Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes. Attackers are using the noise of ransomware to … More
53% of CISOs and CSOs in the UK&I reported that their organization suffered at least one significant cyberattack in 2020, with 14% experiencing multiple attacks, a Proofpoint survey reveals. This trend is not set to slow down, with 64% expressing concern that their organization is at risk of an attack in 2021. Those in larger organizations feel at greater threat, with this figure jumping to 89% amongst CSOs and CISOs from organizations over 2,500 employees … More
The post Most CISOs believe that human error is the biggest risk for their organization appeared first on Help Net Security.
By Dana Mitchell, Director, Cybersecurity Solutions Group, Microsoft Canada. Digital transformation, cloud computing and a sophisticated threat landscape are forcing everyone to rethink the roles that each individual within an organization has in defending against cyber threats. With billions of people around the globe working from home, changes to the daily practice of cybersecurity are…
The post Security is everyone’s priority first appeared on IT World Canada.
The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.
In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.
- Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices in their identity and access solution, only a minority have moved on to more advanced controls that use automation and AI-based threat analysis.
- Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
- Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. Surprisingly, however, the majority of IT leaders do not rate identities as the most mature component of their Zero Trust strategy.
- Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.
If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.
In the aftermath of the SolarWinds hack, a better understanding of third-party hacks in any update that you provide to your colleagues, bosses, and even the board of directors may be warranted. Any such update that you provide on SolarWinds should certainly cover whether or not your organization is one of the 300,000 SolarWinds customers and whether or not you were one of the 18,000 or so that were using the specific version of Orion … More
The post Understanding third-party hacks in the aftermath of the SolarWinds breach appeared first on Help Net Security.
The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.
Data explosion and regulatory environment
As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.
Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.
Manage compliance challenges
According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.
Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.
- Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
- Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
- Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
- Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.
Simplify compliance with Microsoft Compliance Manager
Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:
- Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
- Workflow functionality to help you efficiently complete risk assessments.
- Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
- Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.
Organizations running their workloads only on-premises are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services such as Microsoft 365, that responsibility is shared between your organization and the cloud provider, although your organization remains ultimately responsible for the security and compliance of its own data.
Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.
Figure 1: Shared responsibility model
Apply a shared responsibility model
Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST SP 800-53 control catalog as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500-plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that with an organization running 100 percent on-premises, which would need to implement and maintain all the NIST SP 800-53 controls on its own. The time and cost savings of managing your IT portfolio under the shared responsibility model can be substantial.
Figure 2: NIST examples of shared responsibilities
Assess your compliance with a compliance score
Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action affects your compliance score depends on the relative risk it represents. Points are assigned according to the action’s risk level, which is determined by a combination of the following action characteristics:
- Mandatory or discretionary.
- Preventative, detective, or corrective.
Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.
The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.
Figure 3: Compliance Score from Microsoft Compliance Manager
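To make the scoring mechanics concrete, the following is an added toy model of a risk-weighted compliance score. It is not Compliance Manager’s code, and the point values per risk category, the sample actions and the solution names are all assumptions made for this example (the page gives the characteristics that drive the weighting but not the product’s actual point values). Provider-managed actions are counted as already achieved, which is why the constructed assessment scores 75 percent before the customer has earned a single point, mirroring Figure 3; marking one customer action done or filtering to a single solution recalculates the score.

```python
"""Toy risk-weighted compliance score (added example; not Compliance Manager's code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# ASSUMED point values for this example only. The ordering follows the text:
# mandatory outweighs discretionary, preventative outweighs detective/corrective.
POINT_VALUES = {
    ("mandatory", "preventative"): 27,
    ("mandatory", "detective"): 3,
    ("mandatory", "corrective"): 3,
    ("discretionary", "preventative"): 9,
    ("discretionary", "detective"): 1,
    ("discretionary", "corrective"): 1,
}


@dataclass
class Action:
    name: str
    owner: str          # "microsoft" (provider-managed) or "customer"
    obligation: str     # "mandatory" or "discretionary"
    control_type: str   # "preventative", "detective" or "corrective"
    solution: str       # solution the action belongs to; used for filtered views
    implemented: bool = False

    def __post_init__(self) -> None:
        if (self.obligation, self.control_type) not in POINT_VALUES:
            raise ValueError(f"unknown risk characteristics for {self.name!r}")

    @property
    def points(self) -> int:
        return POINT_VALUES[(self.obligation, self.control_type)]


def compliance_score(actions: Iterable[Action], solution: Optional[str] = None) -> dict:
    """Return the points breakdown and percentage score, optionally for one solution."""
    scoped = [a for a in actions if solution is None or a.solution == solution]
    max_points = sum(a.points for a in scoped)
    # Provider-managed actions count as achieved: the provider has already implemented them.
    provider_points = sum(a.points for a in scoped if a.owner == "microsoft")
    your_points = sum(a.points for a in scoped if a.owner == "customer" and a.implemented)
    achieved = provider_points + your_points
    pct = round(100.0 * achieved / max_points, 1) if max_points else 0.0
    return {"max_points": max_points, "your_points": your_points,
            "provider_points": provider_points, "score_pct": pct}


def mark_implemented(actions: list, name: str) -> dict:
    """Mark a customer-owned action as done and return the recalculated overall score."""
    for a in actions:
        if a.name == name:
            if a.owner != "customer":
                raise ValueError(f"{name!r} is provider-managed; nothing for the customer to do")
            a.implemented = True
            break
    else:
        raise KeyError(name)
    return compliance_score(actions)


# Constructed sample assessment (hypothetical actions): four provider-managed, four customer-owned.
SAMPLE_ACTIONS = [
    Action("Encrypt customer data at rest", "microsoft", "mandatory", "preventative", "Service infrastructure"),
    Action("Physical access control to datacenters", "microsoft", "mandatory", "preventative", "Service infrastructure"),
    Action("Segment the service network", "microsoft", "discretionary", "preventative", "Service infrastructure"),
    Action("Monitor datacenters for intrusion", "microsoft", "mandatory", "detective", "Service infrastructure"),
    Action("Require MFA for administrators", "customer", "discretionary", "preventative", "Azure AD"),
    Action("Configure a DLP policy for financial data", "customer", "discretionary", "preventative", "Microsoft 365 DLP"),
    Action("Review the audit log weekly", "customer", "mandatory", "detective", "Audit"),
    Action("Test the mailbox restore procedure", "customer", "discretionary", "corrective", "Exchange Online"),
]


def sample_scores() -> tuple:
    """Initial score, score after one customer action, and the Azure AD-only filtered view."""
    actions = [Action(**vars(a)) for a in SAMPLE_ACTIONS]  # work on a fresh copy
    before = compliance_score(actions)                       # 0 customer points, yet 75.0 %
    after = mark_implemented(actions, "Require MFA for administrators")
    only_aad = compliance_score(actions, solution="Azure AD")
    return before, after, only_aad


if __name__ == "__main__":
    for label, score in zip(("initial", "after MFA", "Azure AD only"), sample_scores()):
        print(f"{label}: {score}")
```

The takeaway a practitioner should check in their own tenant is the same one the model makes visible: the percentage is dominated by high-weight mandatory preventative actions, so a few cheap detective or corrective actions move the score very little, and the provider’s share of the score is not something you can lose, only something you can fail to build on.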
For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.
This is an important question for employers, recruiters, seasoned security professionals, and especially for those planning a cybersecurity career. The Information Security Careers Network (ISCN) recently surveyed its LinkedIn community of over 90,000 members about the 50 leading cybersecurity industry certifications and courses. The results have been compiled into the following top ten list of the most desired cybersecurity certifications in 2021.
Cybersecurity Certifications in High Demand by Employers
10. SANS Penetration Testing Courses
The selection of penetration testing courses and certifications offered by the SANS Institute is well regarded for helping beginners and experts alike to increase their technical cybersecurity expertise and pay grades. The SANS/GIAC Penetration Tester (GPEN)
9. Cybersecurity or Information Security University Degree
- Architectural Concepts and Design Requirements
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Legal and Compliance
Increasing in popularity in recent years is the Certified Chief Information Security Officer (CCISO) by the EC-Council, which is suitable for those seeking to be promoted into senior managerial, leadership, and executive-level positions. 33% of cybersecurity professionals stated that this course is one of the best for equipping participants to succeed in managerial positions.
- Governance and Risk Management
- Information Security Controls, Compliance, and Audit Management
- Security Program Management and Operations
- Information Security Core Competencies
- Strategic Planning, Finance, Procurement, Vendor Management
- Information Security Governance (24%)
- Information Risk Management (30%)
- Information Security Program Development and Management (27%)
- Information Security Incident Management (19%)
The Offensive Security Certified Professional (OSCP) course was ranked highly in the survey results. Cybersecurity professionals said it has strong relevance to the ‘real world’, and ranked the OSCP qualification second in terms of how much it was ‘in demand’ by employers.
1. Certified Information Systems Security Professional (CISSP) by (ISC)²
- Security and Risk Management (15%)
- Asset Security (10%)
- Security Architecture and Engineering (13%)
- Communication and Network Security (13%)
- Identity and Access Management (IAM) (13%)
- Security Assessment and Testing (12%)
- Security Operations (13%)
- Software Development Security (11%)
The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long term and hold out the prospect of working from home on a permanent basis. More than 60 percent of companies are trying the same and implemented home office policies in 2020. But with great flexibility comes great responsibility: everyone responsible for cybersecurity and a secure IT infrastructure now faces new challenges in closing the last gaps and weak points around access to company resources. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, the specialist for secure identity and access management (IAM), authentication and authorization, outlines the top three issues CISOs have to look out for:
1. The Problem with Insider Threats will only get Worse
With more and more people working from home, the use of personal devices and private networks keeps growing and further fuels the risk of insider threats. This does not come as a surprise. As early as 2018, Verizon’s Data Breach Investigations Report already recorded an increase in threats from “internal actors,” meaning employees who knowingly or unknowingly leaked data and other company information. According to the 2020 report, insiders were involved in a flabbergasting 30% of data breaches.
The case of Twitter in the summer of 2020 vividly illustrates the damage an insider threat can create. Attackers used social engineering against IT employees to gain access to internal systems. It is quite unlikely that any of Twitter’s employees acted with malicious intent, yet they became the tool for the attack. The result: although the account takeovers (ATOs) were used for fairly obvious scam posts, the attackers captured well over $100,000.
No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. Therefore, it can be assumed that the number of insider threats will increase by more than 20% in 2021.
2. Ransomware and Shadow IT are bound to become the CISO’s nightmare
Working from home arrived suddenly for most companies, pretty much overnight, and even now most corporations are not sufficiently prepared for the challenges that lie ahead. Unlike in the office, where the IT department can control the distribution of software on employee PCs reasonably reliably, the use of home networks and private devices opens up new attack vectors.
Employees often use third-party services, download free software, or use private cloud services as a workaround when corporate services are not available. The storage of documents and access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control it. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then spreads into corporate networks, encrypts data and extorts high ransoms. Gartner analysts already predicted a 700% increase back in 2017; the growth driven by the New Normal will dwarf those numbers and give CISOs many sleepless nights. Due to system and network vulnerabilities, misconfigurations, phishing, and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.
3. Mobile Devices Become a Favourite Target for Hackers
Developments such as multi-factor authentication (MFA) are improving the security of access to corporate services. On the flip side, they have put mobile devices in the crosshairs of attackers. As smartphones are now used for almost all online activities, the number of attack vectors has grown steadily along with them. In addition to malware, which is easily installed via third-party apps, especially on Android, and data manipulation or the exploitation of account recovery weaknesses (such as the interception of magic links or PIN text messages), social engineering is a particularly popular field here.
In addition to the widespread phishing e-mail, vishing (manipulation of employees by fictitious calls from IT staff) and smishing (which works similarly to phishing but uses SMS instead of e-mail) will increase sharply. Hackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.
2021: The Year We Abolish Trust
In a year in which we will have to learn a lot of things anew, CISOs are well advised not to build anything on trust, neither their network infrastructure nor their IAM. Zero-trust architectures that question every access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical address, an IP address, or VPN access is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity alone to the combined identity of the device and the user. Only this will enable modern and secure identity and access management.