management and Engineering teams.

This helps us to be better, more innovative, and to solve cybersecurity challenges. It is meant to be a very tight collaboration – a place to try out our products in the real-world. We’re going to get there through collaboration.  From our learnings in the first year, we have observed that diversity is the single most important factor in developing a world class organization.  Diversity of thought challenges typical thinking and results in better outcomes.

In fact, collaboration is personally my number one thing. I wanted to work with the smartest people in the world. I will acknowledge that I am not the smartest person in the room. Somebody is going to know more about security than I do. Embracing that and bringing that all together will make us all stronger and better at our jobs. And that is what we mean when we say, “Together is Power.”

As for my personal third goal, helping all of you to be better, too, that’s why I’m sharing here. We’ll continue this dialogue about how McAfee is protecting itself and, in the process, learning more about helping you with another blog post soon. I’ll be sharing the byline with my colleague, Jason Rolleston, Vice President for Security Intelligence & Analytics.

Let me know what signals you are focused on and how we can help solve problems together.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.


The post Separating the Signal from Noise appeared first on McAfee Blogs.

Economic Impact of Cybercrime: Why Cyber Espionage isn’t Just the Military’s Problem

In a technology-driven age, entrepreneurs, organizations, and nations succeed or fail in large part based on how effectively they develop, implement, and protect technology. One of the most notable aspects of “The Economic Impact of Cybercrime” report released recently is the prominence of cyber espionage, the cyber-theft of intellectual property (IP) and business confidential information. The report from the Center for Strategic and International Studies (CSIS) and McAfee estimates that the cost of cybercrime to the global economy is around $600 billion annually, or 0.8% of global GDP, and cyber espionage accounts for 25% of that damage, more than any other category of cybercrime. Furthermore, the report argues that “Internet connectivity has opened a vast terrain for cybercrime, and IP theft goes well beyond traditional areas of interest to governments, such as military technologies.”

When we think of cyber espionage, we tend to think of events such as the Chinese military’s theft of the F-35 joint strike fighter’s blueprints from U.S. corporations. Last month, the Associated Press reported a similar event where Russian hackers attacked several U.S. corporations attempting to steal drone technologies used by the U.S. military.

But there are also cases such as the 2009 Operation Aurora attacks, in which nation-state hackers allegedly tied to China’s People’s Liberation Army sought to steal IP and business confidential information from IT, chemical, web services, and manufacturing firms as well as military contractors. There is also the example of the 2004 Nortel Networks cyber-attacks that allegedly compromised IP later used to strengthen the market position of Chinese telecommunications giant Huawei.

Such examples suggest that nation states are seeking to steal IP not only to enhance their military strength, but also to achieve technological leadership throughout the rest of their economies without the investments, human talent, or other foundational elements associated with technical innovation.

Put simply, cyber espionage isn’t just the U.S. military’s problem. Organizations beyond military contractors should assume they could become targets of such cybercrimes.

If enough of a profit motive is there, it’s wise to assume that the hacking expertise and tools to steal IP are within your would-be attackers’ reach. Furthermore, it’s wise to assume that the beneficiaries of commercial cyber espionage are capable of copying your compromised product designs and building them into their own products, just as Chinese government engineers had integrated stolen F-35 design features into China’s J-20 stealth fighter.

The cyber theft of such IP could result in lost market share and revenues for corporations. Such theft could smother a nation’s most promising new startups in their Series A cradles, or drive its most innovative mid-sized companies out of business, erasing wealth and jobs in the process.

The CSIS report identified three key cyber espionage challenges facing organizations and nations today.

Challenges of Detection

Cyber espionage maintains a lower profile than critical infrastructure attacks, ransomware, mega-consumer data hacks, identity theft and fraud, and other threats, in part because there’s no incentive to report cyber espionage incidents. Victimized companies don’t wish to report them, if indeed they ever become aware of them. The attackers don’t wish to alert their victims or the public to their crimes. Victim organizations still own the compromised IP or business confidential information and could easily attribute declines in market share and revenue to any number of tactical and strategic moves on the part of competitors. Unsurprisingly, such incidents go undiscovered and underreported.

Challenges of Attribution

As in every other area of cybersecurity, the difficulty of attribution makes the policing of cyber espionage complicated if not near impossible. Attacks of this nature are sophisticated and designed to obscure the identity of the actors behind them. Governments are in the best position to determine attribution because they can combine the analysis of technical cyber-attack forensics with analysis of traditional intelligence to identify actors. But holding adversaries accountable isn’t easy given the nature of the required inputs and analysis that enable attribution.

For instance, the U.S. government has accused Chinese hackers associated with the People’s Liberation Army (PLA) of being responsible for half of the cyberespionage activity targeting U.S. “IP and commercially valuable information,” and claimed that this activity had inflicted $20 billion in economic damage by 2014.

But the evidence used to make such attribution determinations is not easily exposed without revealing the means and methods by which cyber threat researchers and government agencies came by it.

Challenges of Definition

The CSIS report revisits the 2015 Barack Obama-Xi Jinping Summit, where the leaders of the U.S. and China agreed that their intelligence communities would cease to conduct “commercial espionage,” while allowing each nation to engage in military-related espionage appropriate to their respective national security interests. The nations comprising the world’s 20 largest economies agreed to a similar “no-commercial espionage” pledge later that year.

Any such agreement obviously requires accountability mechanisms to have an impact. But it also requires that the nations agree to specific and consistent definitions of what constitutes commercial versus military espionage.

CSIS notes that the evidence is mixed as to whether the Chinese government has slowed commercial espionage in accordance with the 2015 agreement.  But the think tank notes that despite high level dialogues and pledges between nations, officials from multiple countries maintain that commercial IP theft continues unabated.

Last month’s Worldwide Threat Assessment of the U.S. Intelligence Community confirmed that China and other nation-state actors are continuing to use cyber-attacks to “acquire U.S. intellectual property and proprietary information to advance their own economic and national security objectives.”

The assessment goes so far as to suggest that because the disruptive technologies of the 21st century are being developed by public and private competitors around the world, any significant loss of U.S. IP in pivotal areas—artificial intelligence, 5G networking, 3D printing, nano-materials, quantum computing, biotech, and advanced robotics—could ultimately weaken U.S. military and economic power, and result in a loss of national competitiveness in the global marketplace, as well as on the battlefield.

Preventing the Theft of our Future

At its most basic level, the theft of IP and business confidential information is a theft of the future. It’s a theft of future national security, future business for companies, future wealth for a nation’s communities, and future high paying jobs and standards of living for a nation’s citizens.

Because technologies don’t fit neatly within civilian and military sector silos, particularly throughout their lifecycles, it’s important for organizations to take cyber espionage seriously. Even beyond technology providers, any organization producing anything of great value should consider that such value is also valuable to others, and remember that anything of great value must be protected.

Please go here for more information on the report’s assessments.

The post Economic Impact of Cybercrime: Why Cyber Espionage isn’t Just the Military’s Problem appeared first on McAfee Blogs.

EDR – Not just for Large Enterprises?

When you think of Endpoint Detection and Response (EDR) tools, do you envision a CSI-style crime lab with dozens of monitors and people with eagle-eye views of what their users and defenses are doing? For many, the idea of EDR seems like something for “the big players” with teams of highly trained people. This impression is based on the historical products and presentations of these tools in days gone by; however, it’s no longer true.

What Changed?

For starters, threats changed, and with them the need to investigate them to prevent a repeat of an outbreak or breach. To put it simply, malware and attack methods became smarter, and stopping them became much more difficult. Threats don’t always look like threats anymore. The same type of attack might arrive through the web or email, as a different file type with a different name, but with the same intent: avoid detection and compromise your endpoints.

Defenses have evolved as well, but as part of that growth another problem grew with it. More defenses means more reports, alerts and places to go to investigate and then remediate a threat. Economically, most organizations have not put more staff into the mix alongside this change. The “do more with less” mantra hasn’t left the minds of many, and the result is too many security practitioners drowning in noise and overwhelmed with management tools and data. Perhaps that’s why so many resort to simply re-imaging a machine instead of investigating or remediating a threat. It seems easier (and it probably is) for many. See our infographic ‘A Return to Endpoint Protection Platforms’ for more on how the use of disparate point tools increases operational complexity.

Lastly, the need to do things differently became clear. The latest Gartner Market Guide for Endpoint Detection and Response shows a strong shift in the number of organizations that now consider EDR a need and plan to invest in it. Security practitioners are shifting gears as the nature of threats changes and as the need grows to know how threats arrived, what they attempted to do, and where else they may have attempted entry.

It Doesn’t Have to Take a Village Anymore

Something else changed as the landscape evolved – EDR solutions became easier and simpler to work with. EDR is no longer a tool that requires a dozen people or a Security Operations Center (SOC). Dashboard-style management with prioritized, at-a-glance data has replaced lengthy reports and overwhelming alert volume. More integrated approaches have also cut down manual processes, replacing them with automated responses and automatic contextual insights. This also cuts complexity when delivered as part of an Endpoint Protection Platform (EPP). For more details, watch a video on the role of EDR and Machine Learning and the Return to Endpoint Protection Platform Suites.

It no longer requires extensive training or expertise to use and realize value from EDR solutions. Security Practitioners can now simply log in, click to the heart of a threat and remediate it in a short period of time. Remediation can happen in as little as one click and setting traps, triggers and responses for future threats takes only a few minutes.

McAfee offers an integrated EDR solution that gives prioritized data and alerts with a dashboard view of your environment and makes it easy to click to the eye of a threat in seconds. One of our customers was able to go from using spreadsheets and manual processes to getting data in seconds.

If you’re ready to see how easy and effective EDR can be, check out this video below to see a Metasploit attack halted with a straightforward investigation.

The post EDR – Not just for Large Enterprises? appeared first on McAfee Blogs.

Security is not a buzz-word business model, but our cumulative effort

This article conveys my personal opinion towards security and its underlying revenue model; I would recommend reading it with a pinch of salt (+ tequila, while we are on it). I shall be covering either side of the coin: the heads, where pentesters try to give you a heads-up on underlying issues, and the tails, where businesses still think they can address security at the tail-end of their development.

A recent conversation with a friend who's in information security triggered me to address the white elephant in the room. He works in a security services firm that provides intelligence feeds and alerts to clients. He shared a case where his firm didn't share the right feed at the right time, even though the client was "vulnerable", because the client's subscription model was different. I understand business is essential, but on the contrary, isn't security a collective argument? I mean, tomorrow when this client gets attacked, are you just going to turn a blind eye because it didn't pay you well? I understand that remediation always costs money (or more effort), but withholding an alert to a client about some attack you witnessed in the wild based on how much money they are paying you is hard to defend.

I don't dream about the utopian world where security is obvious but we surely can walk in that direction.

What is security to a business?

Is it a domain, a pillar or, with the buzz these days, insurance? Information security and privacy, while being the talk of the town, still come in where the business requirements end. I understand there is a paradigm shift to the left, a movement towards the inception of your "bright idea", but we are still far from an ideal world, the utopia so to speak! I have experienced it from either side of the table: the one where we put ourselves in the shoes of hackers, and the contrary where we hold hands with the developers to understand their pain points and work together to build a secure ecosystem. I would say it's been very few times that business pays attention to "security" from day zero (yeah, this tells you the kind of clients I am dealing with and why we are in business). Often business owners say: develop this application based on these requirements, discuss the revenue model and maintenance costs, and yeah! Check if we need these security add-ons, or whether we adhere to compliance checks, as no one wants auditors knocking at the door for all the wrong reasons.

This troubles me. Why don't we understand information security as a pillar as important as your whole revenue model?

How is security as a business?

I have many issues with how "security" is being tossed around as a buzz-word to earn dollars, while very few respect the gravity or the very objective of its existence. I mean, whether it's information, financial, or life security, they all have very realistic and quantifiable effects on someone's physical well-being. Every month, I see tens (if not hundreds) of reports and advisories where the quality is embarrassingly bad. When you dig for the reasons, either the "good" firms are costly, or someone has a comfort zone with existing firms, or, worst of all, the business neither cares nor pressures firms for better quality. I mean, at the end it's just a plain and straightforward business transaction, or a compliance check to make the auditor happy.

Have you ever asked yourself these questions?

  1. You did a pentest justifying the money paid for your quality; tomorrow that hospital gets hacked, or patients die. Would you say you didn't put in your best consultants/efforts because they were too expensive for the cause? That you didn't walk the extra mile because the budgeted hours were finished?
  2. Now, to you, Mr Business, CEO: you want to cut costs on security because you would prefer a more prominent advertisement or a better car in your garage, and security expenditure is dubious to you. Next time, check how much companies and businesses have lost after getting breached. I mean, just because it's not an urgent problem doesn't mean it can't be. If it becomes a problem, chances are it's too late. These issues are like symptoms; if you see them, you already are in trouble! Security doesn't always have an immediate ROI, I understand, but don't make it the epitome of "out of sight, out of mind". That's a significant risk you are taking with your revenue, employees or customers.

Now, while I have touched both sides of the problem in this short article, I hope you got the message (fingers crossed). Please do take security seriously, and not only as your business transaction! Every time you do something that involves security on either side, think: you invest your next big crypto-currency in an exchange/market that gets hacked because of their lack of due diligence? Or your medical records become public because someone didn't perform a good pen-test. Or you lose your savings because your bank didn't do a thorough "security" check of its infrastructure. If you think you are untouchable because of your home router security, you, my friend, are living in an illusion. And, my final rant to the firms where there are good consultants but the reporting, or the seriousness in delivering the message to the business, is so fcuking messed up that all their efforts go in vain: take your deliverable seriously; it's the only window the business has to peep into the issues (existing or foreseen) and plan the remediation in time.

That's all, my friends. Stay safe and be responsible; security is a cumulative effort and everyone has to be vigilant, because you never know where the next cyber-attack will be.