Category Archives: Cloud Security

Cyber Security Businesses: Solving Challenges Through New Technologies

From everyday transactions to transport planning, as our world becomes more dependent on technology, cybersecurity risks are becoming more common, and more dangerous. 

Luckily, there’s a range of cybersecurity businesses and start-ups attempting to solve this issue through innovative new technologies.

We look at some recent projects and partnering opportunities tackling cybersecurity challenges. 

Antivirus Software From Japan
Established in 2007, a Japanese company has developed security software to detect unknown threats. They have developed a heuristic application consisting of five engines to detect malware and protect users.

These engines include;
  • Static analyses
  • Sandbox runs programs on a virtual environment
  • Dynamic analyses (monitors the behaviour of currently running programs)
  • Machine learnings
  • Vulnerability attack protection
The advantage of this technology is that it does not depend on pattern files. So far, the programs have detected several major threats and the engines are regularly updated with the latest research and information. In addition, the software requires no signature, a benefit for companies who do not wish to have their data drawn into the cloud.

The company has been very successful in Japan and are now looking to expand into European markets with the help of a partner. Their ideal partner would be an Original Equipment Manufacturer (OEM) company working in Internet Security.

Protecting Data, Assets and Brands Against Global Cyber Attacks
A German company has developed an automated platform to deal with global cybersecurity threats more efficiently.

The technology allows users to;
  • Benefit from ad-hoc assistance in emergencies
  • Simplify their security processes
  • Safely share threat information with a range of stakeholders and organisations
  • Contribute to a collaborative database
Some of the benefits of this platform include;
  • Automated incident response management
  • Real-time alerts
  • Data fusion on a large scale
  • Easy integration
  • Secure collaboration
  • Varied deployment models
  • Helps users understand and monitor threats worldwide
The company is now looking for help with the commercialisation of the business. They are seeking European or Asian partners to aid with sales, marketing and delivery.

Helping SMEs Improve Their Information Security
A British company has developed a bespoke service for SMEs, helping them to improve their security and technology solutions.

This service includes;
  • IT/cybersecurity
  • Privacy/ GDPR
  • Business continuity
  • Disaster recovery
  • Collaboration technologies
  • Blockchain/IoT/AI/Cloud computing
The company prides itself on strong face-to-face communication and their ability to tailor services to meet the needs of specific clients. They are currently looking to make commercial partnerships with businesses looking to improve their cybersecurity.

24/7 Security and Events Management
An Israeli company has developed a new solution to help organisations manage internal and external cyber threats. This real-time technology is available worldwide and offers a reliable, individualised service.

The service includes;
  • Risk assessments
  • Forensics
  • Compliance
  • A flexible pricing model
The advantage of a 24/7 security service is that users can speak to security specialists at any time, and alerts are handled in real-time.

The company is looking for commercial agents in the cybersecurity sector to expand their client base.

Enterprise Europe Network: Connecting Businesses and Partners Worldwide
Enterprise Europe Network (EEN) helps businesses, academia and research institutions connect, expand into new markets and transform ideas into marketable products.

Discover more cybersecurity businesses and partnership opportunities part of the EEN network for an insight into the future of online security.

Consolidate your Security in the Cloud with Cisco Umbrella

 

What makes a great partnership? Open communication and a passion for constant advancement are two important elements. Our customers have helped us continuously innovate, and together, we’re transforming how security is delivered. Over the past 12+ months, we embarked on a journey to take Cisco Umbrella to a new level.

DNS has always been at our core — starting as a recursive DNS service (OpenDNS) in 2006, then moving into the enterprise security space in 2012 with the release of Umbrella. Enforcing security at the DNS layer was something brand new at the time. People started to see how valuable it was to have a single view of all internet activity across every location, and it was an incredibly effective way to block threats at the earliest possible point (and who doesn’t love fewer alerts to investigate!?). Add in the fact that it’s delivered from the cloud and can be deployed enterprise-wide in minutes…you can start to see the appeal it has.

As we saw more applications and infrastructure move to the cloud, more people working off-network (and “forgetting” to turn on that pesky VPN), and the move to more direct internet access at remote offices, we heard more from our customers about what they needed from a security service. It wasn’t just about DNS-layer security — they often needed more. We’re excited to share that we’re now delivering more. Much more.

Now, Umbrella offers secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality — in addition to the DNS-layer security and threat intelligence from Investigate — all in a single, integrated cloud console. All of this is available in a new Umbrella package: Secure Internet Gateway Essentials.

By unifying multiple security services in the cloud, we are now able to offer our customers greater flexibility, sharper visibility, and consistent enforcement, everywhere your users work. The goal is simple ­– if we can simplify your security operations and reduce complexity, then you can reduce risk and accelerate secure cloud adoption.

Here are a few examples of innovations that we’re introducing as part of this:

Bye Security Silos, Hello Consolidation

It can be an overwhelming endeavor to help your organization transition to the cloud and secure direct internet access. It takes skill and a considerable amount of resources. How many office locations are you tasked with securing? We’ve heard loud and clear that it’s not sustainable for you to build a separate security stack in each location. By moving those core security services to a single cloud solution, you’ll be able to deploy the right level of security consistently across your organization. And you have the flexibility to deploy it as needed — you’re not forced to proxy everything or deploy in a specific way. For example, you could start with DNS for fast protection everywhere and leverage additional security services (secure web gateway, firewall, CASB, etc.) wherever you need them.

 

“I like the simplicity of Cisco Umbrella from a management perspective, but I also enjoy the complexity of the advanced layers of protection that Cisco Umbrella provides. This one product has truly transformed our ability to protect our entire workforce, regardless of location.” – Ryan Deppe, Network Operation Supervisor, Cianbro Corporation

 

Well-known Technology, Brand New Approach

IPSec tunnels have been around forever. But, we set out to do something different based on what we’ve heard from you. Cisco developed a new technology for IPSec tunnels that minimizes downtime and eliminates the need to build secondary tunnels with a patent-pending approach using Anycast technology for automated failover. A single IPsec tunnel can be deployed to send traffic to Umbrella from any network device, including SD-WAN. This integrated approach combined with Anycast routing can efficiently protect branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.

Real-time Detection of DNS Tunneling

Even though we’ve been a leader in DNS-layer security for years, we won’t rest on our laurels. We’re watching attacker tactics and quickly adjusting ours — DNS Tunneling is one example. DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic (i.e. HTTP) over port 53. There are legitimate reasons why you would use DNS tunneling, but attackers have been using it for data exfiltration and command and control callbacks. To better identify and stop this, we’ve added advanced detection capabilities, real-time heuristics, signature, and encoded data detection to Umbrella.

Deeper Web Control, Retrospective Alerts on Malicious Files

Our new secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities such as content filtering at the URL-level, blocking applications or app functions, HTTPS decryption (either for select sites or all), file inspection with Cisco Advanced Malware Protection and antivirus, sandboxing unknown files with Cisco Threat Grid, and retrospective alerts on files that subsequently display malicious behavior. Think about it — file behavior can change over time or could put mechanisms in place to evade initial detection. If a file is initially determined to be safe by Threat Grid and downloaded from the web, but later is deemed to be malicious, you can now see that in Umbrella.

All of these Umbrella enhancements are designed to help your organization accelerate cloud adoption with confidence — you need assurance that your users will be secure wherever they connect to the internet and that’s exactly what we’re focused on delivering for you. If you want to learn more, join our Security Virtual Summit on November 12th and check out Jeff Reed’s blog to hear about other Cisco Security innovations.

The post Consolidate your Security in the Cloud with Cisco Umbrella appeared first on Cisco Blogs.

Securing Your Future by Innovating Today

At a time when cybercrime costs three times more than natural disasters globally1, the demands on security are constantly growing. Whether you’re asked to protect a workforce that roams anywhere, a workplace that is digitized, or workloads that run wherever, your disparate security solutions are creating discord and an untenable level of complexity.

At Cisco, we’ve been on a quest to change that, and we believe we’re uniquely positioned to redefine security. As you’re innovating to build your future, we’re innovating to keep it secure — by creating a comprehensive platform approach and continuously evolving our security technologies.

That’s why I’m excited today to share some of the recent innovations across our security portfolio. With a cloud-powered platform approach in mind, these enhancements are designed to break down silos between SecOps, NetOps, and ITOps and free up your time by:

  • Simplifying your firewalling experience with more consistent policy management with cloud-native environments and cloud-based logging.
  • Accelerating your cloud adoption with new secure web gateway and firewall services in the cloud, deployed through a single IPsec tunnel.
  • Future-proofing your security with an industry-validated zero-trust approach for your workforce, workloads, and workplace, while integrating threat context.
  • Simplifying your breach defense experience with more visibility and actions for threat response, plus new services delivered by Cisco experts to help augment your team.

 

Security Operations made easier so you can focus on what matters

 

Experience the future of firewalling

As you’re moving applications into the cloud, the NetOps’ job is expanding to include cloud-native firewalls. Securing all control points across this multicloud environment should not feel like reinventing the wheel. We’re simplifying the experience and enabling NetOps to maintain consistent policies across firewalls, and into the cloud, starting with support for AWS, with more cloud providers roadmapped. Additionally, to help you easily maintain consistent policies as you’re adopting SD-WAN, we’ve simplified policy management for Meraki MX, one of our SD-WAN solutions. Just a few clicks, that’s all it takes to seamlessly harmonize policies across your hybrid environment.

We’re also improving visibility and making compliance easier with cloud-based logging for our NGFWs. This new capability aggregates and centralizes the on-prem and cloud logs so you can search, filter, and sort them, accelerating investigations while ensuring your organization complies with industry regulations.

The increased user connectivity to the cloud creates new demands for faster speeds, so we’re raising the bar with our appliances as well. The latest models of our NGFWs offer a 3X performance boost over previous appliances and optimize the performance-to-price ratio to keep your network — and business — running smoothly and securely.

Accelerate cloud adoption securely

To help you transition to the cloud successfully— and protect any user, anywhere they connect to the internet — while saving a considerable amount of resources, we’ve consolidated a broad range of security services into a single, cloud-delivered security solution and dashboard. Alongside DNS-layer security, CASB, and interactive threat intelligence services, we’ve added secure web gateway and firewall services to our cloud security solution to deliver deeper visibility and control over all ports and protocols, even encrypted web traffic.

The secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities like decrypting and scanning files on any site, filtering out inappropriate or malicious URLs, sandboxing unknown files, and blocking applications or app functions.

With this comprehensive set of functionalities, you can rely on us for the full security stack at smaller branches as you adopt SD-WAN. A single configuration in our networking product dashboards deploys DNS-layer security across hundreds of network devices, including SD-WAN. Additionally, a single IPsec tunnel deploys secure web gateway and firewall from any network device, including SD-WAN. Our integrated approach and Anycast routing can efficiently protect your branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.

Secure access with a zero-trust approach

We have been working over the past year to create a more comprehensive zero-trust framework. Based on customer feedback, we focused on securing three key pillars: workforce, workloads, and workplace. We are thrilled that Forrester recognized our strides and named Cisco a leader in the recently released Forrester Wave among Zero Trust eXtended Ecosystem Platform Providers. As the analyst report noted, “Cisco excels in zero trust with a renewed and targeted focus … and is well-positioned as a prominent zero-trust player.”

We continue to innovate in this space and are reducing risks based on device trust by integrating our threat-detection capabilities with multi-factor authentication. The majority of breaches originate on the endpoint, but what if ITOps could establish trust in a user device before it’s allowed any access to sensitive resources? By safeguarding against vulnerable or compromised endpoints and blocking their access, you’ll be able to better detect and respond to malware threats as well as prevent data breaches.

Adopt breach defense everywhere

Taking endpoint defense one step farther, we added the ability to isolate an endpoint, which stops malware from spreading while giving SecOps time to remediate without losing forensics data, or simply giving ITOps time to troubleshoot an unknown issue. Making breach defense less overwhelming, endpoint isolation empowers incident investigators to uncover endpoint data that wasn’t available before — using advanced search with more than 300 query parameters, such as listing applications with high memory utilization.

Malware is also a growing problem at the network level because adversaries have learned to hide behind encrypted traffic. We’ve extended the capability to analyze encrypted traffic behavior into the cloud, providing higher fidelity of threat protection and enabling cryptographic compliance. At the same time, we’re simplifying investigations, giving you deeper visibility at multiple layers, and helping you respond quicker across different vectors by integrating network security analytics with our unified threat response application.

If you need help preparing for and responding to attacks, you can augment your team with our incident response services, now part of Talos. You know Talos as the team who’s constantly researching new threats on your behalf, and now they can integrate that intel even faster across our entire portfolio — benefitting not only retainer customers but everyone. For even leaner teams that need next-level support, we’re adding managed threat detection and response services to help you leverage your Cisco Security investments 24x7x365.

Several of these innovations are industry firsts, and we’re excited to offer customers new ways to better manage their growing business demands. I encourage you to take a closer look at these enhancements and discover how they can make your security an enabler rather than a barrier.

Get Started

Ready to experience for yourself how Cisco can simplify your experience, accelerate your success, and secure your future?

 

 


Source:

1 Allianz Risk Barometer, 2019

 

The post Securing Your Future by Innovating Today appeared first on Cisco Blogs.

15 Easy, Effective Ways to Start Winning Back Your Online Privacy

NCSAM

NCSAM

Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to reign in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private b) regularly editing friends lists c) deleting personal information on social profiles d) limiting app permissions someone and browser extensions e) being careful not to overshare.NCSAM
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy, it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading private communications.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and followup to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your password, and these best practices matter.
  9. Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to protect against rogue attacks.NCSAM
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected viruses, malware, with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.

~~~

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

Securing the Unsecured: State of Cybersecurity 2019 – Part II

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

In Part I of the series, we explored IT security trends for 2019 and ways companies can protect themselves from IoT device vulnerability. Today, we’re continuing the discussion by exploring the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

Q3: How great is the threat to companies of “crypto crime”?

The thing about ransomware is that it’s no longer the province of specific groups. At the RSA Conference this year, McAfee’s own Raj Samani shared the advent of the franchise model in crypto crime. As a result, we are seeing greater reach, but less unique systems applying ransomware. Still, we see the enterprises failing in the same ways year after year and falling victim to these families of ransomware at scale.

As you seek to conquer incident response as an effective plank of mitigating the effect of phishing and initial ransomware infections—I’d ask, how does your incident response change in the cloud? Do you have incident response resources and provisions for SaaS vs. IaaS? How do you get the logs and resources that you need from cloud providers to effectively investigate and ensure you have identified all affected nodes, or the initial attack vector? The time to figure out that question isn’t during time-compressed investigation stages when everyone is under stress from an active threat.

With the recent third anniversary of No More Ransom, security leaders like Raj Samani and the companies that make up partnerships like that of the No More Ransom website can help offer basic protection for some forms of ransomware. In this joint project with Europol and AWS, it’s been an amazing journey to watch and even invest in helping protect businesses against ransomware.

Q4: How can small businesses with limited resources protect the privacy of their customers?

The dwell time of threats in small and medium businesses is 45 to 800 days, with the averages moving more towards the latter. Cloud based information security SaaS (Software as a Service) is helping to level the playing field. To make continued progress, venture capital backing small firms, and the public buying from these companies, need to assert an expectation of security as part of doing business.

Many restaurants and retail establishments are still small businesses today, run by families and individuals. In many of these stores, there is a certain level of distrust of cloud and connected platforms, versus point-of-sales systems they can put their hands on and feel like they have control over. How do we gain the trust and their attention to of these small stakeholders, help them either more strongly secure things in-house or make the move to cloud security services? We can’t just have an answer that demands $4,000 or $40,000 to make the fix. Instead we have to find every possible opportunity to go serverless and make more and more walled garden capability for things like point of sale, or small engineering platform.

When it comes to small businesses interconnecting systems and moving into cloud services for consumers, these small companies holding identities is a challenge from a trust perspective. Forums and programs like the OpenID technologies providing standards and enabling identity without spreading the authorization infrastructure unnecessarily has been instrumental in constraining the size of this problem.

Security spans everything. There are basic exercises that you can do as business customers to check your readiness. I am a huge fan of SOAPA from ESG as a method of mapping what assets you have at different levels of the organization. Ask yourself a basic question -can you keep control integrity when you go from one “tower” —like on-premise—of connected capability to mapping the other silos or major cloud environments of your hybrid company? I’d also add it costs nothing to follow some of your favorite security personalities. I follow people like Cisco’s Wendy Nather and Kate Moussouris, the CEO of Luta Security who is helping even small companies understand the market of bug bounties and vulnerability disclosure.

Here, too, public policy potentially has a natural role. Government requires health training, for example in a restaurant, but not information security necessarily at small- and medium-sized business. Actually, the natural consequences and motivations of insurance companies can be an ally here, requiring training in basic computer hygiene, security, and privacy as part of issuing liability policies for businesses.

Q5: What are some new cybersecurity threats that we can expect to see in the next year?

I expect to see the rise of more significant exploitation of the “seams” in cloud integrations. The recent CapitalOne breach was relatively benign in the scheme of things. The actor was a braggart hacktivist, but the media coverage emphasized the weakness of cloud integrations to many who might have more capability. We’ve seen spikes in discussion in the dark web around this, so the profile of the cloud vulnerability is higher, and now we will have to see how the cat-and-mouse game between offense and defense proceeds.

I think it’s worth adding, the next threat isn’t as much the challenge to me, as the enterprise reaching the next run of maturity in the digital environment. Asset management, vulnerability reduction, and preparing the protection of cloud operations and visibility are all critical disciplines for the enterprise, no matter what the threat is.

Protect your devices. Protect your cloud—not in silos, but with an integrated strategy. Demand from your vendors the ability to integrate to maintain a cohesive threat picture which you can use to easily react.

To read Part I of this two-part series, click here.

 

The post Securing the Unsecured: State of Cybersecurity 2019 – Part II appeared first on McAfee Blogs.

Securing the Unsecured: State of Cybersecurity 2019 – Part I

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

Alongside some fantastic leaders and technology strategists from HCL, Oracle, Clarify360, Duo Security, and TCDI, we explored the challenges of today’s hyper-connected and stretched security team.

Today, businesses operate in a world where over the last few years, more than 85% of business leaders surveyed by Dell and Dimensional Research say they believe security teams can better enable digital transformation initiatives if they are included early. Moreover, 90% say they can better enable the business if given more resources. Yet most of these same leaders assert that security is being brought in too late to enable digital transformation initiatives! These digital transformation trends—cloud, data, analytics, devices—are critical to the next generation of customer and employee experiences, and for the clear majority of companies, the transition of value chains is already in progress!

We collate the insights from the course of the discussion …

Q1: What are some of the IT security trends for 2019? Are there particular cybersecurity challenges related to digital trends?

Digital isn’t one trend—it’s many. Plus, we can’t stop running the business today. This forces a split of the skill investment that is available to companies, which MSSPs and system integrators can cover part of. The biggest challenge is information security extension in a multi-cloud world. All large enterprise is multi-cloud and hybrid. Yet few security operations teams are prepared for that.

Part of solving that challenge is bringing nascent ways of identifying anomalies and gaining scale—for example, through graph theory technology, critical to find the little traces that represent defensive capability. Machine learning will be throughout the information security technology stack soon. This shift must happen, as the challenge is more than new environments. The log volumes in cloud are material—and you pay for them, by the way—the formats are different, the collections are different, and the visibility is fragmented.

The harder thing here is that information security teams must adjust to ALL of this at ONCE. Great, you have AWS Cloud Trail. Let me ask you a question: Which of your security stack can see that AND is tuned for it AND can unify the risk identified there with on-premise derived visibility? And if you can answer that in a positive way, what about when I ask the same thing for Azure? Are you starting to think about the shift to resilience, or are you still thinking about defense and control exclusively?

I’d ask though, as your team is investing in cloud, are they investing in the understanding and readiness to protect data science? Are you preparing the project cycle for your security team to now be iterative as well to even deliver these services? Identity and access management is part of the solution as a critical foundation. Effective governance and strategy can help you figure out which platforms have security relevant data. While it’s easy to say “see and save everything,” you quickly find out how expensive that is, and how much trash is in there. At that point, you can start thinking about automation.

Focusing on data storage and data in motion has led us to consider more zero-trust to cut down on the amount of interstitial security complexity. To realize that vision, tokenization and indexing and many other technologies must continue to expand. We face an odd duality between the confidentiality and accessibility of making data useful in digital employee experience and customer experience.

It’s about more than adding automation to conquer the complexity. The automation must have intelligence, and it must operate in a way that is more than “I bought tech with buzzwords.” So many platforms and products say they do these things—but as you buy and implement, you need to focus on how, and how hard they are to build and link together. Plus, how are you going to maintain them? Be careful as we adjust to keep the pace of digital transformation that we aren’t trading one problem for another.

Finally, I’d note that at every level of the information security organization—not jus the CISO—the people need to have a sense of purpose. What value do you add as a security professional to the customer experience? Why do you exist? We need to remember that, as customer journeys are the way that digital transformation shows up. We have to think end-to-end.

Q2: What can companies do to protect themselves against vulnerabilities created by IoT devices?

Start with procurement. Look, I’d love to tell you that IoT security is a software problem, but that’s only part of it. It really starts with buying technology that is well-designed, and both the customer and the upstream vendor must enforce Secure Development Life Cycle (SDLC) internally.

To a certain degree, we need to see IoT as completely untrusted. Google’s BeyondCorp is a good goal for an entire org’s high-level vision of zero trust. Data introspection and device behaviors then need to have high inspection rather than assumptions of performance. We are advantaged in that we now live in a society full of tools where the reality is that encryption overhead is almost negligible with RISC based enhancements to network interface level assets. The organization can think differently about data protection in that kind of world with (relatively) cheap encryption cost to latency and performance.

When I think about IoT security, I continue to go back to an example that really made an impression on me a couple years back: If the team at IKEA can sell an IoT lightbar for cheap that has basic randomization, locked services, and minimal platform build … I have to think that certainly we can do better in health technology, industrial control systems, and manufacturing technologies.

When it comes to governance, IoT has the potential to turn asset management issues up to “11” on the 10-point scale of concern. How do you define an authorized device? Authorize an untrusted device to send data into the system? What do you recognize as a managed device? How will your organization make conditional access decisions to use, aggregate, and modify data? “Enterprise Architecture” (EA) needs to be part of the plan for effective governance. In some ways, as an industry, EA got swept up with the boom and bust of specific analyst models of architecture not proving out value cases at a lot of organizations. In today’s iterative digital world, architecture and simplicity have to be part of the IoT project Minimum Viable Product in order to realize the scale needed later.

We can’t manage IoT like laptops—these devices have fewer capabilities. Instead we need more affirmative approaches that integrate the components of the ecosystem in a predictable and defined way, like trusted cloud. The default expectation for a device intended to be used in a reduced management environment should have heavy encryption, PKI validation, and locked down application-controlled execution built into them out of the box.

When you take a step back and look at the problem as societal instead of the microcosm of a specific company’s product or implementation, public policy must enter into the intersection of law and devices at scale. We have to solve difficult questions like the role of liability and commercial incentives to build and deploy device platforms in a responsible way. As one example, when machine learning-led IoT decisions create a catastrophe, who is responsible? The owning company? The software vendor? The system integrator? All the above? In critical spaces like utilities and healthcare, we need the focus of meeting some level of criteria for devices to have minimum reasonable security.

Even at this scale, this, too could be a great place for graph theory and machine learning-led approaches to secure societal level device challenges like elections. It’s easily expressed as math—easily identified for loci and baseline deviations. We need investment, however, from government or non-traditional sources as the state/local government and education sectors have very long buying cycles, and the available budget for this problem hasn’t yet justified the extended R&D costs of these kinds of technological changes.

Even while these public policy shifts are emerging, the greater propensity of localized privacy law has created operational hurdles for enterprise. As a microcosm, introduction of privacy safeguards in the India data localization law represents many different interests trying to be balanced in one approach. This has created a higher cost for external multinationals as they create duplicative storage and has even slowed digital transformation and created a drag on growth for India based consulting and business process outsourcing economic engines. You could make the same analysis for CCPA or GDPR, but these same measures have helped privacy, potentially, for citizens.

To help companies navigate these challenges, we are seeing organizations like ENISA, and the NCSC Secure Authority providing advisory guidance. This leads to the definition of a state of reasonable practice. When we add that kind of practical dimension to ISO standards like the 27000 series, and the Top 20 from the Center for Internet Security, and others, we help organizations navigate what the basics look like for practical security applicability in IoT and security generally.

In Part II of this series, we’ll explore the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

The post Securing the Unsecured: State of Cybersecurity 2019 – Part I appeared first on McAfee Blogs.

Security is Shifting to a Unified Cloud Edge

More than 95% of companies today use cloud services, and 83% store sensitive data in the cloud. This data is traveling via a larger and more diverse group of devices than ever before, to and from an ever-growing list of cloud services. More importantly, it is moving in ways you may not be able to see, may have no control over, and may not have even authorized.

Even today, many businesses don’t realize the extent of their cloud usage—the average organization thinks they use about 30 cloud services, but in reality, they use nearly 2,000. And those cloud services are hosting an ever-increasing amount of sensitive data—according to our 2019 Cloud Adoption and Risk Report, the number of files with sensitive data shared in the cloud has increased 53% year over year.

In an attempt to regain visibility and control, cybersecurity teams have attempted to stitch together a variety of data protection solutions, each with their own proprietary engine, policies and management platform. As a result, only 30 percent of companies can protect data with the same policies on their devices, network and cloud—and only 36% can enforce data loss prevention rules in the cloud at all. The fact that more than 80% of organizations have separate management controls for DLP and CASB deployments further increases complexity and lowers security efficacy.

With the cloud increasingly the epicenter of business operations, our security strategies must be able to secure not just our network, but every place our employees and our data go—whether it’s a corporate device at headquarters, an unmanaged smartphone on a foreign telecommunications network, or even an authorized user at home working from a personal laptop. And they must be able to do so simply.

To meet this challenge head on, McAfee has introduced Unified Cloud Edge, an industry-first initiative converging the capabilities of its award-winning McAfee MVISION Cloud, McAfee Web Gateway and McAfee Data Loss Prevention offerings within the MVISION ePO platform for a truly frictionless IT environment.

Figure 1: Simplified architecture for Unified Cloud Edge

“The convergence of security solutions that traditionally have functioned independently will improve an organization’s security posture by creating security defenses that work cohesively to defend against attacks,” Rob Westervelt, research director at IDC, said. “But even more importantly, this convergence will help ease the burden of managing security and compliance across hybrid and multi-cloud environments, which is one of the most significant challenges enterprises face today.”

Converging these technologies into a cloud-native platform offers simplicity in policy management, centralized incident management and reporting, and a combined set of application programming interface (API) and proxy-based controls to secure users, devices and data everywhere. Instead of replicating the work of implementing DLP across multiple environments, admins can use one set of content rules across endpoints, networks and cloud services. They can investigate security events, run reports from a single repository and enable a consistent user experience.

The result? Complete visibility and consistent controls over data from device to cloud, and an unrivaled level of simplicity and security.

To learn more about McAfee’s vision for a frictionless IT environment, check out the McAfee Unified Cloud Edge Tech Preview.

The post Security is Shifting to a Unified Cloud Edge appeared first on McAfee Blogs.

Major Web Hosting Hazards You Should Take Seriously

“I’ve read that my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”

This is a pretty common answer that a lot of bloggers and small business owners gave me when I ask them if they know about how secure their web hosting is. Also, they often add that their budgets are pretty tight so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean ‘ridiculously cheap.”

Come on, people.

Do you really think that a cheap web hosting has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?

While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.

If you don’t believe me, you can Google something like “Hacked website stories” and you’ll see that many web hosting companies, from some of the cheapest to even some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.

Shocking Stats

Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).

From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.

The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.

While this information is certainly alarming, website owners are typically to blame for the fact that their website was stolen from them (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.

For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they could get help with by using numerous online tools like, Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.

Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.

While a password is something that could be changed in a matter of seconds to protect your site against brute force attacks, it may not protect you from most cyber threats. This is the responsibility of a hosting provider, and unfortunately, a lot of people disregard this requirement for web security.

That’s why we’re going to talk about hosting security issues that you should protect your site from.

How Web Hosting Affects the Security of Your Website

Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up for your website, and the implications go way beyond security.

For example, if you’re a blogger or a business owner, you’ll get:

  • A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure”
  • A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 lower bounce rates, and 25 percent higher viewability compared to websites that load between 5 and 19 seconds. That’s why Google has released the mobile-first indexing update and designed own PageSpeed Insights tool to help users optimize the performance of their websites
  • High reliability and uptime. Most web hosting companies claim that the websites they service are online for 99.9 percent of the time, but the real time can vary and depends on the quality of the provider.
  • Better security. This one means that different web hosting providers have different security packages, therefore the websites they power have different protection from hackers. Moreover, a good host can help you to recover quickly in case if you’ve suffered an attack.

Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:

  • Slow loading times. If your website loads for more than five seconds, then chances are that its performance is affected by the hosting provider that has put a lot of sites into one server
  • Frequent security issues. If your website doesn’t have backups and suffers from various cyber attacks often, then you should definitely talk to your provider (make sure that your passwords aren’t the problem)
  • Regular unexpected downtime. A poor choice of a web hosting provider often leads to this problem, which, in turn, is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and other websites hosted on that server) are experiencing.

So, to sum up, the quality of hosting is essential for the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter again). But with so many websites getting hacked on a daily basis, what do you need to know to protect your own one? Read the next section to know.

Beware of these Major Web Hosting Hazards

  1. Shared Hosting Issues

Sharing hosting is a tricky business, and you don’t know how many websites are on the server where your own one lives. It’s quite possible that the number is quite high, up to a thousand, and this could be one of the reasons why your website might be underperforming.

For example, this discussion threat had some interesting information on this. A person asked how many websites are typically served on one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.

Can you believe it? 800 websites on one server! Talk about performance issues, right?

While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them are high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.

Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.

  1. Attacks that Exploit an outdated version of PHP

It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, since the beginning of 2019, the support for PHP 5.6x will be ended, meaning that all support for any version of PHP 5.x is gone. In other words, the sites that fail to update won’t get any security patches, bug fixes, and updates.

However, recent reports suggest that this news didn’t trigger any massive moves to the newer versions of PHP. For example, according to Threat Post, about 62 percent of all server-side programming websites are still using PHP version 5. Here are the full data.

Source: Threat Post

“These sites probably include old libraries that haven’t had the joy of an update…” the abovementioned Threat Post post cited a web security expert, as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites stopped getting security updates!

“Faced with the urgent requirement to update the PHP version, a lot of websites owners will make a corresponding request for their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”

On top of that, some providers may not be willing to notify their users about the requirement to update their PHP versions, so a lot of websites may still be using outdated ones in the next few years.

Well, hopefully you’re not going to be one of them.

  1. More Sophisticated DDoS Attack Techniques

DDoS attacks are nothing new. However, they are still a common type of a cyberweapon used against websites that should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one thinks.

For example, the research suggests that the total number of DDoS attacks has decreased by 13 percent in 2018, which may seem like a positive signal by many.

The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky

Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to break into websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.

For example, it was found that the average length of attacks has increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While it means that the protection against this kind of attacks is getting better, it also suggests that the malefactors are becoming more selective and skilled.

 

For example, 2018 has seen the biggest DDoS attacks in history; one of these situations involved a U.S.-based website that reported a 1.7 TB/s assault (this means that the attackers overwhelmed the site with a massive wave of traffic hitting 1.7 terabytes per second!), according to The Register.

Source: The Register

Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the next years (clearly, not a lot of websites can survive an attack like this one), as hackers deploy more sophisticated techniques.

Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.

Stay Protected

Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats that you can face in the nearest future could help you to avoid losing your website and joining those 100,000+ unfortunate sites owners who get their sites hacked every day.

Hopefully, this article was a nice introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to the existing and emerging risks right now and make appropriate decisions. Eventually, this’ll pay you nicely by maximizing uptime and reliability of your website.

 

Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.

The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.

19 Cloud Security Best Practices for 2019

Now well into its second decade of commercial availability, cloud computing has become near-ubiquitous, with roughly 95 percent of businesses reporting that they have a cloud strategy. While cloud providers are more secure than ever before, there are still risks to using any cloud service. Fortunately, they can be largely mitigated by following these cloud security best practices:

Protect Your Cloud Data

  1. Determine which data is the most sensitive. While applying the highest level of protection across the board would naturally be overkill, failing to protect the data that is sensitive puts your enterprise at risk of intellectual property loss or regulatory penalties. Therefore, the first priority should be to gain an understanding of what to protect through data discovery and classification, which is typically performed by a data classification engine. Aim for a comprehensive solution that locates and protects sensitive content on your network, endpoints, databases and in the cloud, while giving you the appropriate level of flexibility for your organization.
  2. How is this data being accessed and stored? While it’s true that sensitive data can be stored safely in the cloud, it certainly isn’t a foregone conclusion. According to the McAfee 2019 Cloud Adoption and Risk Report, 21 percent of all files in the cloud contain sensitive data—a sharp increase from the year before1. While much of this data lives in well-established enterprise cloud services such as Box, Salesforce and Office365, it’s important to realize that none of these services guarantees 100 percent safety. That’s why it’s important to examine the permissions and access context associated with data in your cloud environment and adjust appropriately. In some cases, you may need to remove or quarantine sensitive data already stored in the cloud.
  3. Who should be able to share it, and how? Sharing of sensitive data in the cloud has increased by more than 50% year over year.1 Regardless of how powerful your threat mitigation strategy is, the risks are far too high to take a reactive approach: access control policies should be established and enforced before data ever enters the cloud. Just as the number of employees who need the ability to edit a document is much smaller than the number who may need to view it, it is very likely that not everyone who needs to be able to access certain data needs the ability to share Defining groups and setting up privileges so that sharing is only enabled for those who require it can drastically limit the amount of data being shared externally.
  4. Don’t rely on cloud service encryption. Comprehensive encryption at the file level should be the basis of all your cloud security efforts. While the encryption offered within cloud services can safeguard your data from outside parties, it necessarily gives the cloud service provider access to your encryption keys. To fully control access, you’ll want to deploy stringent encryption solutions, using your own keys, before uploading data to the cloud.

Minimize Internal Cloud Security Threats  

  1. Bring employee cloud usage out of the shadows. Just because you have a corporate cloud security strategy in place doesn’t mean that your employees aren’t utilizing the cloud on their own terms. From cloud storage accounts like Dropbox to online file conversion services, most people don’t consult with IT before accessing the cloud. To measure the potential risk of employee cloud use, you should first check your web proxy, firewall and SIEM logs to get a complete picture of which cloud services are being utilized, and then conduct an assessment of their value to the employee/organization versus their risk when deployed wholly or partially in the cloud. Also, keep in mind that shadow usage doesn’t just refer to known endpoints accessing unknown or unauthorized services—you’ll also need a strategy to stop data from moving from trusted cloud services to unmanaged devices you’re unaware of. Because cloud services can provide access from any device connected to the internet, unmanaged endpoints such as personal mobile devices create a hole in your security strategy. You can restrict downloads to unauthorized devices by making device security verification a prerequisite to downloading files.
  2. Create a “safe” list. While most of your employees are utilizing cloud services for above-the-board purposes, some of them will inadvertently find and use dubious cloud services. Of the 1,935 cloud services in use at the average organization, 173 of them rank as high-risk services.1 By knowing which services are being used at your company, you’ll be able to set policies 1.) Outlining what sorts of data are allowed in the cloud, 2.) Establishing a “safe” list of cloud applications that employees can utilize, and 3.) Explaining the cloud security best practices, precautions and tools required for secure utilization of these applications.
  3. Endpoints play a role, too. Most users access the cloud through web browsers, so deploying strong client security tools and ensuring that browsers are up-to-date and protected from browser exploits is a crucial component of cloud security. To fully protect your end-user devices, utilize advanced endpoint security such as firewall solutions, particularly if using IaaS or PaaS models.
  4. Look to the future. New cloud applications come online frequently, and the risk of cloud services evolves rapidly, making manual cloud security policies difficult to create and keep up to date. While you can’t predict every cloud service that will be accessed, you can automatically update web access policies with information about the risk profile of a cloud service in order to block access or present a warning message. Accomplish this through integration of closed-loop remediation (which enforces policies based on a service-wide risk rating or distinct cloud service attributes) with your secure web gateway or firewall. The system will automatically update and enforce policies without disrupting the existing environment.
  5. Guard against careless and malicious users. With organizations experiencing an average of 14.8 insider threat incidents per month—and 94.3 percent experiencing an average of at least one a month—it isn’t a matter of if you will encounter this sort of threat; it’s a matter of when. Threats of this nature include both unintentional exposure—such as accidentally disseminating a document containing sensitive data—as well as true malicious behavior, such as a salesperson downloading their full contact list before leaving to join a competitor. Careless employees and third-party attackers can both exhibit behavior suggesting malicious use of cloud data. Solutions leveraging both machine learning and behavioral analytics can monitor for anomalies and mitigate both internal and external data loss.
  6. Trust. But verify. Additional verification should be required for anyone using a new device to access sensitive data in the cloud. One suggestion is to automatically require two-factor authentication for any high-risk cloud access scenarios. Specialized cloud security solutions can introduce the requirement for users to authenticate with an additional identity factor in real time, leveraging existing identity providers and identity factors (such as a hard token, a mobile phone soft token, or text message) already familiar to end users.

Develop Strong Partnerships with Reputable Cloud Providers

  1. Regulatory compliance is still key. Regardless of how many essential business functions are shifted to the cloud, an enterprise can never outsource responsibility for compliance. Whether you’re required to comply with the California Consumer Privacy Act, PCI DSS, GDPR, HIPAA or other regulatory policies, you’ll want to choose a cloud architecture platform that will allow you to meet any regulatory standards that apply to your industry. From there, you’ll need to understand which aspects of compliance your provider will take care of, and which will remain under your purview. While many cloud service providers are certified for myriad industry and governmental regulations, it’s still your responsibility to build compliant applications and services on the cloud, and to maintain that compliance going forward. It’s important to note that previous contractual obligations or legal barriers may prohibit the use of cloud services on the grounds that doing so constitutes relinquishing control of that data.
  2. But brand compliance is important, too. Moving to the cloud doesn’t have to mean sacrificing your branding strategy. Develop a comprehensive plan to manage identities and authorizations with cloud services. Software services that comply with SAML, OpenID or other federation standards make it possible for you to extend your corporate identity management tools into the cloud.
  3. Look for trustworthy providers. Cloud service providers committed to accountability, transparency and meeting established standards will generally display certifications such as SAS 70 Type II or ISO 27001. Cloud service providers should make readily accessible documentation and reports, such as audit results and certifications, complete with details relevant to the assessment process. Audits should be independently conducted and based on existing standards. It is the responsibility of the cloud provider to continuously maintain certifications and to notify clients of any changes in status, but it’s the customer’s responsibility to understand the scope of standards used—some widely used standards do not assess security controls, and some auditing firms and auditors are more reliable than others.
  4. How are they protecting you? No cloud service provider offers 100 percent security. Over the past several years, many high profile CSPs have been targeted by hackers, including AWS, Azure, Google Drive, Apple iCloud, Dropbox, and others. It’s important to examine the provider’s data protection strategies and multitenant architecture, if relevant—if the provider’s own hardware or operating system are compromised, everything hosted within them is automatically at risk. For that reason, it’s important to use security tools and examine prior audits to find potential security gaps (and if the provider uses their own third-party providers, cloud security best practices suggest you examine their certifications and audits as well.) From there, you’ll be able to determine what security issues must be addressed on your end. For example, fewer than 1 in 10 providers encrypt data stored at rest, and even fewer support the ability for a customer to encrypt data using their own encryption keys.1 Finding providers that both offer comprehensive protection as well as the ability for users to bridge any gaps is crucial to maintaining a strong cloud security posture.
  5. Investigate cloud provider contracts and SLAs carefully. The cloud services contract is your only guarantee of service, and your primary recourse should something go wrong—so it is essential to fully review and understand all terms and conditions of your agreement, including any annexes, schedules and appendices. For example, a contract can make the difference between a company who takes responsibility for your data, and a company that takes ownership of your data. (Only 37.3 % of providers specify that customer data is owned by the customer. The rest either don’t legally specify who owns the data, creating a legal grey area—or, more egregiously, claim ownership of all uploaded data.1) Does the service offer visibility into security events and responses? Is it willing to provide monitoring tools or hooks into your corporate monitoring tools? Does it provide monthly reports on security events and responses? And what happens to your data if you terminate the service? (Keep in mind that only 13.3 percent of cloud providers delete user data immediately upon account termination. The rest keep data for up to a year, with some specifying they have a right to keep it indefinitely.) If you find parts of the contract objectionable, you can try to negotiate—but in the case where you’re told that certain terms are non-negotiable, it is up to you to determine whether the risk presented by accepting the terms as-is is an acceptable one to your business. If not, you’ll need to find alternate means of managing the risk, such as encryption or monitoring, or find another provider.
  6. What happens if something goes wrong? Since no two cloud service providers offer the same set of security controls—and again, no cloud provider delivers 100 percent security—developing an Incident Response (IR) plan is critical. Make sure the provider includes you and considers you a partner in creating such plans. Establish communication paths, roles and responsibilities with regard to an incident, and to run through the response and hand-offs ahead of time. SLAs should spell out the details of the data the cloud provider will provide in the case of an incident, how data will be handled during incidents to maintain availability, and guarantee the support necessary to effectively execute the enterprise IR plan at each stage. While continuous monitoring will offer the best chance at early detection, full-scale testing should be performed on at least an annual basis, with additional testing coinciding with major changes to the architecture.
  7. Protect your IaaS environments. When using IaaS environments such as AWS or Azure, you retain responsibility for the security of operating systems, applications, and network traffic. Advanced anti-malware technology should be applied to the OS and virtual network to protect your infrastructure. Deploy application whitelisting and memory exploit prevention for single-purpose workloads and machine learning-based protection for file stores and general-purpose workloads.
  8. Neutralize and remove malware from the cloud.Malware can infect cloud workloads through shared folders that sync automatically with cloud storage services, spreading malware from an infected user device to another user’s device. Use a cloud security solution program to scan the files you’ve stored in the cloud to avoid malware, ransomware or data theft attacks. If malware is detected on a workload host or in a cloud application, it can be quarantined or removed, safeguarding sensitive data from compromise and preventing corruption of data by ransomware.
  9. Audit your IaaS configurations regularly.  The many critical settings in IaaS environments such as AWS or Azure can create exploitable weaknesses if misconfigured. Organizations have, on average, at least 14 misconfigured IaaS instances running at any given time, resulting in an average of nearly 2,300 misconfiguration incidents per month. Worse, greater than 1 in 20 AWS S3 buckets in use are misconfigured to be publicly readable.1 To avoid such potential for data loss, you’ll need to audit your configurations for identity and access management, network configuration, and encryption. McAfee offers a free Cloud Audit to help get you started.

 

  1. McAfee 2019 Cloud Adoption and Risk Report

 

The post 19 Cloud Security Best Practices for 2019 appeared first on McAfee Blogs.

IoT Security in 2019: Things You Need to Know

In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.

IoT visibility & security in 2019:

1. IoT endpoint security vs network security

Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.

Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.

2. “Cryptography is typically bypassed, not penetratedShamir’s law

In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should  now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.

3. 3rd party IoT vulnerabilities

One of the main issues in IoT security is the heavily reliance of IoT devices on third-party components for communication capabilities, cryptographic capabilities, the operating system itself etc. In fact, this reliance is so strong that it has reached a point where it’s unlikely to find an IoT device without third-party components within it. The fact that third-party libraries are commonly used across devices, combined with the difficulty to secure them, makes them a sweet spot for hackers to look for IoT vulnerabilities and exploit many IoT devices through such 3rd party component.

Vulnerability in third-party components is very dangerous. In many IoT devices, there is no separation and segmentation between processes and/or tasks, which means that even one vulnerability in a third-party library is compromising the entire device. This could lead to lethal results: attackers can leverage the third-party vulnerability to take control over the device and cause damage, steal information of perform a ransomware attack on the manufacturer.

it’s not only that third-party components are dangerous, but they are also extremely difficult to secure. Many third-party components are delivered in binary form, with no source code available. Even when the source code is available, it’s often hard to dive into it and asses the security level or vulnerabilities inside it. Either way, most developers use the open-source components as black-boxes. On top of that, static analysis tools and compiler security flags lack the ability to analyze and secure third-party components and most IoT security solutions cannot offer real-time protection into binary code.

VxWorks vulnerabilities

A recent example of such third party vulnerability that affects millions of devices can be found in the security bugs found in the VxWorks embedded operating system. These vulnerabilities exposed every manufacturer that used VxWorks operating system, even if security measures like penetration testing, static analysis, PKI and firmware analysis were taken.

To summarize, in order to provide strong and holistic IoT protection, you must handle and secure all parts of the device, including the third-party components. Sternum IoT security solutions focus on holistically securing IoT devices from within and therefore offers a unique capability of embedding security protection & visibility into the device from end-to-end. Sternum’s solution is also operating during real-time execution of the device and prevents all attack attempts at the exact point of exploitation, while immediately alerting about the attack and its origins, including from within third-party libraries.

4. Regulation is kicking in

In the past two years, we’re seeing a across industries effort to create regulations and standards for IoT security. We are expecting to see more of these efforts shaping into real regulations that will obligate manufacturers to comply with them.

A good and important example is the FDA premarket cybersecurity guidance that was published last year and is expected to become a formal guidance in 2020. The guidance includes different aspects of cybersecurity in medical devices (which is in many cases are essentially IoT devices) such as data integrity, Over-the-air updates, real-time protection, execution integrity, third-party liabilities and real-time monitoring of the devices.

Another example is the California Internet of Things cybersecurity law that states: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.

We expect to see more states and countries forming regulations around IoT security since these devices lack of security may have a dramatic effect on industry, cities, and people’s lives. Top two regulations that are about to be released are the new EU Cybersecurity Act (based on ENISA and ETSI standards) and the NIST IoT and Cybersecurity framework.

The post IoT Security in 2019: Things You Need to Know appeared first on CyberDB.

Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season

With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:

Education Needs to Go Beyond the Normal Curriculum

While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.

Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.

Take Notes on Device Security

Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.

Class Dismissed: Cyberattacks Targeting Education Are on the Rise

According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.

Become a Cybersecurity Scholar

In order to go into this school year with confidence, students should remember these security tips:

  • Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
  • Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
  • Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.

Serverless Security: Best Practices to Secure your Serverless Infrastructure

According to a study by LogicMonitor, the number of applications hosted on-premises will decrease by 10%, to 27%, by 2020. In comparison, the number of cloud-native, more specifically serverless hosted applications, like AWS Lambda, Google Cloud and Microsoft Azure, will increase to 41%.

The trend to cloud, specifically serverless, and away from on-prem, is not new and of no surprise, as serverless hosted applications provide developers with a faster speed to market and allows for them to release new functionality on a more frequent basis. In addition, it can save organizations bundles in infrastructure costs. It has however left DevSecOps and security teams in a quandary. While they don’t want to impede development efforts, they are left with no choice but to place the security of serverless applications in someone else’s hands.

To alleviate this issue, there are several serverless security best practices that must be put in place in order to properly secure serverless apps launched by the developer.

Serverless Security Best Practices

Don’t rely solely on WAF protection: Application layer firewalls are only capable of inspecting HTTP(s) traffic. This means that a WAF will only protect functions which are API Gateway-triggered functions. It will not provide protection against any other event trigger types. A WAF will not help if your functions are triggered from different events sources, such as:

  • Cloud storage events (e.g. AWS S3, Azure Blob storage, Google Cloud Storage)
  • Stream data processing (e.g. AWS Kinesis)
  • Databases changes (e.g. AWS DynamoDB, Azure CosmosDB)
  • Code modifications (e.g. AWS CodeCommit)
  • Notifications (e.g., SMS, Emails, IoT)

Having a WAF in place is still important, but it is not and should not be the only line of defense in securing serverless applications. Relying solely on a WAF leaves many gaping security holes.

Customize Function Permissions: 90% of permissions in serverless applications are found to be over permissioned. While setting up permissions feels like a daunting task when thinking of the function levels in serverless, a one size fits all approach is not a solution. Setting policies that are larger and more permissive in the function is a common serverless security mistake, and failing to minimize individual function roles and permissions makes your attack surface larger than necessary. Creating proper function level permissions requires DevSecOps teams to sit down with the developers who wrote the functions and review what each function does. Only after determining what each function actually needs to do, can a unique role for each function and a suitable permission policy be created. Luckily there are tools available to help automate this process for heightened AWS Lambda security, as well as other cloud-native platforms.

Conduct a Code Audit: Black Duck Software conducted an audit of 1,000 commonly-used applications in enterprises and found that 96% utilized open-source software. Furthermore, their researchers found that 60% of that software contained security vulnerabilities, and some of the bugs were more than four years old. This makes code ownership and authenticity a critical security risk, as can you really trust what isn’t yours?

Referred to as “Poisoning the Well,’ attackers aim to gain more long-term persistence in your application by means of an upstream attack. Cloud-native applications tend to comprise of many modules and libraries. The modules often include many other modules, so it’s not uncommon for a single serverless function to include tens of thousands of lines of code from various external sources, even with less than 100 lines of code your developers wrote. Attackers look to include their malicious code in common projects. After poisoning the well, they patiently wait as the new version makes its way into your cloud applications. To enhance AWS serverless security, as well as Microsoft Azure, Google Cloud Functions, etc, it is important to conduct a security audit of the code or look for tooling that can automate the process, scanning for vulnerabilities as a serverless security best practice.

Retain Control Over Your Functions: This may sound like a utopian dream, but code vulnerability can be mitigated through careful CI/CD. Malicious functions can slip in through a variety of means, such as being deployed by a rogue employee. Additionally, develop workstations could be a target for attackers, rather than the deployed apps themselves, and would enable attackers to deploy malicious functions through legitimate channels. Such functions could sneak in and wreak havoc, undetected. To offset this chance, create a policy and strategy for conducting a code analysis during build before it goes into runtime, and make sure every function goes through CI/CD.

Look at All Attack Indicators: Visibility gets harder with serverless. The shift to serverless significantly increases the total amount of information and the number of resources, which hinders DevSecOps and Security team’s ability to make sense of all the data. As the quantity of functions increases, it becomes even more difficult to determine if everything is behaving the way it’s supposed to. Case in point, only a few hundred functions can generate billions of events in your log every day and it becomes difficult to know which are important. Even if you are familiar with the attack patterns that are unique to serverless apps, visually scanning them all simply can’t be done, so leverage AI tools for added serverless security visibility and efficiency.

Time Out Your Functions: Functions should have a tight runtime profile. Admittedly, crafting appropriate serverless function timeouts is often not intuitive. The maximum duration of a function can be quite specific to that function. DevSecOps teams must consider the configured timeout versus the actual timeout. Many developers set the timeout to the maximum allowed since the unused time doesn’t create an additional expense. However, this approach creates an enormous security risk because if an attacker is able to succeed with a code injection, they have more time available to do more damage. Shorter timeouts require them to attack more often, which we refer to as a “Groundhog Day,” attack, but it makes the attack more visible. As a serverless security best practice, shrink not just what a function can do, but how long it can run.

In conclusion, despite new security challenges arising, serverless deployments are great for organizations of all sizes- providing developers with speed to launch, and improving operational costs and efficiencies. Serverless also creates an opportunity to adopt an even greater security posture since everything is at the function level making it even more difficult for attackers. To embrace this new opportunity, it is important for teams to change their approach to application security in serverless deployments. Securing serverless apps requires a variety of tools and tactics, including collaboration between the people involved in the application and the security.

The post Serverless Security: Best Practices to Secure your Serverless Infrastructure appeared first on CyberDB.

Test Your Knowledge on How Businesses Use and Secure the Cloud

Security used to be an inhibitor to cloud adoption, but now the tables have turned, and for the first time we are seeing security professionals embrace the cloud as a more secure environment for their business. Not only are they finding it more secure, but the benefits of cloud adoption are being accelerated in-step with better security.

Do you know what’s shaping our new world of secure cloud adoption? Do you know what the best practices are for you to accelerate your own business with the cloud? Test your knowledge in this quiz.

Note: There is a widget embedded within this post, please visit the site to participate in this post's widget.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report: Business Growth Edition

Blog: Top Findings from the Cloud Adoption and Risk Report: Business Growth Edition

Blog: Why Security Teams Have Come to Embrace the Cloud

MVISION Cloud Data Sheet

MVISION Cloud

The post Test Your Knowledge on How Businesses Use and Secure the Cloud appeared first on McAfee Blogs.

Using Intelligent Data Controls to Accelerate Business

In our previous blog post, Getting Started with Cloud Governance, enterprise security architect Wayne Anderson discussed the challenge of understanding the “sanctioned” path to the cloud and how governance was the initial building block for cloud security. To understand the sanctioned path, we must have visibility into our overall use of cloud services and further apply a set of intelligent controls that enforce our governance requirements. These steps become the building blocks for intelligent data control, which tightens our data security posture and allows accelerated business transformation.

Before we focus on the intelligent control of data in sanctioned services, we must have a good understanding of what services are being utilized in our environment, along with the associated risk they bring. Setting requirements for cloud service governance is a good first step in identifying and limiting services. To map a set of technical controls to the problem data protection in the cloud, we must start with an architecture and an intelligent model that helps us achieve the desired controls.

The application of intelligent data control starts with a centrally managed platform that is elastic and works across all cloud services models, from SaaS, to PaaS and IaaS. There must be a consistent model in place for the visibility and control of allowable services as well as the control of data for sanctioned applications. The data policies used by the platform should also be consistent in both device-to-cloud and cloud-and-cloud scenarios.

Here’s a diagram showing a common control plane across cloud models:

Once we have the platform defined and in place, we monitor the cloud services being used and build an inventory of discovered services.

Here’s a sample inventory of cloud services using McAfee MVISION Cloud as our platform:

The discovered cloud services inventory is mapped against a comprehensive cloud services risk registry that assesses each service against dozens of attributes that can be used for fine-grained governance policies.

Example cloud service risk profile and attributes:

Finally, we can craft and apply our governance policies, providing visibility and/or remediation of services that fall outside the governance requirements. Any future changes to governance requirements are monitored by an approval workflow system.  The risk registry is updated dynamically and external to the policy execution. This allows for remediation of newly discovered and disallowed cloud services that are outside the acceptable governance requirements.

Intelligent application of governance requirements:

Using this arrangement allows us to implement governance requirements such as total risk (no services allowed with a risk score > 7 on a 1-to-10 scale), not allowing a service that is multi-tenant and does not encrypt data at rest, etc.

Providing intelligent control of cloud services governance policies helps to close the gap of data loss and malware from suspect services that have not been sanctioned. Establishing intelligent governance of cloud services allows for the next step of applying intelligent control to our sanctioned services.

In the future, we will continue the discussion on how intelligent data control can increase data security efficacy and accelerate your business as a result.

The post Using Intelligent Data Controls to Accelerate Business appeared first on McAfee Blogs.

Ten tips for better AWS cyber security

Amazon Web Services (AWS) offers a huge variety of benefits for businesses, and organisations are increasingly opting for cloud solutions for their data, website, and applications. However, there are still some businesses using AWS that have not put the proper cyber security controls in place. Here we take a look at ten great tips to improve your AWS cyber security.

  1. Understand your responsibilities

When you work with any kind of web services provider you need to understand what you are responsible for and what will be managed by the provider. This is absolutely true in terms of AWS – where Amazon runs its so-called ‘shared responsibility model’. In this model AWS is responsible for protecting the infrastructure of the AWS cloud system including hardware, software, and networking.

On the other hand, you as the customer is responsible for customer data, identity and access management, firewall and anti-virus configuration, and issues such as data encryption. It can sometimes be necessary to work with outside agencies to manage your own cyber security.

  1. Ensure you have a coherent strategy in place

There is often a debate regarding cyber security: should you put controls in place to protect your business first and then update the system as necessary, or should you prioritise establishing a coherent strategy first, before investing in expensive services and tools? You might assume that you need to put defences in place immediately, regardless of whether they are right for your business, but in fact this can often be expensive and difficult to change at a later date.

In the majority of cases it is important that you should put a strategy in place first. With the complex requirements of modern cyber security, you need to understand the needs of your operation before you commit to services.

  1. Use a secure password policy

You need to ensure that your users are protecting themselves with strong passwords. You should put a secure password policy in place – this should not only mean that the passwords have specific requirements (such as: at least 8 characters; numbers, letters and symbols used; etc.) but also that the passwords should need to be updated periodically, and must be unique from previously used passwords.

The policy needs to be configured in the settings of your system so that there is no option for users to not follow them.

  1. Clearly define users’ roles

One major cyber security issue can occur in AWS if a business fails to define and set user roles. If all users have the same permissions and can access the whole of the system then your company is at serious risk if just one of them is compromised by cybercriminals.

You can easily manage user roles in your AWS account, ensuring that staff only have access to the data and files that they need in order to do their job. Of course, it is also important to regularly re-assess accounts to be sure that individuals do not have access to information across the whole of the system.

  1. Opt for a managed service if you require technical expertise

If you want to use AWS services for its many benefits but you are concerned that you do not have the kind of in-house technical expertise required to do so successfully, it can be a great idea to use a managed service. AWS specialists, Wirehive, say:

“There’s no doubt that managed AWS solutions can be extremely powerful and valuable for businesses. However, with the range of tools and options available to AWS businesses, day-to-day infrastructure management activities of the service can be demanding and complicated, taking significant expertise and resources away from more profitable tasks.”

You can work with companies offering a wide range of options to suit your needs, whether you are looking for 24/7 support and the whole system managed for you, or you just need expertise on specific issues.

  1. Put written procedures in place

It is a great idea to ensure that you have your cyber security procedures written up so that they can be accessed by anyone in the company. It is important to have a documented record of plans so that staff are ready to implement them.

  1. Include security at all layers

Yes, it is important to have cyber-security solutions such as firewalls and anti-virus software, but they are no longer enough to keep your business secure. When you work with AWS it is important to provide cyber security solutions for all layers of your business. This means everything from endpoint security measures to integrated SIEM services.

Once again, it is important to note here that if you do not take expert advice on the right sort of security services that you need, you can end up spending a large part of your budget on services that aren’t really doing anything for you.

  1. Encrypt sensitive data

AWS encourages its users to encrypt their data, and even offers you the option encrypt with the click of a button using their native encryption. However, you may prefer to implement your own encryption in ensure that you are protected to your own standards.

Additionally, it should be pointed out that encrypting data will not slow down your system, as some believe – it is simply an important method of securing your data.

  1. Never use expired certificates

It might seem like common sense, but it is still a problem for some AWS users. You should not be using expired SSL/TLS certificates – they may not be compatible with AWS services anymore, and this can create a whole range of issues.

    10. Backup everything

AWS offers backup solutions, and they really are worth considering. Every organisation needs to ensure that its data is backed up in case of either a ransomware-style cyber-attack or some other major issue.

 

The post Ten tips for better AWS cyber security appeared first on CyberDB.