PCI Security Standards Council has published a new Information Supplement: PCI DSS for Large Organizations. This document was produced by the 2019 Special Interest Group (SIG), whose members provided their expertise and shared experience of managing PCI DSS assessments in large organizations.
Zero trust is a concept that is gaining an increasingly large and dedicated following, but it may mean different things to different audiences, so let’s start with a definition. I refer to an excellent post by my friend Lee Newcombe and I agree with his definition of zero trust: “Every request to access a resource starts from a position of zero trust. Access decisions are then made and enforced based on a set of trust …
Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats that you are unaware exist do not cause pain until they rise up and bite – then the agony is fierce. Companies get themselves into trouble when they do not fully understand the way data moves through O365 or they apply on-premises security practices to their cloud strategy. While the O365 platform comes with …
In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to Jon Callas, a world-renowned cryptographer, software engineer, UX designer, and entrepreneur. Before joining the ACLU as senior technology fellow, he was at Apple, where he helped design the encryption system to protect data stored on a Mac. Jon also worked on security, UX, and crypto for Kroll-O’Gara, Counterpane, and Entrust. He has launched or worked on the launches of many …
The post Jon Callas: Encryption is a technology that rearranges power appeared first on Help Net Security.
62 percent of employees are unsure if their organization has to comply with the recently-enacted CCPA, which gives California residents enhanced consumer data privacy rights, according to a survey of more than 1,000 employees conducted by Osterman Research. Results reveal a similar lack of awareness regarding the GDPR, in effect since 2018. Employee cybersecurity and privacy engagement The findings reveal progress in cybersecurity awareness. However, many respondents continue to hold false impressions about malware, phishing, …
The post Employees aware of privacy risks, but unsure of how they affect the workplace appeared first on Help Net Security.
The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact. Following the worldwide controversy over hacking that influenced the …
The post What the government infosec landscape will look like this year appeared first on Help Net Security.
Is an electricity provider’s supply chain its weakest link in the event of a cyberattack? The evidence is compelling that third parties often play unwitting roles. For example, the NotPetya ransomware attacks in mid-2017 originally gained a foothold via a backdoor in third-party accounting software. To safeguard North America’s electricity supply, the North American Electric […]
Sometimes a disaster strikes: ransomware encrypts critical files, adversaries steal sensitive data, a business application is compromised with a backdoor… This is the stuff that CISOs’ nightmares are made of. As devastating as such incidents can be, for the short time after they occur, the enterprise usually empowers the CISO to implement security measures that he or she didn’t get funding for earlier. Of course, waiting for disastrous events is a reckless and unproductive way …
According to the NIS Directive, Member States should adopt a common set of baseline security requirements to ensure a minimum level of harmonized security measures across the EU and enhance the overall level of security of operators of essential services (OES) and digital service providers (DSP). The NIS Directive sets three primary objectives: to improve the […]
The post Assessment Frameworks for NIS Directive Compliance appeared first on The State of Security.
Keeping up with rapidly changing regulatory requirements has become one of the biggest challenges organizations face today. Just as companies finished preparing for the General Data Protection Regulation (GDPR), California’s privacy regulation—the California Consumer Privacy Act (CCPA)—went into effect on January 1, 2020. And in August 2020, Brazil’s own GDPR-like regulation, Lei Geral de Proteção de Dados (LGPD), will start to be enforced.
To help you take a proactive role in getting ahead of privacy compliance, we’re announcing new privacy-focused assessments available in the public preview of Microsoft Compliance Score. These new assessments help you assess your compliance posture and provide guidance to implement more effective controls for CCPA, LGPD, ISO/IEC 27701:2019, and SOC 1 Type 2 and SOC 2 Type 2.
To learn more, read Microsoft Compliance Score helps address the ever-changing data privacy landscape.
The post New privacy assessments now included in Microsoft Compliance Score appeared first on Microsoft Security.
The Azure security team is pleased to announce that the Azure Security Benchmark v1 (ASB) is now available. ASB is a collection of over 90 security best practices recommendations you can employ to increase the overall security and compliance of all your workloads in Azure.
The ASB controls are based on industry standards and best practices, such as Center for Internet Security (CIS). In addition, ASB preserves the value provided by industry standard control frameworks that have an on-premises focus and makes them more cloud centric. This enables you to apply standard security control frameworks to your Azure deployments and extend security governance practices to the cloud.
ASB v1 includes 11 security controls inspired by, and mapped to, the CIS 7.1 control framework. Over time we’ll add mappings to other frameworks, such as NIST.
ASB also makes it possible to improve the consistency of security documentation for all Azure services by creating a framework where all security recommendations for Azure services are represented in the same format, using the common ASB framework.
ASB includes the following controls:
- Network security
- Logging and monitoring
- Identity and access control
- Data protection
- Vulnerability management
- Inventory and asset management
- Secure configuration
- Malware defense
- Data recovery
- Incident response
- Penetration tests and red team exercises
Documentation for each of the controls contains mappings to industry standard benchmarks (such as CIS), details/rationale for the recommendations, and link(s) to configuration information that will enable the recommendation.
ASB is integrated with Azure Security Center, allowing you to track, report, and assess your compliance against the benchmark by using the Security Center compliance dashboard, which presents the benchmark in its own tab. In addition, the ASB affects the Secure Score in Azure Security Center for your subscriptions.
ASB is the foundation for future Azure service security baselines, which will provide a view of benchmark recommendations that are contextualized for each Azure service. This will make it easier for you to implement the ASB for the Azure services that you’re actually using. Also, keep an eye out for our release of mappings to NIST and other security frameworks.
Send us your feedback
We welcome your feedback on ASB! Please complete the Azure Security Benchmark feedback form. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
In my first week of the basic course in the Israeli army, I was taught that in terms of information security there is no information item too negligible or too small to deal with.
The base location, the unit’s name, how big my team is – none of this shall be told.
There is no need to brag about the amazing projects we do.
There is no reason to connect external media to computers.
EVERYTHING about information security is important and must be attended to.
That approach is based on the assumption that a person who was educated from the very first moment not to disclose the name of the unit (barely even the city it is located in) will be very mindful and aware when handling information with real potential for harm.
This is an excellent and well-proven attitude with regard to security, and I’d expect it to be a cornerstone in mission critical cyber security organizations and industries such as medical, energy, avionics and automotive.
You can imagine how surprised I was when I heard too many times from too senior executives in tone-dictating companies:
“The distance between a weakness, to a hack, to actually taking over a vehicle and putting people in jeopardy is very large. We shall not be excited by each vulnerability.”
Technically, to some extent, they are right. The transition from weakness to exploitation is significant and sometimes impossible. Not every weakness will end in a ransomware message on your airplane infotainment screen.
But it is exactly this nuanced approach to security events that we must not become indifferent to.
After all, taking control of a Jeep Cherokee was a combination of weaknesses, exploitation methods, poorly protected communication, etc.
At the end of the day, each cyber incident begins with a weakness that was not well covered, published or addressed – pile on top of that great motivation, high technical skills and tenacity, and the result is an assault that will make you wanna cry.
As Lao Tzu said, ‘A journey of a thousand miles begins with a single step’.
In the cyber-security arena, a small buffer overflow can sometimes be this single step.
With cyber security we must go ‘All-In’ and leave nothing to luck. We must identify all the threats and evaluate the degree of exposure each one produces.
This knowledge gives us options to tackle and resolve them – some as simple as using a different compilation method, some as complex as engaging the supply chain and development teams, and some that can be solved through operational mechanisms and processes.
I know that this ‘epiphany’ moment about the security status of your product usually causes more headaches than relief – since it usually brings a flood of new issues and gaps, and their treatment does not make it easier to meet the schedule or increase the margins.
It is much easier and more fun to hide under the warm blanket of blessed ignorance and practise surprised gestures.
In my opinion this is not a privilege we have in critical infrastructures, and specifically not in the current era of revolution. We strive for a shared, electronic and autonomous world – a cyber attack will hold back the revolution and deal a severe blow to the spirit of progress we all enjoy anticipating.
I know that the cyber security industry is aware of these needs; there are solutions (I am sure they can get better) for doing just that: Cyber Risk Assessment – mapping vulnerabilities, finding violations of security policies, compliance with the emerging ISO 21434, hardening issues, poorly implemented encryption, and even identifying the entire software stack. Risk assessment is conducted to avoid incidents, and the right measures should be devoted to doing just that – avoid incidents, not respond to them; avoid.
To sum up, as I was told by the first sergeant while patrolling around the base, and as ‘Ivar the Boneless’ discovered in the last season of Vikings – a single uncovered crack and you may lose the fortress, lose the trust of the people and find yourself dining with the gods at Valhalla.
Therefore, don’t overlook your flaws and vulnerabilities – progress starts there – accept yourself (and your imperfect code) as you are and strive for improvement.
Guest blog written by Eddie Lazebnik – bringing 15 years of cyber experience in both the private and public sector, and recently in a groundbreaking startup. He served Israeli government and military cyber security organizations for about a decade. He holds an education in business administration, has a proven technical execution record and a great passion for technology and innovation. He is very excited about the IoT revolution, specifically in the automotive industry – connected and autonomous vehicles. These days he leads strategy and strategic partnerships at Cybellum.
In Changing the monolith—Part 1: Building alliances for a secure culture, I explored how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? In Part 2, I address considerations for the cybersecurity team itself, the organization’s business leaders, and the employees whose buy-in is critical.
Build the right cybersecurity team
It could be debated that the concept of a “deep generalist” is an oxymoron. The analogy I frequently find myself making is you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.
Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.
If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.
Keep business leaders in the conversation
Leaders can enhance their organizations’ security stance by sending a top-down message across all business units that “security begins with me.” One way to send this message is to regularly brief the executive team and the board on cybersecurity and privacy risks.
Keep business leaders accountable about security.
These should not be product status reports, but briefings on key performance indicators (KPIs) of risk. Business leaders must weigh in on what the organization considers to be its top risks.
Here are three ways to guide these conversations:
- Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics—which all place similar, if not identical, stresses on the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of business and administrative functions.
- Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
- Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it’s effective against attacks that could be considered “acts of war,” which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?
Gain buy-in through a frictionless user experience
“Shadow IT” is a persistent problem when there is no sanctioned way for users to collaborate with the outside world. Similarly, users save and hoard emails when, in response to an overly zealous data retention policy, their emails are deleted after 30 days.
Digital transformation introduces a sea change in how cybersecurity is implemented. It’s paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.
Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.
Incremental change versus tearing off the band-aid
Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!
Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?
Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.
Fewer organizations take this alternative approach of “tearing off the band-aid.” If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.
Stay tuned and stay updated
Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.
The post Changing the monolith—Part 2: Whose support do you need? appeared first on Microsoft Security.
The new General Data Protection Regulation (GDPR), which came into effect in 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access to and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, who must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.
This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:
- Understanding your data and responsibilities
- Defining your data consent policy
- Access requests and disposing of old data
- Setting up a data storage and security policy
- Training all staff on GDPR
- Creating data processing notices
- Understanding your data and responsibilities
In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.
You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.
- Setting out your data consent policy
Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.
You must be able to show that you have obtained consent for all the data that you have collected. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent. This is now illegal under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe link at the bottom of all emails.
- Access requests and disposing of old data
If you haven’t already, GDPR states that you must get re-permission from customers whose information you held before the new guidelines were implemented in May 2018. If they do not give you their consent once again or they do not reply to your email at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be getting auditing processes in place that determine how long you will store data. For example, if a customer has not engaged with your brand in 12 months it is no longer necessary to keep their information and it should therefore be deleted.
What’s more, as part of GDPR every EU individual has the right to access their data. Therefore you need a system in place to deal with access requests. You’ll have 30 days from receiving the request to provide them with an electronic copy of all the information you have on them. They can also request that this be deleted, so you need a system in place to get this done as quickly as possible.
- Setting up a data storage and security policy
GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.
You also need to know how data is being transferred and the flow of information around your business. This stops information getting lost or falling into the wrong hands. It also pays to have a system in place in case hardware containing sensitive information is accessed or lost. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.
- Training all staff on GDPR
Most data breaches or security mistakes come as a result of human error. But unfortunately, in this case ignorance isn’t bliss: you cannot use ignorance as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. As part of GDPR, you must report any data breaches within 72 hours; this becomes much easier if everyone in your team is educated on what a breach looks like and who they need to report it to.
- Creating data processing notices
Finally, data handling needs to be a clear and transparent process, and therefore it’s a good idea to create a notice to explain how your business collects and processes data. This is often called a Fair Processing Notice and can be sent out to customers/users as well as being displayed somewhere on your website. It should outline how you capture, use and store data, as well as giving instructions on how an individual can make an access or deletion request. This helps them to understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.
Medical IoT devices operate in care facility environments that encompass care giving, case management, customer service, and clinic management. As such, the risk to data gathered and managed by medical devices extends beyond the device itself. A compromise of clinic management services can propagate to IoT device command and control, allowing compromise of devices in attacks that do not directly touch the device at all. This is clearly the major driver for the emerging category of “Medical IoT (IoMT) Cyber Security”.
A large hospital, for example, could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack. A recent report from Irdeto found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year.
Going over the players in this industry, it is clear that the Medical IoT security category includes a number of different approaches with the common target to provide the customer with a clear assets discovery and timely alerting on security breaches and attacks on its Medical environment.
Although many large security players are addressing this niche too, CyberDB identified a number of emerging players that are focusing on this industry and as such we expect them to benefit from the growth in this market. These players are (in alphabetical order):
Due to the clear use case and the growing awareness and need in this market, we can see general-purpose IoT security players moving towards the Medical IoT security market.
According to a recent report by BisResearch, the overall Medical IoT cyber security market has been witnessing steady growth. The market is expected to continue to grow with a double-digit CAGR of 41.38% during the forecast period 2019-2028.
CyberMDX is a pioneer in medical cyber security, delivering visibility, threat prevention and analytics for medical and IoT devices and clinical assets. It is a best-of-breed product built from the ground up for healthcare delivery organizations. CyberMDX was established in 2017, operates globally and has raised $10M of funding so far. Its headquarters reside in Tel Aviv and New York City.
CyberMDX counters and prevents growing cyber-threats against hospitals, ensuring its critical assets operational continuity as well as patient and data safety. CyberMDX delivers endpoint visibility, network threat prevention and operational analytics for medical, IoT, and OT devices. The agentless solution automates the most granular, context-aware device profiling available on the market and combines it with healthcare tailored risk assessment and remediation capabilities.
Using CyberMDX, healthcare teams can easily:
- Audit devices for software vulnerabilities and prioritize patching
- Detect malicious activity and behavioral anomalies, triggering responses accordingly
- Manage risks proactively via smart micro-segmentation planning and automation
- Streamline clinical compliance programs
- Report device-relevant FDA recalls
- Optimize device allocation and procurement decision based on usage insights
- Track and manage medical asset lifecycles
- Provide rich reports in support of HIPAA and corporate compliance efforts
- Seamlessly integrate with existing cyber and IT solutions to enrich data sets, enhance workflows, and enable operational excellence
- Interdepartmental HDO functionality and true workflow enablement: CyberMDX takes a holistic, 360° view of healthcare organizations and understands that only by building a common frame of reference and cross-departmental synergies can wholesale progress be achieved. Beyond mere security, CyberMDX provides security, IT, clinical engineering and compliance teams with a platform for data-driven workflow enablement and collaboration.
- Unmatched, context-aware visibility: CyberMDX delivers deep visibility into medical devices, protocols, and connected things of all sorts — along with a clear-eyed view of their clinical context. This deep and contextual visibility drives prevention, incident response, risk mitigation, and lifecycle management (including patch availability notifications). The solution covers medical devices, IoT, and OT across the entire network — providing a single pane of glass from which to view all connected healthcare assets.
- Superior depth and breadth of risk reporting around clinical and critical assets: CyberMDX has a dedicated research team focused solely on connected healthcare and IoMT. The team works with medical device manufacturers and regulatory bodies such as CISA, ECRI, MITRE and the FDA to spot and lock down cybersecurity hazards and vulnerabilities before they can be exploited by malicious actors.
Cynerio was established in 2017 by a versatile team with expertise in cybersecurity, medical devices, and healthcare IT. Headquartered in New York City, Cynerio works with leading Healthcare Delivery Organizations (HDOs) worldwide and delivers the only medical-first cybersecurity solution clinical ecosystems require to stay secure and operate with the peace of mind they need to put their focus where it’s needed most: on patient care.
The IoT is an emerging space with a broad sphere of challenges that gets even more complicated when placed in the healthcare context. Hospitals and other HDOs have limited visibility into which devices exist on their networks, device behavior, and vulnerabilities. This limited visibility and understanding impairs IT personnel’s ability to remediate without interrupting patient care.
Securing the healthcare IoT poses the multifold challenge of securing medical devices developed without security in mind. Many of these devices run on outdated operating systems and can’t be patched. Hospital staff often has limited knowledge of the scope of security risks and vulnerabilities introduced to the network by unprotected devices. This is further complicated by traditional security solutions that are ineffective in dealing with connected devices in general.
Hospitals also rely on various non-traditional medical devices to help deliver essential care, such as elevators used to transport patients and smart refrigerators used to store sensitive biological material and medications. These devices are connected to the clinical ecosystem and are involved in medical workflows but are often not given the proper priority when evaluating the security strategy.
Cynerio’s holistic medical-first approach to healthcare / Medical IoT cybersecurity management provides HDOs with a one-stop shop they can rely on by prioritizing patient care and privacy above all else while contextualizing risk and remediation within the framework of healthcare business goals. This approach to security allows HDOs to gain control over their clinical assets and helps achieve immediate security goals and meet strategic, long-term objectives.
Cynerio’s agentless and nonintrusive solution analyzes device communications and behavior to provide ongoing, accurate, and contextual assessments of risk and security posture. This enables swift remediation without impacting operations.
Medigate is a comprehensive platform for IoT cybersecurity. Its capabilities drive use-cases that have redefined expectations around what clinical visibility can mean, and Medigate partners with health systems across the world to monetize their risk reduction practice.
Not unlike other industries, Healthcare’s vaunted digital transformation is based on unprecedented, new levels of visibility. Although having the ability to identify connected endpoints represents a step forward, it is not the game-changer. Rather, it’s the device-specific, detailed attribution and utilization metrics passively captured by Medigate that competitively separates its offering. Made even more real by meaningful and fully operationalized integrations to the systems that can naturally benefit (e.g. NAC, firewalls, SIEM, CMMS and emerging applications in supply chain, procurement and finance), Medigate’s excellent track record with some of the nation’s largest health systems is easily verified.
It is not “magic” and Medigate’s engineering-heavy company profile reflects it. Medigate has done the heavy lift required to passively fingerprint all connected assets, including serially connected modules and/or devices “hidden” behind legacy and modern integration points. The approach is known as deep packet inspection (DPI). Having invested in the engineering talent required to effectively parse the transmission flows between devices, nested modules, integration points and their payload destinations (e.g. EMRs), Medigate delivers the most detailed and accurate baselines available, while also providing continuously monitored, dynamic views of the entire connected ecosystem.
Emboldened by widely publicized and successful attacks, the FDA’s changing guidance, Joint Commission directives and the recognition by acute care providers that ultimately, it’s a patient safety issue, risk capital has poured into the problem space. Validating Medigate’s approach, competitors use deep packet inspection (DPI) when they can and rely on probabilistic methods (i.e. behavioral models promoted as AI) when they cannot. For DICOM and other protocols packaged in the HL7 framework, all vendors use DPI, but that’s as far as they go, and that’s a seminal difference. Solution evaluators should investigate that difference and make up their own minds.
Medigate’s deterministic approach relies on its proven ability to resolve more than one hundred unique medical device protocols encompassing thousands of common devices that would otherwise go uncovered. The skillsets required to do that, and the resulting superior data quality, have fueled far more meaningful system integrations, non-traditional cross functional collaborations and numerous new use-cases that are turning risk reduction into a more strategically diverse, revenue creation practice. In terms of clinical network visibility, Medigate-powered “views” of what’s now possible are strengthening IT’s ROI mission to the enterprise.
Sternum, the multilayered cybersecurity solution offering real-time, embedded protection for IoT devices, was founded in 2018 in Tel Aviv by a team of highly experienced R&D and business leaders. Sternum has a profound understanding of embedded systems and deep insights into the dynamics of today’s threats, offering a new standard of cybersecurity for medical IoT devices. In accordance with the FDA’s pre-market cybersecurity guidelines (which included our commentary), and with unique technology that is ensuring the security of all connected medical devices, Sternum is protecting patients’ lives.
The result: Robust defense of lifesaving devices such as pacemakers and insulin pumps by mitigating known threats while simultaneously adapting to and combating new ones.
The company has developed two holistic solutions:
- Sternum’s Embedded Integrity Verification (EIV) identifies and blocks cyberattacks in real time. This integrity-based attack prevention can be deployed to any medical device, including distributed and unmanaged IoT devices. EIV operates like an on-device firewall, validating each operation within the device. EIV only needs to be deployed once. Once EIV is installed, every new piece of code (including third-party code) receives protection automatically, fitting into the low-resource environment of medical devices and providing security throughout the device’s lifecycle.
- Sternum’s Real-time IoT Event Monitoring System (RIEMS) provides first-of-its-kind visibility from within IoT devices (including operating systems and other third-party components) so that OEMs who manufacture the devices, enterprises who implement them, and consumers who use them are immediately alerted to indications of any cyber breach, including prevented attack attempts. RIEMS also continuously monitors devices outside managed networks, enabling OEMs to maintain control of product security for all distributed devices.
How is Sternum’s software-only product suite revolutionary in the medical IoT world?
- Sternum, as a high-diversity and platform-agnostic solution, is the only on-device, real-time cybersecurity solution supporting all types of real-time operating systems (RTOS) and homegrown OS.
- Sternum’s solution operates during runtime with exceptionally low overhead of 3%.
- Because it operates in real time, the solution thwarts zero-day attacks.
- While network security solutions fail to adequately secure today’s distributed medical devices, Sternum provides real-time monitoring of devices outside managed networks.
- Cyberattack prevention is near-perfect when utilizing Sternum’s EIV solution: when benchmarked with RIPE (Runtime Intrusion Prevention Evaluator) across more than 170 cyberattacks, 96.5% were prevented.
Sternum’s unique, flexible cyber security solution for the Internet of Medical Things (IoMT) can be seamlessly integrated with any medical device’s operating system and development process.
Founded in 2017 by serial cybersecurity entrepreneurs Netanel Davidi and Uri Alter, VDOO has raised $45 million from top-tier investors including 83North, Dell Technology Capital, WRVI Capital, GGV Capital, NTT DOCOMO Ventures and MS&AD ventures. The company currently has more than 65 employees at our offices in the US, Japan and Israel, and dozens of well-known customers around the globe including Medtronic, Stanley Healthcare, NTT and MS&AD.
With device security quickly becoming a strategic imperative for the healthcare market, product security teams that work on medical devices cannot keep making long-term decisions based on a partial picture of possible vulnerabilities at a single stage of the device lifecycle. In order to scale their ability to provide optimal security, they must replace the time- and resource-intensive point solutions they are using today with a single integrated platform.
This is where VDOO comes in. Our Product Security Platform for Connected Devices is the only automated security solution that is integrated across the entire medical device lifecycle – from design and development all the way to deployment, post-deployment and legacy. The end-to-end platform includes modules for security analysis, gap resolution, regulatory compliance, embedded protection, operations monitoring, executive insights and threat intelligence.
VDOO’s unique approach to providing optimal security for medical devices is based on the combination of our patented technology with advanced binary analysis and highly sophisticated machine learning capabilities. This is augmented by our research team, which includes some of the world’s leading embedded security experts, that has built the most comprehensive device security database available today based on the thorough analysis of hundreds of millions of binaries and tens of thousands of connected products.
The VDOO platform’s key differentiators and benefits:
- Contextual and focused device-specific security – Speed up time-to-market and reduce the risk of attacks by cutting out the noise and focusing on the right threats
- Automated security processes for the entire device lifecycle – Improve the efficiency of SDLC processes, reducing operational resource requirements across the board
- Verified compliance with leading standards and regulations – Increase product sales while improving customer adoption by ensuring that all devices are compliant
- Full visibility into the software supply chain – Reduce dependency on third parties by owning your security, thus lowering legal, monetary and reputational risks
- Comprehensive endpoint security visibility and analytics – Monetize security as a business model by offering monitoring and protection services to end-users
The post 5 Promising vendors focusing on Cyber Security for Medical IoT (IoMT) appeared first on CyberDB.
Breach and Attack Simulation is a new concept that helps organizations evaluate their security posture in a continuous, automated, and repeatable way. This approach allows for the identification of imminent threats, provides recommended actions, and produces valuable metrics about cyber-risk levels. Breach and attack simulation is a fast-growing segment within the cybersecurity space, and it provides significant advantages over traditional security evaluation methods, including penetration testing and vulnerability assessments.
Going over the players in this industry, it is clear that the BAS category includes a number of different approaches with the common goal of providing the customer with a clear picture of its actual vulnerabilities and how to mitigate them.
CyberDB has handpicked in this blog a number of exciting and emerging vendors. These players, profiled below in alphabetical order, are Cymulate, Pcysys, Picus Security, Randori and XM Cyber.
These companies share a number of characteristics, including a very fast time to market, successful management teams and strong traction. In addition, all of them have managed to raise Series A or B funding over the last 16 months, ranging from $5M to $32M.
Other notable players range from incumbent to emerging players, such as Rapid7, Qualys, ThreatCare, AttackIQ, GuardiCore, SafeBreach, Verodin (acquired lately by FireEye) and WhiteHaX.
Gartner defines Breach & Attack Simulation (BAS) technologies as tools “that allow enterprises to continually and consistently simulate the full attack cycle (including insider threats, lateral movement, and data exfiltration) against enterprise infrastructure, using software agents, virtual machines, and other means”.
What makes BAS special is its ability to provide continuous and consistent testing at limited risk, and that it can be used to alert IT and business stakeholders about existing gaps in the security posture or to validate that security infrastructure, configuration settings and detection/prevention technologies are operating as intended. BAS can also assist in validating whether security operations and the SOC staff can detect specific attacks when used as a complement to red team or penetration testing exercises.
CyberDB strongly recommends exploring embedding BAS technologies as part of the overall modern Cyber security technology stack.
Cymulate was founded by an elite team of former IDF intelligence officers who identified frustrating inefficiencies during their cyber security operations. From this came their mission to empower organizations worldwide and make advanced cyber security as simple and familiar as sending an e-mail. Since the company’s inception in 2016, Cymulate’s platform has been recognized as a “Cool Vendor” in Application and Data Security by Gartner in 2018 and has received dozens of industry awards to date. Today, Cymulate has offices in Israel, the United States, the United Kingdom, and Spain. The company has raised $11 million with backing from investors Vertex Ventures, Dell Technologies Capital, Susquehanna Growth Equity, and Eyal Gruner.
Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to test, measure and optimize the effectiveness of your security controls any time, all the time. With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it—making security continuous, fast and part of every-day activities.
Fully automated and customizable, Cymulate challenges your security controls against the full attack kill chain with thousands of simulated threats, both common and novel. Testing both internal and external defenses, Cymulate shortens test cycles, provides 360° visibility and actionable reporting, and offers a continuous counter-breach assessment technology that empowers security leaders to take a proactive approach to their cyber stance, so they can stay one step ahead of attackers. Always.
With a Research Lab that keeps abreast of the very latest threats, Cymulate proactively challenges security controls against the full attack kill chain, allowing hyper-connected organizations to avert damage and stay safe.
Overtaking manual, periodic penetration testing and red teaming, breach and attack simulation is becoming the most effective method to prepare for and predict oncoming attacks. Security professionals realize that to cope with evolving attackers, a continuous and automated solution is essential to ensure optimal non-stop security.
Cymulate is trusted by hundreds of companies worldwide, from small businesses to large enterprises, including leading banks and financial services. They share our vision—to make it easy for anyone to protect their company with the highest levels of security. Because the easier cybersecurity is, the more secure your company—and every company—will be.
Established in 2015 with offices in Israel, Boston, London and Zurich, Pcysys delivers an automated network penetration testing platform that assesses and helps reduce corporate cybersecurity risks. Hundreds of security professionals and service providers around the world use Pcysys to perform continuous, machine-based penetration tests that improve their immunity against cyber-attacks across their organizational networks. With over 60 enterprise global customers across all industries, Pcysys is the fastest-growing cybersecurity startup in Israel.
The Problem – Missing Cyber Defense Validation
We believe that penetration testing, as it is known today, is becoming obsolete. Traditionally, penetration testing has been performed manually by service firms, deploying expensive labor to uncover hidden vulnerabilities and produce lengthy reports, with little transparency along the way. Professional services-based penetration testing is limited in scope, time-consuming and costly. It represents a point-in-time snapshot, and cannot comply with the need for continuous security validation within a dynamic IT environment.
PenTera – One-Click Penetration Testing
Requiring no agents or pre-installations, Pcysys’s PenTera platform uses an algorithm to scan and ethically penetrate the network with the latest hacking techniques, prioritizing remediation efforts with a threat-facing perspective. The platform enables organizations to focus their resources on the remediation of the vulnerabilities that take part in a damaging “kill chain” without the need to chase down thousands of vulnerabilities that cannot be truly exploited towards data theft, encryption or service disruption.
- Continual vigilance – the greatest benefit of employing the PenTera platform is the ability to continually validate your security from an attacker’s perspective and grow your cyber resilience over time. Pen-testing is becoming a daily activity.
- Reduce external testing costs – with PenTera, you can minimize cost and dependency on external risk validation providers. While in some cases an annual 3rd-party pen-test is still required for compliance reasons, it can be reduced in scope and spend.
- Test against the latest threats – as the threat landscape evolves, it is crucial to incorporate the latest threats into your regular pen-testing practices. Your PenTera subscription assures you stay current.
- Agentless – zero agent installations or network configurations.
- Real Exploits, No Simulations – PenTera performs real-time ethical exploitations.
- Automated – press ‘Play’ and get busy doing other things while the penetration test progresses.
- Complete Attack Vector Visibility – every step in the attack vector is presented and reported in detail to explain the attack “kill chain”.
Founded in 2014, Picus has more than 100 customers and has been backed by EarlyBird, Social Capital and ACT-VC. Headquartered in San Francisco, Picus has offices in London and Ankara to serve its global customer base.
Picus Security’s customers include leading mid-sized companies and enterprises, across LATAM, Europe, APAC and the Middle East regions.
Picus continuously validates your security operations to harden your defenses. Picus empowers organizations to identify imminent threats, take the most viable defense actions and help businesses understand cyber risks to make the right decisions.
Picus Security is one of the leading Breach and Attack Simulation (BAS) vendors featured in several Gartner reports such as BAS Market Report, Market Guide For Vulnerability Assessment and Hype Cycle for Threat Facing Technologies. Picus has recently been recognized as a Cool Vendor in Security and Risk Management, 2H19 by Gartner. Picus was distinguished as one of the top 10 innovative cyber startups by PwC and the most innovative Infosec Startup of the year by Cyber Defense Magazine.
Unlike penetration testing methods, Picus validates security effectiveness continuously and in a repeatable manner that is completely risk-free for production systems. This approach helps customers identify imminent threats, take action and get a continuous view of the actual risk. Picus customers also maximize ROI from existing security tools, get continuous metrics on their security level and can demonstrate the positive impact of security investments to the business.
Picus can provide measurable context about the descriptions, behavior, and methods of adversaries by running an extensive set of cyber-threats and attack scenarios on a 24/7 basis in production networks on its fully risk-free, false-positive-free platform. Picus constantly assesses organizational readiness for adversarial actions, prioritizes findings based on adversarial context and helps drive immediate actions to mitigate imminent threats.
- In-depth, full-coverage threat database with more than 7,600 real-world payloads that are updated daily, and adversary-based attack scenarios and techniques mapped to the MITRE ATT&CK framework to cover web application attacks, exploitations, malware, data exfiltration and endpoint scenarios.
- More than 34,000 mitigation signatures and 10 security vendor partnerships, so analysts can gain insight into the most viable defense actions in response to adversaries, with immediate mitigation validation.
- Actionable remediation recommendations tailored to organizations and their defense stacks, focusing only on attacks with mitigation solutions.
Randori’s mission is to build the world’s most authentic, automated attack platform, to help security teams “train how they fight”. Founded in 2018 by a former Carbon Black Executive and leading red teamers, Randori provides a SaaS platform to allow security teams of all maturity to spar against an authentic adversary. Customers are testing their incident response, identifying weaknesses (not just vulnerabilities), and as a result, producing justifiable ways to ask for further investment.
Randori is based in Waltham, MA with offices in Denver, CO. Known customers include Houghton Mifflin Harcourt, Greenhill & Co, Carbon Black, RapidDeploy, and ClickSoftware.
The Randori platform consists of two products, Recon and Attack.
Recon provides comprehensive attack surface management powered by black-box discovery. Customers can “see” how attackers perceive their company from the outside. This is especially useful for enterprise organizations with a changing network footprint, such as M&A, high seasonality, or undergoing cloud migration. Their approach differs from “internet-wide scan” methods, which can produce false-positives and are not actionable. Recon results are prioritized using a Target Temptation engine, which takes into account factors like known weaknesses, post-exploitation potential, and the cost of action by an attacker. Recon is available for free trial; a complimentary Recon report can be provided to any company over 1000 employees.
Attack provides authentic adversary emulation across all stages of the kill chain. Customers choose from objective-based runbooks that the platform will use to gain initial access, maintain persistence, and move laterally across the network. Risk is assessed across vulnerabilities, misconfigurations, and credentials—the same ways attackers breach companies. Attack is available to select early access partners and will broaden access in 2020.
The Randori differentiator is authenticity: to get started with their platform, only a single email address is needed to understand one’s attack surface and put it to the test. The platform seeks not to “validate existing controls” or “detection of MITRE ATT&CK techniques”, but help security teams train against a real adversary.
XM Cyber, a multi-award-winning breach and attack simulation (BAS) leader, was founded in 2016 by top security executives from the elite Israeli intelligence sector. XM Cyber’s core team is comprised of highly skilled and experienced veterans from the Israeli Intelligence with expertise in both offensive and defensive cyber security.
Headquartered in the Tel Aviv metro area, XM Cyber has offices in the US, UK, Israel and Australia, with global customers including leading financial institutions, critical infrastructure organizations, healthcare, manufacturers, and more.
HaXM by XM Cyber is the first BAS platform to simulate, validate and remediate attackers’ paths to your critical assets 24×7. HaXM’s automated purple teaming aligns red and blue teams to provide the full realistic advanced persistent threat (APT) experience on one hand while delivering vital prioritized actionable remediation on the other. Addressing real user behavior and exploits, the full spectrum of scenarios is aligned to your organization’s own network to expose blind spots and is executed using the most up-to-date attack techniques safely, without affecting network availability and user experience.
By continuously challenging the organizational network with XM Cyber’s platform, organizations gain clear visibility of the cyber risks, and an efficient, data-driven actionable remediation plan aimed at the most burning issues to fix.
- The HaXM simulation and remediation platform continuously exposes attack vectors, from breach point to any organizational critical asset so you always know the attack vectors to your crown jewels.
- The continuous loop of automated red teaming is completed by ongoing and prioritized actionable remediation of security gaps, so you know how to focus your resources on the most critical issues.
- The platform addresses real user behavior, poor IT hygiene and security exploits to expose the most critical blind spots so that you improve your IT hygiene and practices.
Even when an organization has deployed and configured modern security controls, applied patches and refined policies, there is a plethora of ways hackers can still infiltrate the system and compromise critical assets. XM Cyber is the only one to address the crucial question for enterprises: “are my critical assets really secure?” XM Cyber provides the only solution on the market that actually simulates a real APT hacker automatically and continuously.
By automating sophisticated hacking tools and techniques and running them internally, XM Cyber allows you to see the impact a breach would have on your actual environment. And you can remediate gaps and strengthen security for your organization’s “crown jewels”, including your customer data, financial records, intellectual capital and other digital assets.
The post 5 Exciting players in the Breach and Attack Simulation (BAS) Cyber Security Category appeared first on CyberDB.
As part of your ISO 27001 certification project, your organisation will need to prove its compliance with appropriate documentation.
ISO 27001 says that you must document your information security risk assessment process.
Key elements of the ISO 27001 risk assessment procedure
Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process.
An information security risk assessment is a formal, top management-driven process and sits at the core of an ISO 27001 information security management system (ISMS).
There are five simple steps that you should take to conduct a successful risk assessment:
- Establish a risk management framework
- Identify risks
- Analyse risks
- Evaluate risks
- Select risk treatment options
The risk assessment process determines the controls that have to be deployed in your ISMS. It leads to the Statement of Applicability, which identifies the controls that you are deploying in light of your risk assessment process.
Our bestselling book, Nine Steps to Success – An ISO 27001 Implementation Overview, provides more information on the topic of risk management.
Conducting a risk assessment
For an ISO 27001 risk assessment to be successful, it needs to reflect the organisation’s view on risk management – and it must produce “consistent, valid and comparable results”.
The risk assessment procedure should be detailed, and describe who is responsible for each task, when they must be completed and in what order.
This can be a daunting task for many. Inexperienced assessors often rely on spreadsheets, spending hours interviewing people in their organisation, exchanging documents and methodologies with other departments and filling in data. After all that, they’ll probably realise how inconvenient spreadsheets are. For example:
- They are prone to user error;
- They are hard to maintain;
- It’s difficult to find relevant data in multiple tabs; and
- They don’t automatically conform to ISO 27001.
It doesn’t have to be like this. The risk assessment software vsRisk Cloud provides a simple and fast way to identify relevant threats, and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.
A version of this blog was originally published on 11 January 2018.
The post How to write an ISO 27001-compliant risk assessment procedure appeared first on IT Governance UK Blog.
Data protection laws around the world are changing the way businesses handle customer data. The healthcare industry, in particular, is under scrutiny due to the rise of high-profile cyberattacks aimed at some of the biggest healthcare providers.
Health organizations around the world are faced with numerous challenges so far as privacy laws and industry regulations are concerned.
Challenges for the healthcare industry regarding customer data
Whether it’s lax access control, outdated software systems, or overall low cybersecurity awareness, security challenges will likely continue to plague the healthcare industry because the cybersecurity threat landscape is constantly evolving.
This means all healthcare organizations are potential targets, but depending on their cybersecurity strategy, not all may be equipped to fend off hackers. Furthermore, medical information is worth ten times more than credit card information to hackers. Hackers can use stolen medical information to file claims with insurers and buy medical equipment or prescription drugs.
Despite regulations in place, some organizations are managing healthcare data in outdated, fragmented computer systems or with physical, non-digitized healthcare data. These organizations are unfortunately unprepared to meet these regulations or even protect patient data properly.
Furthermore, because healthcare data can mean genetic data, medical histories, and biometric data, which are not all that common in other industries, it can present unique challenges when trying to protect patient data.
What does the law say?
Some data privacy laws, such as the General Data Protection Regulation (GDPR), contain clauses or provisions that specifically address healthcare data.
For example, the GDPR explicitly addresses three types of healthcare data:
- Data concerning health: personal data related to the physical or mental health of a patient and information about their health status
- Genetic data: unique information about a patient’s physiology or health, derived from inherited or acquired genetic characteristics
- Biometric data: personal data that allows for the unique identification of a patient including facial images and fingerprints
With the GDPR, healthcare organizations that do manage this kind of data have an added burden to adhere to a higher standard of protection.
Patient Data Act
In the EU, some countries also have their own healthcare legislation that dictates how healthcare data is to be managed, processed, and even protected.
For example, in Sweden, in addition to the GDPR, hospitals must also comply with the rules governing the processing of personal health and medical care data that can be found in the Patient Data Act.
The Patient Data Act covers many aspects of customer data including a provision that only a person who needs the data may see the patient data.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) serves as the primary healthcare law for the entire country for all protected health information (PHI).
Under HIPAA, the Privacy Rule and Security Rule provisions address the necessary measures to guard the privacy and integrity of health data in the digital age. HIPAA also requires healthcare organizations to conduct risk assessments annually and compile reports.
Outside the US, HIPAA acts as the healthcare industry’s “north star for the collection, use, exchange, and protection of patient information.” Many health organizations turn to HIPAA to guide businesses in protecting sensitive health data and give patients the right to access their own information.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act came along to widen the scope of HIPAA’s data protection requirements. It helped increase the legal liability for non-compliance by health organizations.
Though there may be data security challenges, healthcare organizations understand the importance of protecting sensitive information. For this reason, sometimes organizations will create or voluntarily adhere to health standards and codes of conduct regarding the collection, use, and exchange of health information.
One example is HITRUST (Health Information Trust Alliance), a private organization that conducts corporate audits and certifies that healthcare organizations are employing appropriate technical, administrative, and physical safeguards to protect health data in compliance with HIPAA.
Digital Information Security in Healthcare Act (DISHA)
While it seems the US and Europe have taken the lead in addressing the protection of healthcare data in writing through laws and regulations, other countries may soon follow suit.
In India, there are strides to create new legislation that will seek to regulate the “collection, storage, transmission, access, and use of all digital health data” with the DISHA.
The proposed law will cover any entity that deals with digital health data in different industries like IoT, manufacturing, and others. The law would also require health organizations to provide data breach notices to their customers.
What role security plays
A common misconception is that security and compliance are interchangeable. They are not: a security control such as a WAF (Web Application Firewall) is one means by which a healthcare company can satisfy the data protection parts of a compliance regime, but it does not make the organization compliant by itself.
A WAF also cannot address every provision a healthcare law may impose, for example a "right to erasure," under which users can ask an organization to delete the data it holds about them.
Healthcare organizations therefore need to review their cybersecurity strategy and adopt whatever additional processes or technologies are required both to protect patient data and to comply with current healthcare data protection standards.
Cloudbric, as a WAF vendor, can help healthcare organizations protect data that is exposed through web applications, a must for any healthcare provider that gives patients direct access through the web.
Web vulnerabilities are the cracks through which attackers get in, so it is crucial for healthcare providers to protect this layer.
If you want to learn more, get in touch with our security team to learn how healthcare providers can benefit from using Cloudbric.
The post 5 Regulations for The Healthcare Industry and The Role of Security appeared first on Cloudbric.
WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.
Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?
Driver of WAF adoption
In a research study by Computing, 62% of IT decision makers surveyed across various industries named regulatory compliance as their primary reason for purchasing a WAF.
With regulations introduced to protect consumer data, businesses are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), which is a requirement for any business that accepts and processes card payments online.
Other notable drivers of WAF adoption found in the study:
- 46% of respondents said that their applications' inherent exposure to application-layer attacks had let them present a compelling business case for a WAF.
- 23% were driven by penetration testing that alerted them to some serious vulnerabilities in their web applications.
- 18% stated that there was simply no other cost-effective way of securing legacy applications.
Role of WAF in data protection laws
In the 1990s there were only about 20 data privacy laws worldwide; today there are over 100. In many cases government regulations require the deployment of a WAF, either explicitly or implicitly.
A WAF exists to protect an organization's web applications, the systems that typically hold and expose personal data, and to maintain data integrity, so it maps directly onto the data security obligations that countries with mature cybersecurity markets now write into their data protection and privacy laws.
One of the best-known laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), the EU's regulation on data protection and privacy for everyone within its borders.
However, not all countries have laws as developed as the GDPR. Many countries' data protection laws are too general to assign any real accountability to companies that hold user data, and they make no mention of deploying a WAF.
Saudi Arabia, for example, has privacy laws similar to those found elsewhere, but they address only privacy and data collection, with no data security requirements and no clause obliging companies to notify users of a data breach.
Why compliance and protecting customer data matter
Besides avoiding penalties or the suspension of their services, organizations that adhere to data protection laws and industry compliance standards also build trust with the people whose data they hold.
Users are more willing to engage with a service that demonstrates a commitment to data protection through compliance. If an organization does not uphold these standards, users are less willing to hand over personal information, and the company's reputation is on the line.
Any company that processes, manages, or stores personal data must therefore follow proper security practices to protect that data and notify users of any breach.
Not every data privacy law explicitly requires a WAF, but deploying one is a practical way to meet their data protection requirements for web-facing systems.
Take a look below at some of the laws around the world aimed at protecting user data.
Europe:
- EU: GDPR (General Data Protection Regulation)
- UK: Data Protection Act 2018
- Sweden: Data Protection Act (DPA)
- France: French Data Protection Act 2 (FDPA)
- Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG)

North America:
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- US: Privacy Act of 1974; Family Educational Rights and Privacy Act (FERPA)

Latin America:
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- Mexico: Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP)
- Argentina: Personal Data Protection Act 2000 (Law No. 25,326)

Middle East, Africa and Asia-Pacific:
- Israel: Privacy Protection Law (5741-1981)
- South Africa: Protection of Personal Information Act 2013 (POPIA)
- Singapore: Personal Data Protection Act 2012
- Hong Kong: Personal Data (Privacy) Ordinance, Cap 486 (PDPO)
- Australia: Privacy Act 1988 and Telecommunications Act 1997
- Malaysia: Personal Data Protection Act (PDPA)
Is there a famous data privacy law we missed? Drop us a line!
The post Data Protection Laws & Compliance As Drivers of WAF Adoption appeared first on Cloudbric.
"I've read on my web hosting provider's website that they have a good security solution in place to protect me against hackers."
This is a pretty common answer that a lot of bloggers and small business owners give me when I ask whether they know how secure their web hosting is. They often add that their budgets are tight, so they've chosen to go with "an affordable provider." By "affordable," of course, they mean "ridiculously cheap."
Come on, people.
Do you really think that a cheap web host has everything in place to stop a website attack? Do you think it will protect you from all types of hacker attacks?
While I don't know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable ones.
If you don't believe me, Google something like "hacked website stories" and you'll see that many web hosting companies, from the cheapest to some well-known ones, don't have adequate security in place. As a result, lots of people have lost their websites. These horror stories are common, and a simple search returns plenty of them.
Unfortunately, hackers are becoming more and more skilled at what they do, and the stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you'll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites had been hacked since midnight).
From what I saw on Internet Live Stats, roughly one website was being hacked every second. This is horrible, and one of the worst things about it is that many of the owners of these websites thought they were protected by their web hosting provider.
The next bad thing is that the number of websites hacked daily keeps rising. There were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as the live counter shows, that number has more than tripled in 2019. If the trend continues, we could easily see even more website owners losing their business every day.
While this information is certainly alarming, website owners are typically to blame for their websites being taken from them (not trying to be rude here at all). If we dig a little deeper into the data on hacked websites, we discover that many owners use ridiculously simple passwords, poor hosting providers and outdated content management systems (CMS), and do other unwise things that help hackers get in.
For example, many bloggers want to focus on content writing, editing, and lead building rather than think about things like hosting. While content proofreading is something they can get help with from online tools like Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.
Next, there's the issue of passwords. According to a recent analysis of breached accounts by the UK's National Cyber Security Centre (NCSC), 23.2 million of the accounts examined used "123456" as their password. About 7.7 million relied on "123456789," while "password" and "qwerty" were also popular, with more than 3 million users each.
While a password can be changed in seconds to protect your site against brute-force attacks, that alone won't protect you from most other cyber threats. Much of that protection is the responsibility of the hosting provider, and unfortunately a lot of people never consider this side of web security when choosing one.
That’s why we’re going to talk about hosting security issues that you should protect your site from.
How Web Hosting Affects the Security of Your Website
Before we talk about the major web hosting hazards, let's quickly cover the connection between the security of your website and the web hosting you use. I'll say this right away: choosing a web hosting provider is one of the most important decisions you'll make when setting up your website, and the implications go well beyond security.
For example, if you're a blogger or a business owner, a good host gives you:
- A high level of protection against hackers. "This means that you'll be able to concentrate on content creation," says Peter O'Brien, a content specialist from Studicus. "If I selected a poor host, I wouldn't spend so much time doing the creative stuff, that's for sure."
- Fast loading times. People don't like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 percent lower bounce rates, and 25 percent higher viewability than websites that take between 5 and 19 seconds to load. That's why Google released the mobile-first indexing update and designed its own PageSpeed Insights tool to help users optimize the performance of their websites.
- High reliability and uptime. Most web hosting companies claim that the websites they service are online for 99.9 percent of the time, but the real time can vary and depends on the quality of the provider.
- Better security. Different web hosting providers offer different security packages, so the websites they power get different levels of protection from hackers. Moreover, a good host can help you recover quickly if you have suffered an attack.
Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:
- Slow loading times. If your website takes more than five seconds to load, chances are its performance is being dragged down by a hosting provider that has crammed too many sites onto one server.
- Frequent security issues. If your website has no backups and suffers cyber attacks often, you should definitely talk to your provider (after making sure that your passwords aren't the problem).
- Regular unexpected downtime. A poor choice of web hosting provider often leads to this problem, which in turn is usually caused by overloaded servers. In other words, the provider simply can't handle the volume of visitors that your website (and the other websites on that server) receive.
So, to sum up, the quality of hosting is essential to the success of your online venture, and a poor choice can lead to disappointing outcomes (just remember the figures from the live counter). But with so many websites getting hacked every day, what do you need to know to protect your own? The next section covers it.
Beware of these Major Web Hosting Hazards
- Shared Hosting Issues
Shared hosting is a tricky business, and you don't know how many websites live on the same server as yours. The number may well be high, up to a thousand, and this could be one of the reasons your website is underperforming.
For example, this discussion thread had some interesting information on the subject. Someone asked how many websites are typically served from one shared server, and some of the answers were astonishing: one user reported 800 websites on a single server.
Can you believe it? 800 websites on one server! Talk about performance issues, right?
While I realize that a single server can host up to several thousand websites, imagine what happens if even ten of them are high-traffic sites. Think crashes, slow loading times, unplanned downtime, and plenty of other issues.
Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.
- Attacks that Exploit an outdated version of PHP
It's a known fact that about 80 percent of all websites in 2018 ran on PHP. However, support for PHP 5.6 ended at the close of 2018, meaning that support for every version of PHP 5.x is now gone: sites that fail to update no longer get security patches, bug fixes, or updates.
Recent reports suggest that this did not trigger any mass migration to newer versions of PHP. According to Threatpost, about 62 percent of websites using a server-side programming language were still on PHP 5. The full breakdown is in the chart below.
Source: Threat Post
"These sites probably include old libraries that haven't had the joy of an update…" the Threatpost article quoted a web security expert as saying. "The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not."
For hackers looking for business, this means plenty of targets. Think about it: since the beginning of this year, more than 60 percent of PHP-based websites have stopped getting security updates!
"Faced with the urgent requirement to update the PHP version, a lot of website owners will make a corresponding request to their web hosting providers," says Sam Bridges, a web security specialist from Trust My Paper. "This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process."
On top of that, some providers may not bother to notify their users that a PHP update is required, so a lot of websites may still be running outdated versions for years to come.
Well, hopefully you’re not going to be one of them.
- More Sophisticated DDoS Attack Techniques
DDoS attacks are nothing new. However, they remain a common cyberweapon against websites and should be considered when choosing a hosting provider. In fact, the situation is more complicated than it first appears.
For example, Kaspersky's research suggests that the total number of DDoS attacks decreased by 13 percent in 2018, which many may read as a positive signal.
The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky
Unfortunately, the raw count doesn't give the whole picture. According to Kaspersky, attackers are launching fewer DDoS attacks but turning to longer and more sophisticated techniques.
For example, the average attack length increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter. Fewer but longer attacks may mean that basic protection is getting better, but it also suggests that attackers are becoming more selective and more skilled.
2018 also saw the biggest DDoS attacks in history; in one of them, a US-based website reported a 1.7 Tbps assault (the attackers overwhelmed the site with a flood of traffic hitting 1.7 terabits per second!), according to The Register.
Source: The Register
So we may see more websites knocked offline by DDoS attacks in the coming years (clearly, not many websites can survive an attack like that one) as hackers deploy more sophisticated techniques.
Since a lack of DDoS-protected hosting is a major risk factor here, make sure your hosting provider has this protection in place.
Web hosting is not the first thing many website owners think about when setting up their businesses, but it's definitely one that can make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats you may face in the near future can help you avoid losing your website and joining the 100,000+ unfortunate site owners whose sites get hacked every day.
Hopefully, this article was a useful introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to existing and emerging risks now and make appropriate decisions. Eventually, this will pay off by maximizing the uptime and reliability of your website.
Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.
The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.
Data masking, tokenization and anonymization replace sensitive information with fictitious data while retaining the original data format. Because the format is preserved, you can continue to work with the data as if it were not protected: databases, business applications and collaboration software keep working as if the data were real, while unauthorized personnel only ever see the surrogate values and cannot recover the sensitive originals from them.
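As an added example (not from the original page or any particular vendor's product), here is a minimal vault-style tokenizer in Python showing the two properties the paragraph describes: the surrogate keeps the original format (same length, digits only, last four preserved so receipts and lookups still work), and only callers holding an assumed `pan_reader` role can map a token back to the real value. The tokens are also built to fail the Luhn check so that a token can never be mistaken for a valid card number. The role name, the in-memory vault and the sample card number are assumptions for illustration.

```python
import secrets

# Assumed role name for illustration; a real deployment would derive this
# from the caller's authenticated identity rather than a plain set of strings.
DETOKENIZE_ROLE = "pan_reader"


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str, keep_last: int = 4) -> str:
    """Irreversible display masking: '4111111111111111' -> '************1111'."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


class TokenVault:
    """Vault-style tokenization: the real PAN lives only inside the vault and
    every other system works with a same-format surrogate.  An in-memory dict
    stands in for what would be a separate, access-controlled store."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("expected a 12-19 digit card number")
        # Same input -> same token, so downstream systems can still join on it.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]           # keep last four, randomize the rest
            # Reject collisions, the PAN itself, and anything Luhn-valid: a token
            # that passes Luhn could be mistaken for (or misused as) a real PAN.
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        """Only authorized callers get the real value back; everyone else
        keeps working with the token."""
        if DETOKENIZE_ROLE not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    real = "4111111111111111"                 # well-known test card number, constructed input
    tok = vault.tokenize(real)
    print("stored in app DB :", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("shown on receipt :", mask(tok))
    print("finance can read :", vault.detokenize(tok, {DETOKENIZE_ROLE}))
    try:
        vault.detokenize(tok, {"analyst"})
    except PermissionError as exc:
        print("analyst blocked  :", exc)
```

The point of the design is that the application database, reports and support tools only ever hold the token, which has the right shape for every field and validation rule that expects a card number but is worthless on its own; the mapping back to the real value is a privileged call into the vault, which is where access control and audit logging belong.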
The ITAR (International Traffic in Arms Regulations) detail what measures businesses and individuals must take to comply, and specify severe civil and criminal penalties for non-compliance. The reach of the regulations is broad, and suppliers of all kinds may be subject to requirements to keep sensitive information secure and restricted.
Countries are establishing data residency regulations to protect private and classified data generated by their citizens by mandating that this information be stored within the country of origin. The premise is that the laws of the country in which the data is stored apply to that data. Large cloud providers such as Amazon, Microsoft and Salesforce are opening cloud data centers outside their home countries (the cloud data center expansion race) to satisfy these laws. The question is: does data residency reduce cloud risks?