Tag Archives: Trustwave

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to grow in presence and impact by giving companies a cost-effective alternative to dedicating in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

Pros and Cons of ApplePay Security

ApplePay, the mobile payments service introduced by Apple in October 2014, could ultimately set the security and privacy benchmarks for digital wallets much higher.

Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.

Here’s ThirdCertainty’s breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.

ApplePay defined

Available on the iPhone 6 and Apple Watch, ApplePay stores account numbers on a dedicated chip. Apple refers to this chip as the “secure element,” only available on the iPhone 6 and iPhone 6 Plus. It is on this chip that your financial information is stored. It is only accessed when a random 16-digit number gets generated for a given transaction, and the number never makes it to the phone’s software, where hackers could reach it.

The devices then use near field communication (NFC) to send a simple token, instead of the full account number, to the merchant’s NFC-enabled point-of-sale register.

“This allows an ultra secure payment,” says Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smart phone under your control.”

Apple tightens down who can control each device by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device – instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the U.S. and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.

How ApplePay improves security

ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.

“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”

Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.

“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” Rowley says. “Any additional logic built into the process of making payments will make it more secure.”

How ApplePay introduces new risks

Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.

“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” Park says. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”

The more popular ApplePay becomes, the more likely cybercriminals will devote resources to cracking in. Research from legitimate sources is already available showing how to hack into NFC systems, for instance this 2012 report from Accuvant researcher Charlie Miller.

It’s probable that elite criminal hackers “are looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now,” Park says.

One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”

Pushing payments to mobile devices makes Internet cloud services more complex – and complexity creates vulnerabilities.

“In the past, the only participants were the merchant, the merchant’s bank and your personal bank,” says Richard Moulds, vice president of product strategy at Thales e-Security. “Apple is stating that they will not know the details of individual transactions, which is very important; however, there is clearly the risk of attacks on the phone itself.”

‘Smart’ Homes Can Have Stupid Features

Do people want faster response by the police to a burglar alarm, or do they want lights they can control remotely? That is a core question that the alarm industry faces as it undergoes seismic changes. Does the alarm industry sell security, including fast response by police, or does it sell the “connected” home?

Many are leaning toward an emphasis on the connected home. That’s why Google bought Nest, known for its smart thermostats, for $3.2 billion in early 2014 and then announced recently that Nest would buy Dropcam for $555 million. Dropcam uses small cameras to provide security services, though not as the alarm industry is doing. The alarm industry connects cameras to a central station, where feeds are monitored and police notified if there is a break-in. Dropcam uses motion sensors to alert the user to any possible problems; the user then checks the video feed from his phone or computer and, if necessary, contacts the authorities for help.

Whether the alarm industry chooses to emphasize fast police response or follows Google and tries to offer broad home automation solutions, there will be broad ripple effects, including for insurers.

From a risk-management perspective, there are two issues. The first is whether the home automation improves police response and reduces losses. Ultimately, however, the second issue is even more crucial: Do the new home automation services actually introduce new risks and enable high-dollar losses through remote vandalism, including frozen pipes and catastrophic water damage?

Concerning the first issue: At a time when declining budgets are forcing police to reduce the number of officers responding to property crimes, home automation has hijacked a large slice of the alarm industry and is minimizing police response. Catching burglars and reducing property crime has become secondary to lifestyle convenience features and home automation revenue streams.

Increasingly, alarm/security is proposed as just one more feature in home automation. But the new offerings generally use legacy alarm solutions, which have a false alarm rate of 98%. As a result, these alarms are only assigned a priority 3 by law enforcement, so police response is slow, if it happens at all. By contrast, new alarms – based on monitored video feeds, and with break-ins verified – are treated like a crime in progress, a priority 1. Responding officers run hot because they expect to make an arrest.

In an effort to confuse the issue and continue to sell legacy alarms, home automation suppliers sell the ability of the homeowner to remotely view cameras in the home as “video verification.” This claim is exploiting a naïve consumer. Home automation cameras are not monitored by the central station, and they do not provide faster police response. Remote viewing by the owner ends up being a glorified nanny cam.

Unfortunately for insurers, home automation has become the primary message of some of the historical burglar alarm companies, which have reengineered their companies. Security companies are now chasing smartphone thermostats and Wi-Fi-based lighting instead of focusing on delivering police response to an alarm.

A joint study by the San Bernardino, CA, sheriff and police departments in 2011 found that the arrest rate for a traditional burglar alarm was only 0.08%. A five-year study completed by Pharmacists Mutual in 2013 found that, when police response was less than five minutes, the officers made arrests 21% of the time. This means that the likelihood of an arrest for monitored, video-verified alarms and priority police response is more than 250 times better.

Video-verified alarm systems monitored by a professional central station represent real loss control for the insurer. Video-verified alarms reduce claims. Monitored video alarms actually mitigate losses by delivering faster police response to an actual incident. Police make arrests and prevent the loss itself.

Concerning the second risk-management issue: Home automation introduces new threats for the insurer – catastrophic claims caused by remote vandalism. Imagine the damage to a Minnesota home whose furnace was turned off by malicious hackers while the owners were on a winter vacation. The costs for bursting water pipes and flooding the property for days would make most burglary claims seem paltry in comparison.

The problem is that home automation and the connected home create risks that have not been adequately identified and considered by insurers. Much has been written regarding identity or data theft caused by hackers exploiting weak computer networks for passwords and credit card info. The financial losses from this type of crime have had little impact on traditional property/casualty insurers, but home automation changes the risk exposure because now remote vandals can invade the network and take over the infrastructure and appliances of a homeowner to maximize damage without ever setting foot on the property. Home automation devices become a Trojan horse for vandals, and the more devices are connected, the larger the risk as each device introduces another potential hole.

The press is finally beginning to educate readers about the issue. A July 30, 2014, article in Computerworld headlined “Home Automation Systems Rife with Holes” explains, “A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave. Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.” Security Today published an article on July 16, 2014, about how hacked light bulbs can reveal a homeowner’s Wi-Fi password and actually give the hackers control over the home automation system itself. This excerpt describes the problem:

“It’s all the new craze: the connected or smart home, where at the touch of a button on your smartphone you can dim your living room lights, close the garage…. But, with sophisticated technology comes risk if you aren’t vigilant in applying the latest security updates to your smart home. In fact, the latest risk involves LED light bulbs that can be hacked to change the lighting and reveal the homeowner’s Wi-Fi Internet password.”

The entire home automation system is only as secure as its weakest link or device – devices that need to be kept updated with security patches as flaws are discovered. Unfortunately, many of these connected home devices are static and not even capable of being updated with new software patches. The connected home is now the Wild West of home security, and property/casualty insurers are likely going to be the ones left paying the bill.

The bottom line is that the home automation industry introduces threats that run counter to the risk mitigation insurers have traditionally found by using discounts to promote monitored alarm systems. In analyzing these risks, David Bryan, Trustwave researcher, states, “Anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization.” The proliferation of devices, protocols, apps and portals means that the problem is getting more complex instead of calming down.

It is time for insurance companies to review their “alarm discount” and make sure that the discount encourages behavior that actually reduces claims. The alarm industry is promoting home automation to the consumer, but the features and benefits don’t actually reduce risk. Underwriters can reduce risk and minimize losses by encouraging their policy holders to install monitored, video-verified alarm systems that deliver faster police response. Any insurance policy that offers discounts for home automation systems is encouraging new and unexplored risks posed by remote vandalism, and possibly worse.