Tag Archives: ESET

Data Security Critical as IoT Multiplies

When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.

How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.


ESET security researcher Cameron Camp has been paying close attention to data security. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length):

3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?

Camp: Companies are going to live and die on whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.

3C: That sounds ominous. What can and should we be doing?

Camp: We have to think about security in new ways. We have to secure the person, the experience and the data at rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.

We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.

3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?

Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.

3C: Why don’t routers get patched like PCs?

Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if for four of those years they’re vulnerable, we have a big problem.

Manufacturers have to keep the revenue up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.

3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?

Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.

Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.

3C: Is there some good news on the horizon?

Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there are many different permutations. In five years, we’re not going to see that; we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.

How HR Can Stop Insider Data Theft

After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?

Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.

“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.


A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.

The financial services sector has long been very proactive in defending against all forms of data breaches, for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.

“Often you have analysts in a security operations center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”
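The three signals Hazdra names (quantity, destination and classification level) written out as simple detection rules over a handful of constructed transfer records. This is an added example, not code from ESET, Neohapsis or any bank's monitoring stack; the log line format, the in-house domain suffix, the 100 MB daily threshold and the paste-site denylist are all assumptions chosen for illustration and would be replaced by an organization's own values.

```python
"""Flag suspicious data movement by quantity, destination and classification.

Added example: the three rules mirror the signals a SOC analyst is quoted as
watching. Log format, thresholds and domain lists below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed sample records (not real traffic):
# timestamp  user  bytes  destination_host  classification
SAMPLE_LOG = """\
2015-01-05T09:12:01Z jdoe 1200000 fileshare.corp.example internal
2015-01-05T09:40:17Z jdoe 4800000 fileshare.corp.example internal
2015-01-05T22:03:44Z msmith 75000000 pastebin.com restricted
2015-01-05T22:05:10Z msmith 90000000 pastebin.com restricted
2015-01-05T13:00:00Z alee 300000 mail.corp.example confidential
2015-01-05T13:30:00Z alee 2500000 drive.example.net confidential
"""

INTERNAL_SUFFIXES = (".corp.example",)              # assumed in-house domains
DENYLISTED_DESTS = {"pastebin.com"}                  # assumed paste/file-drop sites
LEAK_SENSITIVE = {"confidential", "restricted"}      # labels that must stay internal
DAILY_BYTES_THRESHOLD = 100_000_000                  # assumed 100 MB per user per day


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    user: str
    nbytes: int
    dest: str
    classification: str


def parse_line(line: str) -> Transfer:
    ts, user, nbytes, dest, cls = line.split()
    return Transfer(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                    user, int(nbytes), dest, cls)


def parse_log(text: str) -> list[Transfer]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(dest: str) -> bool:
    return dest.endswith(INTERNAL_SUFFIXES)


def detect(transfers: Iterable[Transfer]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) alerts.

    destination:    any transfer to a denylisted host
    classification: sensitive data leaving the internal domains
    volume:         per-user daily byte total above the threshold
    """
    alerts = []
    daily = defaultdict(int)
    for t in transfers:
        if t.dest in DENYLISTED_DESTS:
            alerts.append(("destination", t.user, f"{t.nbytes} bytes to {t.dest}"))
        if t.classification in LEAK_SENSITIVE and not is_internal(t.dest):
            alerts.append(("classification", t.user,
                           f"{t.classification} data to {t.dest}"))
        daily[(t.user, t.ts.date())] += t.nbytes
    for (user, day), total in daily.items():
        if total > DAILY_BYTES_THRESHOLD:
            alerts.append(("volume", user, f"{total} bytes on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:<15} {user:<8} {detail}")
```

On the constructed input the volume rule fires once (msmith's two late-night uploads add up to 165 MB), the destination rule fires on each pastebin.com transfer, and the classification rule catches both those and alee's confidential file sent to an outside drive; jdoe's internal file-share traffic never appears. The point of aggregating volume per user per day rather than per event is that an insider who splits an export into many small pieces still crosses the threshold.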

Organizations outside the financial services industry, however, are still on the lower end of the curve in understanding this exposure, much less in taking even basic steps to reduce it.

Given the nature of the exposure, security and privacy experts say human resource officials need to be on the front lines of mitigating insider data theft. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.

“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their jobs,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. (Full disclosure: IDT911 sponsors ThirdCertainty.)

It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges — and for theft.

“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”

There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, Coffman says.

“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions, and an annual outside review is a good idea.”

Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.

“Too often, organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” ESET’s Cobb says. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”
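A worked version of the HR/IT coordination the article calls for: an HR leaver feed is checked against an identity-provider export and a privileged-action audit log, flagging accounts that outlive their owner's last day, accounts HR has no record of (the departed-contractor case), privileged activity dated after termination, and one person both performing and approving the same change (the separation-of-duties point Coffman raises). This is an added example in Python, not code from IDT911, ESET or RedSeal; the three feed formats and every record in them are constructed for illustration, and a real deployment would parse its own HR and directory exports.

```python
"""Reconcile an HR leaver feed with identity-provider accounts and a
privileged-action audit log.

Added example. Feed formats and every record are constructed; real HR and
IdP exports will need their own parsers.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed HR feed: user  status  last_day ("-" while employed)
HR_FEED = """\
jdoe active -
msmith terminated 2015-01-02
rkhan terminated 2014-11-30
alee active -
"""

# Constructed identity-provider export: user  enabled|disabled  comma-separated groups
IDP_EXPORT = """\
jdoe enabled staff
msmith enabled staff,wealth-mgmt-admins
rkhan disabled staff
alee enabled staff,domain-admins
contractor7 enabled staff
"""

# Constructed privileged-action audit log: timestamp  user  action  change_ticket
PRIV_LOG = """\
2015-01-05T10:00:00Z alee grant_role CHG-101
2015-01-05T10:05:00Z alee approve_change CHG-101
2015-01-06T02:14:00Z msmith export_accounts CHG-102
2015-01-06T09:00:00Z jdoe grant_role CHG-103
2015-01-06T09:30:00Z alee approve_change CHG-103
"""


@dataclass(frozen=True)
class Person:
    user: str
    terminated_on: Optional[date]   # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: frozenset[str]


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    ticket: str


def _rows(text: str) -> list[list[str]]:
    return [line.split() for line in text.splitlines() if line.strip()]


def parse_hr(text: str) -> dict[str, Person]:
    people = {}
    for user, status, last_day in _rows(text):
        gone = date.fromisoformat(last_day) if status == "terminated" else None
        people[user] = Person(user, gone)
    return people


def parse_idp(text: str) -> dict[str, Account]:
    return {user: Account(user, state == "enabled", frozenset(groups.split(",")))
            for user, state, groups in _rows(text)}


def parse_priv_log(text: str) -> list[Event]:
    return [Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, ticket)
            for ts, user, action, ticket in _rows(text)]


def reconcile(people, accounts, events) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings."""
    findings = []
    # Accounts HR has no record of, and leavers whose accounts are still enabled.
    for user, acct in accounts.items():
        person = people.get(user)
        if person is None and acct.enabled:
            findings.append(("unknown_account", user, "enabled but absent from HR feed"))
        elif person is not None and person.terminated_on and acct.enabled:
            findings.append(("orphaned_account", user,
                             f"still enabled, last day {person.terminated_on}"))
    # Privileged activity dated after the owner's last day.
    for ev in events:
        person = people.get(ev.user)
        if person and person.terminated_on and ev.ts.date() > person.terminated_on:
            findings.append(("post_termination_activity", ev.user,
                             f"{ev.action} on {ev.ts.date()} ({ev.ticket})"))
    # Separation of duties: the same person performing and approving one change.
    performers, approvers = defaultdict(set), defaultdict(set)
    for ev in events:
        (approvers if ev.action == "approve_change" else performers)[ev.ticket].add(ev.user)
    for ticket, who in performers.items():
        for user in sorted(who & approvers[ticket]):
            findings.append(("separation_of_duties", user,
                             f"performed and approved {ticket}"))
    return findings


if __name__ == "__main__":
    report = reconcile(parse_hr(HR_FEED), parse_idp(IDP_EXPORT), parse_priv_log(PRIV_LOG))
    for rule, user, detail in report:
        print(f"{rule:<26} {user:<12} {detail}")
```

Run against the constructed feeds this reports four findings: msmith's account is still enabled four days after the recorded last day and was used to export accounts in that window, contractor7 exists in the directory but not in HR, and alee both raised and approved CHG-101 while CHG-103 (raised by jdoe, approved by alee) passes. rkhan, whose account was disabled on departure, produces nothing, which is the state every leaver should be in. Running a check like this on a schedule is what turns the "structured process for communicating changes" into something that is verified rather than assumed.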

A disgruntled employee who is not planning on going anywhere is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago and gained access to records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.

“All managers need to be aware of morale among reports, and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.