As IoT Expands, Risks Grow Even Faster

Get used to it. The Internet of Things is here to stay. In fact, IoT is on a fast track to make all manner of clever conveniences part of everyday commerce and culture by the close of this decade.

Tech research firm Gartner estimates IoT endpoints will grow at a breakneck 32% compounded annual growth rate over the next few years, reaching an installed base of 20.8 billion IoT units by 2020.

Tiny, single-purpose sensors designed to collect rich profile data on individual behaviors — as well as on company systems — can already be found in all manner of medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters, household appliances, manufacturing settings and wearable tech. Much more is coming.

It is incumbent upon the businesses that deliver both the IoT devices — and the new internet-connected services that IoT sensors make possible — to address the security exposures that are part and parcel of this rapid scale-up. Fortunately, cybersecurity vendors are stepping up innovation to do just that. Gartner projects that worldwide spending on IoT security will reach $348 million in 2016 — up 24% from 2015 spending — and will climb steadily to $840 million by 2020.

I recently sat down with Johnnie Konstantas, director of security solutions at Gigamon, a supplier of network visibility technology, to discuss what’s on the horizon. The following text has been edited for clarity and length.

3C: What is the core security challenge accompanying our rapid deployment of billions of IoT sensors?

Konstantas: IoT sensors are quite small and pretty cheap, too, and they don’t have a lot of memory on them. Their whole point is to store a little bit of information and then just forward it on to the cloud. If you think about how we traditionally use things like encryption and a firewall to secure a mobile phone or laptop, that’s very hard to do on a small IoT sensor.

So what you have is a conduit into the corporate network deployed for the purpose of receiving intelligence, and you can’t really push perimeter protection out to these IoT devices.

There’s no question IoT sensors can potentially be a way in. The IoT endpoint could get infected with malware, or it could be used as a lily pad to jump in deeper.

3C: What defensive approaches look promising?

Konstantas: A lot of it comes down to continuous monitoring. These devices are going to always be on, transmitting intelligence. The idea is to continuously understand what the IoT device is forwarding or receiving 24/7. Sounds like a tall order, but doing that allows you to essentially perform analytics on IoT-generated traffic. And with the proper kinds of security analytics in place, you will be able to surface anomalies.

3C: Sounds like big data analytics with an IoT twist.

Konstantas: Yeah, exactly. Big data analytics is nothing new. Security analytics is nothing new. But both are actually seeing a resurgence. Call it SIEM (security and information event management) 2.0 for lack of a better word. This time, SIEM is not so much about collecting large volumes of data; it’s more about getting the right kinds of data. It’s about pruning my data feeds to figure out whether I have any risks associated with my IoT deployments.

3C: What key developments are on the horizon?

Konstantas: I’ve been in security since ’98, so I’ve seen a few patterns play out. The one constant has been that when cool technology emerges — like our ability to do commerce on the web or virtualized storage and computing — adoption tends to be a lot faster than the arrival of the technology to secure it. So it’s fair to say that our desire to take advantage of sensor networks and IoT is going to outpace our ability to roll out security infrastructure to secure them as well.

This post originally appeared on ThirdCertainty.

Firms Must Redefine Cyber Perimeter

The rising business use of cloud services and mobile devices has opened a Pandora’s box of security exposures.

Software as a service (SaaS) tools such as Salesforce.com, Gmail, Office 365 and Dropbox, as well as social media sites such as Facebook, LinkedIn and Twitter, are all being heavily leveraged by companies to boost productivity and collaboration. This SaaS trend also has opened up a whole new matrix of access points for malicious attackers to get deep inside company networks.

Wall Street recognizes that all organizations will have to acknowledge and make decisions on how to mitigate new business risks introduced by cloud services. And big bets are being placed on new technologies to help companies get a handle on these fresh exposures.

ThirdCertainty recently sat down with David Baker, chief security officer at Okta, a cloud identity management vendor that’s one of dozens of security vendors developing cloud security systems. A $75 million round of private investment last fall pushed Okta’s market valuation to more than a billion dollars, vaulting it into so-called “unicorn” status.

Okta’s backers include a who’s who of venture-capital firms that are placing big bets on cybersecurity plays: Andreessen Horowitz, Greylock Partners, Sequoia Capital, Khosla Ventures, Altimeter and Glynn Capital, among others.

Baker talked to us about this particular big bet on cybersecurity tech. The text is edited for clarity and length.

3C: Congratulations on achieving unicorn status.

Baker: Thank you. We have a lot of work to do as a company to continue growing. The problem that we solve is really about enabling companies — enterprises, as well as small, medium and big companies — to adopt the cloud.

3C: How would you frame the big challenge?

Baker: The problem for companies now is that the things I need to access in the cloud bring a whole host of security concerns. I have users working within my four walls, and they have to authenticate into these applications where I have critical business data. It could be information about my company’s source code, or email or all of the files we share. So what’s needed is a secure way of authenticating users into all of those systems.

It also is a challenge to provision that identity into the downstream applications and, just as importantly, to de-provision users. So when a user eventually is transferred to a different group or is terminated, their access has to be disabled. So it’s about managing that identity and also managing the access of that identity to these cloud services.

3C: Lots of employees set up their own Gmail or Dropbox account to be more productive. It sounds like they shouldn’t be doing that?

Baker: Correct. The security piece is knowing what set of tools you want your employees using, and then making sure you have an authentication mechanism in place to enable them to go securely into those cloud-based applications.

3C: The company sets the rules, and its employees should use only the company-sanctioned versions?

Baker: Correct. Users get exactly the version of Dropbox the company wants them to use, not their own personal account. Okta creates a secure connection to that version. The IT administrator can give the employees access to hundreds of apps. Right now, we have connectors to well over 4,000 different applications across the internet.

3C: Seems like we’re extending the traditional network perimeter. It’s not just the on-premises servers and clients that companies have to be concerned with, it’s everything out in the internet cloud that employees might try to use.

Baker: I’ll do you even one better. The perimeter really exists with respect to identity. When I’m sitting at home or in the coffee shop and using my cellphone to get access into an application, I am now the perimeter. So that’s why we like to say, really, identity is the new perimeter.

This article first appeared at Third Certainty.

IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.

And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed somewhat basic security protocols, such as email authentication and SSL configurations.

Craig Spiezle, Online Trust Alliance executive director

Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t have current secure protocols; one provider failed to adopt an extended validation (EV) SSL certificate, leaving it open to spoofing.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to do something.

Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs compromised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication. It’s almost a basic security tool that prevents emails from being spoofed. Those OTA-audited e-filing services that didn’t use it are contributing to the breaches.
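The audit findings above turn on whether a sending domain publishes SPF and DMARC records that actually reject spoofed mail, rather than merely publishing something. The following check is an added example written for this page, not code from the OTA or any audited vendor: it grades a domain's spoof resistance from its TXT records. The domain names and records are constructed placeholders held in a local table, so nothing is resolved over the network; a real tool would replace `lookup_txt` with a DNS query.

```python
"""Grade a domain's resistance to email spoofing from its SPF and DMARC
records. Added example for this page; the records and domains below are
constructed placeholders, not the audited e-filing services."""
import re

# Constructed TXT records keyed by DNS name. A DMARC policy lives at
# _dmarc.<domain>; SPF lives on the domain itself.
TXT_RECORDS = {
    "efile-good.invalid": ["v=spf1 include:_spf.example.invalid -all"],
    "_dmarc.efile-good.invalid": ["v=DMARC1; p=reject; rua=mailto:dmarc@efile-good.invalid"],
    "efile-weak.invalid": ["v=spf1 include:_spf.example.invalid ?all"],
    "_dmarc.efile-weak.invalid": ["v=DMARC1; p=none"],
    "efile-none.invalid": [],   # publishes nothing at all
}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup (assumption: offline table)."""
    return TXT_RECORDS.get(name, [])


def parse_spf(records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term (RFC 7208 default is neutral),
    or None when no SPF record is published."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            if m:
                return m.group(1) or "+"
            return "?"
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None when no record is published."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain):
    """Return (grade, findings): 'strong', 'weak' or 'missing'."""
    findings = []
    spf_all = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))

    if spf_all is None:
        findings.append("no SPF record")
    elif spf_all in ("?", "+"):
        findings.append(f"SPF ends in '{spf_all}all', so unauthorized senders are not rejected")

    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100 and policy != "none":
            findings.append(f"DMARC policy applies to only {pct}% of mail")

    if spf_all is None and dmarc is None:
        grade = "missing"
    elif findings:
        grade = "weak"
    else:
        grade = "strong"
    return grade, findings


if __name__ == "__main__":
    for d in ("efile-good.invalid", "efile-weak.invalid", "efile-none.invalid"):
        print(d, *assess_domain(d))
```

The weak and strong configurations sit side by side in the table: `?all` plus `p=none` means receivers are told to monitor but deliver, which is why a site can "have" email authentication on paper and still be trivially spoofed.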

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefsen.

Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.

In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.

Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.

That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.

Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.

Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.

Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.

Fewer are immune to attack

Ransom32 is the first ransomware tool written entirely in JavaScript. That makes it easily portable to other platforms like Linux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer

Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser, which is sandboxed to prevent access to the file system and other local resources, Ransom32 is designed to have unfettered access to the system.

“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”

Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.

The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.

DIY kit for bad guys

Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.

“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”

Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says.

Going forward, expect tools like Ransom32 and trends like ransomware-as-a-service to pose a bigger threat to businesses, especially small and medium-sized ones, which generally lack the resources large companies have to defend themselves.

Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.

SMBs have limited defenses

“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”

One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interfaces to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.

Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.
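The exposure Wosar describes, an RDP interface reachable from outside and protected only by guessable credentials, leaves a recognizable trace before any ransom note appears: a burst of failed remote-interactive logons from one address, often followed by a success. The detection below is an added example for this page, not code from Emsisoft or the article. It assumes a simplified CSV export of Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP); the log lines are constructed.

```python
"""Flag source addresses brute-forcing RDP from constructed Windows
Security log records. Added example; field layout is an assumption:
timestamp,event_id,logon_type,user,source_ip."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address hammers several account names over
# RDP (logon type 10) and finally gets in; a real user mistypes once.
SAMPLE_LOG = """\
2016-03-01T02:00:01,4625,10,administrator,198.51.100.7
2016-03-01T02:00:03,4625,10,admin,198.51.100.7
2016-03-01T02:00:06,4625,10,administrator,198.51.100.7
2016-03-01T02:00:09,4625,10,sa,198.51.100.7
2016-03-01T02:00:12,4625,10,backup,198.51.100.7
2016-03-01T02:00:15,4625,10,backup,198.51.100.7
2016-03-01T02:00:40,4624,10,backup,198.51.100.7
2016-03-01T09:15:00,4624,10,jsmith,192.0.2.20
2016-03-01T09:20:00,4625,10,jsmith,192.0.2.20
2016-03-01T10:00:00,4625,2,jsmith,-
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, event_id, logon_type, user, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for addresses with at least `threshold`
    failed RDP logons inside `window`; the summary records which account
    names were tried and whether a successful RDP logon followed the burst."""
    by_ip = defaultdict(list)
    for ts, eid, ltype, user, ip in events:
        if ltype == 10:                      # RemoteInteractive (RDP) only
            by_ip[ip].append((ts, eid, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, eid, user in evs if eid == 4625]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:           # burst found starting at fails[i]
                burst_end = fails[j - 1][0]
                success = next((u for ts, eid, u in evs
                                if eid == 4624 and ts >= burst_end), None)
                alerts[ip] = {
                    "failed_logons": len(fails),
                    "usernames": sorted({u for _, u in fails}),
                    "success_after_burst": success,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A success immediately after a burst is the case worth paging on, because it is the point where, as the article notes, the intruder is positioned to disable whatever security software runs on the server. The local failure with logon type 2 is deliberately ignored so console typos do not raise alerts.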

There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.

“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”

This article was written by Third Certainty’s Jaikumar Vijayan.

The Moneyball Approach to Cyber

It took a while for me to understand baseball: I didn’t get it until someone pointed out that I was watching the game when I should have been watching the season.

Much of the game’s strategy snapped into focus — and the differentiation between game-day action and long-term success illustrates key lessons that information security executives need to learn.

Love it or hate it, Moneyball is part of the game now. Moneyball and sabermetrics (applying sophisticated statistical analysis to baseball records) help teams avoid overspending on showy all-arounders and focus instead on key metrics, however unusual, to build a successful team.

Information security should follow the same strategy. (And most chief information security officers (CISOs) probably feel more kinship with the cash-strapped Oakland Athletics, pioneers of Moneyball, than with the flush New York Yankees.) CISOs will see that, as in baseball, relying on a few stars to carry the team is a short-sighted and potentially costly plan.

In his 2014 Black Hat keynote, computer security analyst Dan Geer declared the end of the era of information security generalists. It can be hard to measure the contributions of specialists. We understand the easy metrics intuitively: the "batting averages" of information security. But it is the hard and subtle metrics that really teach us something new. Getting these metrics will require automation and thoughtful changes to existing sources of unstructured data: processes performed manually can't keep pace with business needs.

Alongside the outmoded concept of star all-arounders, we also should toss the concept of clutch players. Statistically, they don’t exist, and seeking them out in a technical organization is asking to be deceived; individual heroics are dramatic but not sustainable. An organization’s long-term success won’t be seen in the individual who burns the midnight oil to deploy the patch of the week, but in the one who quietly solves the problems around reliable, rolling deployments.

CISOs should also listen to the refrain of baseball commentators: “fundamentals.” A team that cannot execute basic, everyday maneuvers flawlessly is not prepared to get fancy. There’s no point in deploying a shiny intrusion-detection system or hiring an expensive, full-contact “red team” unless operations can convince you that every last default password has been changed.

Finally, we can take one more lesson from the game: Every so often, be sure to stand up and stretch.