Based on the articles, ‘Thingularity’ Triggers Security Warnings, by Mathew J. Schwartz and Cybersecurity Expert and CIO: Internet of Things is ‘Scary as Hell’, by Al Sacco
The Internet of Things (IoT) has arrived: from remotely controlled devices such as home thermostats and home automation systems to personal iPhones and laptops that connect to a company’s network. The growth in Internet-connected devices shows no sign of slowing; Cisco predicts that by 2020, 50 billion objects will be connected to the Internet.
As users enjoy the benefits and conveniences of these devices, they bring an enormous security risk to home and enterprise networks alike. Consumers trust their devices, do not realize how insecure they really are, and need to be warned. Here are a few alarming statistics:
- Malware has been found pre-installed on new PCs straight out of the box.
- Antivirus solutions protect against only about 30 percent of known viruses and malware.
- According to McAfee, there are 69 new malware threats every minute, about one every second.
Even if a smartphone such as an iPhone has at least some protection built in, most devices do not have any reliable security measures in place. Thermostats, printers, even refrigerators are now commonly connected to the network, but these items often cannot receive security patches or firmware updates at all. With no update mechanism, a bug in the device leaves it open to compromise with nothing to stop it. These devices are the weakest link in your network, and attackers know it and will exploit those vulnerabilities. The explosion of the IoT gives cybercriminals exponentially more ways to gain a foothold, move into networks, and steal both personal and company information.
There are many more challenges to securing the Internet of Things, even for devices that do ship with some security. For example, billions of devices have their software baked into silicon, which makes software flaws difficult, if not nearly impossible, to fix. Many ATMs still run on Windows XP, which is no longer supported; those machines are not receiving any further patches or antivirus signatures.
Communicating with consumers to keep them up to date on security matters is another struggle, because many consumers do not know how to update their own devices. In a survey of wireless router customers conducted by the security firm Tripwire, 68% did not know how to update their router’s firmware. What will these consumers do when they have to update their home automation systems or even baby monitors?
Until all devices that connect to the Internet can be updated reliably they will continue to plague network security, but there are some measures you can implement now. Here are five tips to reduce exposure and limit the spread of a malware infection, for both home and business:
- Place IoT devices on a separate network. Don’t have your thermostat on the same network as your computer. (If Target had properly segmented the network access granted to its third-party HVAC vendor, that breach might not have spread into Target’s internal network.)
- Don’t allow unencrypted traffic to or from those devices.
- Put a PIN on your cellphone in case it is lost or stolen, and use Mobile Device Management (MDM).
- Train your employees about security risks.
- Scan and monitor your networks.
What is the most important security take-away of the Internet of Things? If it is on the network it can be hacked, and every compromised device brings cybercriminals one step closer to personal and company data. Prepare as best you can.
The Bring Your Own Device (BYOD) trend allows employee-owned devices in the workplace to access company data and systems. The trend has inherent advantages and risks, which has created quite a dilemma for many organizations.
The demand for BYOD originates from the consumerization of mobility, which has been growing steadily in recent years and continues to accelerate. According to Gartner, “70% of mobile professionals will conduct their work on personal smart devices by 2018.” The challenge for IT, and for organizations as a whole, is to manage this dilemma successfully and prevent it from turning into “Bring Your Own Disaster.”
There are several benefits to employees using their own devices at work, including increased productivity and innovation as well as convenience. Their gadgets typically have more cutting-edge features than what is available in the workplace, and since they are more familiar and comfortable with their own devices, they tend to be more productive. For the growing mobile workforce, BYOD offers convenience and flexibility too. At the same time there is a cost saving for organizations from decreased investment in hardware and software; Gartner projects a 9-40% saving from using employee-owned PCs.
However, these benefits come with intrinsic security risks centered on data breaches and the loss of intellectual property through access to corporate data. There are also possible compliance repercussions any time a network is compromised. Furthermore, IT does not have complete control over these gadgets, since it does not own them, which presents yet more risk.
Here is a common example of what can easily go wrong with BYOD: an employee at home downloads a new app on his smartphone, unaware that it is tainted with malware. The next day he brings that device into work, where it connects from inside the company’s firewall, and the "Trojan horse" is poised for attack. Data is transferred to an attacker without him, or you in IT, knowing about it.
Another consequence is the risk of lost or stolen cell phones. More than a third of consumers have had a cell phone lost or stolen, according to a survey from Norton by Symantec, and 80% of people do not even put a Personal Identification Number (PIN) on their phone. Suddenly an untrusted party has access to the company’s internal network. So, how does one manage the seemingly unmanageable? Below are 5 BYOD tips to help organizations mitigate the risks.
- Set up a comprehensive BYOD policy. Assess which devices are off limits and which are allowed in the organization. Must users have anti-virus running on their devices before connecting to the corporate network? Must they have password protection on their devices? Is there an incident response mechanism established? Patch management?
- Create a guest network. Ensure unknown devices are always kept off the corporate network so viruses and malware cannot cause data loss and data integrity issues.
- Invest in sound technology that can automatically block and quarantine devices until they are approved. Here at NetClarity our NAC solution solves the BYOD dilemma by identifying all network-attached devices, limiting access and blocking untrusted devices automatically when needed. Our NAC can be used as an enforcer for any BYOD policy.
- Implement a Mobile Device Management (MDM) solution when many devices are involved. In larger organizations especially, an MDM solution should be deployed to monitor access and policy compliance and to report any non-compliance.
- Review BYOD policy regularly. Are the policies that you implemented actually being used by employees within your organization? Do employees understand the policies and importance thereof? Who is in charge of these policies?
One thing is certain—BYOD is here to stay. Don’t let the benefits of BYOD turn into a growing headache and possible IT security disaster. With sound policy, awareness, and enforcement, the Bring Your Own Device trend can be managed successfully by organizations, with an overall increase in employee satisfaction and productivity creating a “win-win” situation for all.
Based on the articles- The Critical, Widespread Heartbleed Bug and You: How to Keep Your Private Info. Safe, by Ian Paul and What You Need to Know About Heartbleed, by Sharon Gaudin
In December 2011 a bug now known as Heartbleed was introduced into OpenSSL, an open source implementation of the SSL/TLS encryption protocol, and it shipped in the OpenSSL 1.0.1 release in March 2012. Only recently discovered, Heartbleed allows an attacker to read chunks of a vulnerable server’s (or client’s) memory, up to 64 KB per request, without leaving a trace in the logs. That memory can contain private keys, usernames and passwords, session cookies, email and files, credit card numbers, health records, banking transactions and so on; with a stolen private key, an attacker can also decrypt captured traffic from connections that did not use forward secrecy. “Heartbleed is serious”, says Jason Orgill, Director of Product Management and Business Development. “It exposes information users are most concerned about protecting.”
OpenSSL is one of the Internet’s most widely used encryption software packages. Heartbleed therefore may have affected approximately two-thirds of the world’s web servers and a variety of devices, ranging from smartphones to home routers, printers, wireless access points, switches, tablets, and laptops. Because exploitation leaves no trace, there is no way to know for sure whether one has been attacked or what was stolen, so everyone must assume the worst. Here are four practical ways to stop the bleeding.
- Monitor credit cards and bank statements for any suspect activity for the next year. Make sure your email account has not been sending out spam and be on the lookout for rogue posts on your social networks.
- Change passwords on any site you use that was affected, but only after the service provider has patched; otherwise, your new password will be exposed to the same issue. LastPass, Qualys SSL Labs, and Filippo Valsorda each offer an online checker that tells you whether a given site is still vulnerable. Your new password needs to be strong: long, with a mix of letters, numbers and symbols. Don’t use the same password for more than one site, because if a cybercriminal acquires one, he can try it against your other accounts. Finally, change your passwords every six months.
- Enterprises should audit their systems, update and patch, generate new private keys, reissue certificates and revoke the old ones, and invalidate existing session cookies, as well as communicate with all business partners about the severity of the consequences for their IT operations to make sure everyone updates and is "on the same page". Be sure to have employees change passwords too.
- Start using a password manager like LastPass or Dashlane to generate strong passwords for you and organize them into categories. This is really helpful because you no longer have to memorize your various passwords, and the password manager will log you in automatically every time you revisit a site.
Heartbleed is critical and widespread. The bug has been in circulation for two years, and its impact is not yet fully known. If you follow the above guidelines to keep your online accounts secure, your risk of data theft will surely be reduced.
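To make the flaw described above concrete, here is an added example written for this post (it is not code from the articles and not OpenSSL’s own source). It models the TLS heartbeat message from RFC 6520 (one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding) and shows the vulnerable behaviour of trusting the claimed length next to the patched behaviour of checking it against the record actually received. The bytes standing in for “neighbouring server memory” are constructed for the demonstration.

```python
"""Heartbleed in miniature: a toy TLS heartbeat responder, vulnerable and patched.

Added example, not from the original post or from OpenSSL.  The record layout
follows RFC 6520; the neighbouring "heap" content is constructed sample data.
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever happens to sit beyond the received record in
# the server's heap: a session cookie and the start of a private key.
NEIGHBOURING_MEMORY = (
    b"\x00" * 8
    + b"Cookie: session=8f3a9c0e;"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow"
    + b"\x00" * 8
)


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.

    claimed_length lets the sender lie about the payload size, which is exactly
    what the Heartbleed probe did: claim thousands of bytes, send a handful.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record, memory_after=NEIGHBOURING_MEMORY):
    """OpenSSL 1.0.1 through 1.0.1f: echo payload_length bytes without checking
    that the record actually contains that many."""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return b""
    # The copy starts at the payload and simply runs past the end of the
    # record into whatever is next in memory.
    heap_view = record[3:] + memory_after
    echoed = heap_view[:payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def patched_respond(record, memory_after=NEIGHBOURING_MEMORY):
    """OpenSSL 1.0.1g: silently drop any record whose claimed payload does not fit.

    memory_after is accepted only to keep the signature parallel; it is never read.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return b""  # cannot even hold type, length and minimum padding
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return b""  # the bounds check the original code lacked
    echoed = record[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed bytes from a heartbeat response (empty if none)."""
    if len(response) < 3:
        return b""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    probe = build_heartbeat(b"ping", claimed_length=4096)
    print("honest request, vulnerable server:", response_payload(vulnerable_respond(honest)))
    print("honest request, patched server:   ", response_payload(patched_respond(honest)))
    print("lying request, vulnerable server: ", response_payload(vulnerable_respond(probe)))
    print("lying request, patched server:    ", response_payload(patched_respond(probe)))
```

Run it and the lying request returns the cookie and key material from the vulnerable responder and nothing at all from the patched one, while an honest request behaves identically on both. The absence of any error or log line in the vulnerable case is the point: a server could be probed thousands of times and never notice.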
Based on article, "Security Pros Talk About Playing Defense Against Cybercrime," by Ellen Messmer
As cybercrime becomes more complex and prevalent around the globe, security experts from Citi and AIG, two financial services organizations, and the FBI came together at Pace University in New York to share defense strategies. They discussed the challenges they face most often from cybercrime, with the hope of stemming the tide of both hackers and malicious insiders stealing sensitive data from the enterprise.
Zero-day exploits were their number one concern. This type of attack is advantageous to hackers because it exploits previously unknown vulnerabilities: there has been no time to patch the holes, which makes it difficult to mitigate. The panel was optimistic though, because they believe threat-detection tools are advancing in this area. “At NetClarity, our Network Access Control solution combats zero-day exploits by deterring diffusion,” says Jason Orgill, Director of Product Management and Business Development. “We identify and isolate the malware infected host when it tries to phone home.”
Another daunting task that large companies in particular face is managing the seemingly endless volume of incoming security alerts. This was one of the Achilles' heels in the recent Target data breach: the log data and alerts were present, but Target did not act on them. Here too, the panel believes the security industry is making advances in managing massive amounts of alerts and log data. A progression towards “dynamic defense," in which security tools monitor, detect, analyze, and mitigate threats and vulnerabilities, is advancing in the enterprise, they believe.
Malicious insiders are yet another real threat to network security. In fact, a recent survey by the industry analyst Ovum found that only 9% of businesses feel safe from insider threats. Insiders include not only traditional users with access rights but also privileged users, those who actually maintain the networks. Privileged users pose the biggest risk by virtue of their credentials; therefore, theirs are the accounts attackers seek out most in order to gain access. A malicious insider could be, for example, someone who sits at someone else’s computer and asks unusual types of questions, the panel asserted.
The security experts also warned against taking computers with valuable proprietary data overseas, a risk for data theft. The increasing attacks against SMB companies, which lack the budgets of larger companies to prepare themselves, were yet another concern. Finally, the difficulty of chasing cybercriminals around the globe was mentioned as well.
The FBI plans to add 1,000 analysts next year to help turn the tide on cybercrime, but Citi and AIG acknowledged that there is a shortage of security professionals. They concluded that today’s threats are akin to cyberwar, which by its nature gives the advantage to the attacker. One can only harden one’s network defenses to mitigate threats and avoid becoming the next victim.
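What “phoning home” actually looks like in connection logs, as an added example written for this post (it is not NetClarity’s product code and not from Messmer’s article): a compromised host checks in with its command-and-control server on a timer, whereas a person browsing does not. The script below scores every source/destination pair by how regular its connection intervals are, using the coefficient of variation of the gaps between connections. The log lines, the log format and the thresholds are all constructed assumptions for the illustration.

```python
"""Beaconing ("phone home") detection over constructed connection logs.

Added example, not from the article and not NetClarity's product code.
Log format (timestamp src dst port bytes) and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: one host talking to a C2 server every ~5 minutes on 443,
# interleaved with ordinary, irregular web browsing to another address.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.10.0.9 203.0.113.5 443 612
2014-03-01T10:00:14 10.10.0.9 198.51.100.7 80 40211
2014-03-01T10:05:00 10.10.0.9 203.0.113.5 443 598
2014-03-01T10:07:41 10.10.0.9 198.51.100.7 80 9012
2014-03-01T10:10:01 10.10.0.9 203.0.113.5 443 603
2014-03-01T10:15:00 10.10.0.9 203.0.113.5 443 611
2014-03-01T10:19:03 10.10.0.9 198.51.100.7 80 15000
2014-03-01T10:20:00 10.10.0.9 203.0.113.5 443 600
2014-03-01T10:24:55 10.10.0.9 203.0.113.5 443 607
2014-03-01T10:31:10 10.10.0.9 198.51.100.7 80 2200
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), int(nbytes)))
    return flows


def beacon_score(events, min_events=4):
    """Return (mean gap in seconds, coefficient of variation of the gaps),
    or None when there are too few events to judge regularity."""
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return mean, cv


def find_beacons(text, max_cv=0.15, min_events=4):
    """Flows whose inter-connection gaps are nearly constant are beacon suspects."""
    suspects = []
    for (src, dst, port), events in parse_log(text).items():
        score = beacon_score(events, min_events)
        if score is None:
            continue
        mean, cv = score
        if cv <= max_cv:
            sizes = [n for _, n in events]
            suspects.append({
                "src": src, "dst": dst, "port": port,
                "interval_s": round(mean), "cv": round(cv, 3),
                "events": len(events),
                # Near-identical sizes are a second beacon hint: heartbeats carry little data.
                "size_spread": max(sizes) - min(sizes),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_LOG):
        print(f"BEACON? {s['src']} -> {s['dst']}:{s['port']} every ~{s['interval_s']}s "
              f"(cv={s['cv']}, n={s['events']}, size spread={s['size_spread']} bytes)")
```

Against the sample, only the 203.0.113.5 flow is flagged (about every 299 seconds, with a byte-count spread of 14), while the browsing flow’s irregular gaps put it well above the threshold. Real malware adds jitter to defeat exactly this test, so the threshold has to be tuned, and a flagged host still needs confirmation before it is isolated.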
Based on article- Incident Response Now Shaping Security Operations, by Kelly Jackson Higgins
In the flurry of recent data breaches, companies are coming to grips with the fact that cyber-attacks will happen. Target, a company that spends millions on security, was breached on monumental proportions; we can no longer assume it won’t happen to the rest of us. The emphasis of network security strategy is moving towards how best to manage the aftermath of an attack. This shift includes not only damage control of the breach itself but also ways to avoid devastating consequences to the corporate image and brand. An incident response plan (an organized approach to addressing and managing security incidents after they have occurred) has moved “center-stage” in organizations’ security posture.
Target’s missteps included not responding to warnings from its own network monitoring system, dismissing its logs, and failing to segment the network access of its third-party HVAC vendor, to name a few. Compounding the problem was Target's slow response in alerting customers after it had discovered the breach; by the time Target spoke, an alarmingly accurate report had already been published by Krebs on Security. “Anytime you are not controlling the release of information, you lose the opportunity to cast yourself in the role of the hero rather than the villain.” Jason Maloni, from Levick Strategic Communications, told the Minneapolis Star Tribune.
Even after the slow initial response, the communication woes continued. Customer service lines for Target’s REDcard credit cards were jammed and its social media channels were inundated with furious customers. Poor customer service was also reported by those who called in for more information. A security disaster had turned into a communications disaster. Customers’ trust had been breached right alongside their data, and customer loyalty and the Target brand took a hit: profit in the 4th quarter fell by 46% and sales fell by 5.3% because the breach scared off customers worried about their private data. Scammers were on the hunt too, taking advantage of the confusion the poor response created.
More than 60 percent of organizations say they have IR plans in place, according to a recent report by Arbor Networks and The Economist Intelligence Unit. Two-thirds of these organizations say that solid incident response in the wake of a breach can actually strengthen their reputation. “IR can’t be underestimated anymore,” says Cherie LaFlamme, Marketing Director at NetClarity. “Not only must you identify, contain, and eradicate the breach, but rapid communication and transparency to customers is a must to keep the trust and loyalty in hand,” she added.
With data breaches accelerating, there is a new sense of urgency to embed a solid incident response plan in the enterprise’s security strategy. It must be comprehensive enough to keep an attack from spreading, and at the same time anchored in swift communication with customers, in order to keep trust and brand loyalty intact.
Based on the article- Data Breaches Eroding Usefulness of Personal Identification, argues new analysis by John E. Dunn
Another day, another data breach. A new analysis by NSS Labs found that roughly half of the largest data breaches to date occurred in 2013 alone. With breaches spiraling out of control, hackers are stealing personal identifiers, including social security numbers, birthdates, and health records, among others. The prediction is that people’s most confidential data will no longer be viable for authenticating them; the usefulness of the data itself will fade. Additionally, cybercrime is so commonplace today that most people no longer consider compromised data an alarming exception, but view it as almost normal.
Today, millions of users are registered with multiple online services, and Forrester Research predicts that e-retail spending will increase by 62% by 2016. Cybercriminals are on a mission to piece together bits of personal data from online searches, shopping, and social media pages. Aggregated over time, those bits let hackers build detailed profiles of users. The long-term effect of this data mining will be to erode the value of private data as we know it.
Personal data theft is indeed an immense challenge to companies, governments, and society at large. Here are 4 ways for enterprises to minimize the erosion of confidential data:
- Enterprises should hold the minimum amount of data they need on their networks. Assess what is truly valuable and remove the rest.
- Companies should enact a clear policy and develop tools for enforcing that policy to minimize the frequency and damage from data theft, thereby reinforcing overall security posture.
- Shift away from static identifiers such as social security numbers and citizenship. These identifiers can’t be changed after a theft, whereas a credit card number or PIN can. Compromised accounts demand proper re-authentication as well.
- Governments should enact clear breach notification laws, but until then, industry can establish a trusted clearing house to collect, analyze, and notify those whose services are at risk. Meaningful collaboration in assessing who is at risk, with an action plan to decrease that risk in the future, is essential as well.
Companies, governments, and society as a whole need to act now to slow the overwhelming tide of destruction left behind by data breaches. If apathy and inaction continue, the ill effects of cybercrime will only escalate.
- NetClarity's Security Team
Based on the article, Employees: The Weakest Link in Security? By Samuel Greengard
Employees are the weakest link in security, the Boardroom Cyber Watch Survey 2013 finds, but more often than not the damage is unintentional. The Bring Your Own Device (BYOD) trend has compounded the problem, leaving enterprise networks vulnerable. With breaches and malware expected to cost $491 billion in 2014,[i] there is a compelling need to train employees, construct viable security policies, and use practical monitoring tools and methods to keep hackers and malware out of your network and away from sensitive data.
Here are 3 ways to minimize risk:
- Create sound policies. Security policies must be clear and must cover BYOD (decide which devices are strictly off limits, which are allowed, who has access and how) along with how they will be implemented and enforced. Furthermore, policies should not interfere with employees getting their work done.
- Educate and train employees. A few good methods: enlist a staff member as a “pretend social engineer” to call employees and request confidential information; send out fake phishing emails to see who clicks; administer random quizzes. Afterwards, explain how to avoid becoming a victim next time, when it may be real: how to hover over a link to check that the destination URL is legitimate, how to recognize red flags in emails such as spelling errors or intimidating language, why stronger passwords matter, the risks of personal cloud services, and so forth. Then test again later to make sure the lessons stick. Reiterate the importance of security awareness to the company and its customers, and point out that even upper management suffers from these missteps from time to time.
- Control and monitor your policies. “A policy without a practical enforcement mechanism is not worth the paper it’s written on”, says Hal Charnley, CEO of NetClarity. He adds, “Our NAC solution is a powerful and practical enforcer of policy.” Many employees don’t pay attention to existing policies or simply ignore them, and sometimes they don’t understand the underlying importance of the policies. Tools to help monitor and enforce are crucial, including mobile device management, two-step verification, encryption, endpoint security, and network monitoring, among others. Make sure the tools are in place before they are needed: for example, to wipe a lost or stolen smartphone or block an unwanted device from the network.
You can’t expect employees to become IT security experts, but with a little education, smart policies and practical tools for enforcement, they can become your newest IT ally. Not only will they help you keep the network secure, but your job will become easier and less stressful, since threats will be limited in scope and frequency.
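The “hover over the link” lesson from the training tip above can also be run as code, which is useful both for scoring the fake phishing emails you send and for a quick check on real ones. The following is an added example written for this post, not code from Greengard’s article or from NetClarity: it pulls every anchor out of an HTML email body and flags links whose visible text names one host while the href goes somewhere else, links to a bare IP address, and hosts that embed a trusted name without being that domain. The sample email and the trusted-domain list are constructed.

```python
"""Link-mismatch check for phishing awareness: does the link go where it says?

Added example, not from the article.  The sample message and the trusted
domain list are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: names the organization really uses

# Constructed sample email body
SAMPLE_EMAIL = """\
<p>Your account needs verification within 24 hours.</p>
<a href="http://example-bank.com.verify-login.net/secure">https://example-bank.com/login</a>
<a href="https://example-bank.com/help">Help Center</a>
<a href="http://example-bank.com.verify-login.net/secure">Verify now</a>
<a href="http://203.0.113.9/reset">Reset password</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); production code would use a public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def shown_host(text):
    """Host a reader would infer from the link text, or '' if the text is just words."""
    text = text.strip()
    if not text or " " in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host else ""


def is_ip_literal(host):
    return host.replace(".", "").isdigit()


def lookalike(host, trusted):
    """A trusted name appears inside the host but is not its registrable domain,
    e.g. example-bank.com.verify-login.net."""
    return any(t in host and registrable(host) != t for t in trusted)


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return (finding, link text, real host) for every suspicious anchor."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = (urlparse(href).hostname or "").lower()
        shown = shown_host(text)
        if shown and registrable(shown) != registrable(real):
            findings.append(("DISPLAY_MISMATCH", text, real))
        elif real and is_ip_literal(real):
            findings.append(("IP_LITERAL_HOST", text, real))
        elif lookalike(real, trusted):
            findings.append(("LOOKALIKE_DOMAIN", text, real))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```

On the sample, the first, third and fourth links are flagged and the genuine Help Center link passes. The registrable-domain comparison is deliberately crude (last two labels), so hosts under suffixes like co.uk need a public-suffix list before this is used for anything beyond training.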
-NetClarity Security Team
Based on the article – Focus on fundamentals to reduce data breaches, expert advises, by Linda Musthaler
In the wake of the glut of recent data breaches, companies are reassessing every aspect of their network security. In part one of this blog I discussed the details of the Target data breach and showed that cyber-attacks are complicated and extensive: 110 million records were affected between November 27th and December 15th of last year as shoppers swiped their credit cards at Target’s point-of-sale (PoS) terminals nationwide.
Companies, including Target, constantly look for someone to blame when data theft occurs and then attempt to fix the problem as fast as possible, but there is never just one reason why an organization gets compromised. That would be too easy. In Target’s case, not one but several mistakes combined to create the “perfect storm” for the hackers: poor network segmentation, overlooked vulnerabilities, malware, technology inefficiencies, human error and so on. The newest estimates put the cost of this breach to Target at up to a few billion dollars, on top of the millions Target had already invested in security before the attack. It is time to focus on a new strategy, but first one must take to heart this mantra: companies can’t be impervious to cybercrime, but they can implement basic best practices to minimize how often crime occurs and lessen the impact when it does.
Here are 5 fundamental best practices to take:
- Asset identification. Organizations often don’t know what is on their network. “At NetClarity, we frequently work with prospects as they conduct a full scan of their network with our NAC solution. Almost always, the IT administrator is surprised to see the devices that are revealed,” says Jason Orgill, Director of Product Management & Business Development. Did Target even know there was a third-party system directly connected to its core network? In network security there shouldn’t be any surprises. Businesses need to see all devices on their network and control their access and interconnectivity.
- Configuration and change management. Did Target have any idea how the system from the HVAC vendor was configured and whether it exposed Target to vulnerabilities? Why was FireEye’s network monitoring tool not configured to block the threat it alerted on? IT needs to know how devices are configured, and when changes are made, to maintain that security.
- Data discovery. Many retailers don’t know when they have information stored unencrypted, in plain text, on servers. They need to know where their data is located at all times.
- Network segmentation. It is imperative to have highly segmented networks with different levels of visibility. That way, if a system is compromised, the attacker’s reach is limited.
- Sound policy & employee education. “I have seen enterprises roll out very expensive systems to handle security monitoring, yet there is no subject matter expert for this technology or risks within the enterprise. Any organization looking to implement security technologies should make the same investment in their people…,” says Joe Schumacher, a security consultant for Neohapsis. [i] Furthermore, at least one employee of Target’s HVAC vendor fell for a phishing email, which enabled the hackers to steal login credentials and conduct more detailed reconnaissance of the retailer’s network. Robust policy and processes for managing security when breaches occur, together with knowledgeable employees ready to respond, are paramount for any enterprise.
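The asset identification and network segmentation points above, like the earlier IoT advice to put such devices on their own network and to scan for what is connected, come down to one recurring check: is every device on the network known, and is it sitting where policy says it should? Here is that check as an added example written for this post; it is illustration code, not NetClarity’s NAC product and not from Musthaler’s article. It parses a constructed “arp -an” dump, compares each MAC against an approved inventory, and flags both unknown devices and approved devices found in the wrong segment (the HVAC controller on the payment VLAN is the Target scenario). The ARP output, inventory and VLAN plan are all assumptions.

```python
"""Asset identification and segmentation audit over a constructed ARP table.

Added example, not NetClarity's NAC code and not from the article.  The
inventory, VLAN plan and ARP output are constructed assumptions.
"""
import ipaddress
import re

# Assumed segmentation plan: the subnet each device class is allowed to live in.
VLAN_PLAN = {
    "corp":    ipaddress.ip_network("10.10.0.0/24"),
    "payment": ipaddress.ip_network("10.20.0.0/24"),
    "iot":     ipaddress.ip_network("10.30.0.0/24"),
    "vendor":  ipaddress.ip_network("10.40.0.0/24"),
}

# Assumed approved inventory: MAC -> (description, device class)
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("pos-register-07", "payment"),
    "00:1a:2b:3c:4d:02": ("hvac-controller", "vendor"),
    "00:1a:2b:3c:4d:03": ("finance-laptop-12", "corp"),
    "00:1a:2b:3c:4d:04": ("lobby-thermostat", "iot"),
}

# Constructed "arp -an" style output gathered from the core router.
SAMPLE_ARP = """\
? (10.20.0.17) at 00:1a:2b:3c:4d:01 [ether] on vlan20
? (10.20.0.44) at 00:1a:2b:3c:4d:02 [ether] on vlan20
? (10.10.0.9) at 00:1a:2b:3c:4d:03 [ether] on vlan10
? (10.20.0.61) at 00:1a:2b:3c:4d:04 [ether] on vlan20
? (10.10.0.77) at 5c:cf:7f:aa:bb:cc [ether] on vlan10
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return (ip_address, mac) pairs from arp -an output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((ipaddress.ip_address(m.group("ip")), m.group("mac").lower()))
    return entries


def classify_subnet(ip, plan=VLAN_PLAN):
    """Name of the segment an address sits in, or None if it is outside the plan."""
    for name, net in plan.items():
        if ip in net:
            return name
    return None


def audit(arp_text, inventory=INVENTORY, plan=VLAN_PLAN):
    """Flag devices nobody approved and approved devices in the wrong segment."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        seen_in = classify_subnet(ip, plan)
        if mac not in inventory:
            findings.append(("UNKNOWN_DEVICE", str(ip), mac, seen_in))
            continue
        name, allowed = inventory[mac]
        if seen_in != allowed:
            findings.append(("WRONG_SEGMENT", str(ip), name, f"{seen_in} != {allowed}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP):
        print(finding)
```

Against the sample the audit reports the HVAC controller and the lobby thermostat both sitting on the payment subnet, plus one MAC that is in nobody’s inventory. ARP tables only show devices that have recently talked, so in practice this runs on a schedule and is fed from every router and switch, not one snapshot; the point is that surprises surface as a list of findings rather than as a breach.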
Data breaches are indeed costly. A recent joint study from the IDC and the National University of Singapore predicts “…that enterprises around the globe will spend around $500 billion in 2014 on making fixes and recovering from data breach and malware. Consumers worldwide will likely spend $25 billion as a result of those security threats.”[ii]
The stakes are high: focusing on the fundamentals is essential to limiting the damage, size, and frequency of any breach. Applying these principles is prudent not only to keep the company’s and customers’ data intact but also to avoid becoming the next big headline. Had Target followed these practices, its breach would likely have been far smaller and might never have made the headlines. The good news: the rest of us can learn a lot from Target’s story, and do a better job of protecting our networks and customers’ data in the future.
Learn from the Target “blame game” but focus on the basics to reduce future data breaches
Based on article- "Focus on fundamentals to reduce data breaches, expert advises," by Linda Musthaler, from Network World, March 7th, 2014
Question- What went wrong in the Target breach that stole credit/debit card data from 110 million records?
Answer- Lots of things and the blame is being divvied up all around. Here is my newest list:
- Target’s sensitive payment network was not sufficiently segregated from the rest of its business network. The hackers got in via a third-party HVAC company that had access to Target’s network.
- A malware attack, specifically an email phishing campaign about two months prior to the data theft, targeted that same HVAC company; some of its employees took the bait and their login credentials were stolen.
- Lax security on point-of-sale (PoS) terminals deployed at remote sites. The makers of these devices are slow to roll out patches, which makes them an easy target.
- Insecure credit card technology. The US lags behind Europe in migrating to EMV (Europay, MasterCard and Visa) chip cards. Malware running on the PoS terminals captured card data from memory right after customers swiped their credit or debit cards, before the data was encrypted; customer names, addresses and phone numbers were taken as well. The stolen card data led to consumer fraud. EMV makes cloned cards produced from stolen magnetic-stripe data far harder to use, essentially eliminating this type of “face to face” fraud.
- Insufficient PCI DSS requirements. PCI DSS does not require encryption of network traffic inside a retailer’s own network, and segmenting payment systems from other systems on the network is recommended but not required.
- Human error, which I would include under the category of weak policy and processes for managing security systems. Target was warned on two separate occasions by alerts from FireEye, the vendor of its newly installed network monitoring tool, that there was malware on its network before the card data was exfiltrated. Target did not act on the warnings. Additionally, FireEye’s product could have been configured to block the threat automatically, but the feature was not enabled. Target’s CIO has since resigned.
While it is indeed important to figure out what went wrong at every level in the aftermath of a breach, organizations need to come to terms with the truth: you can’t stop all the bad guys from coming in, no matter what you do. Hackers will always find new and clever ways to attack a network, and although there is no silver bullet, organizations can focus on fundamental sound practices to reduce the impact and frequency of future breaches. Just imagine if Target had lost only a few thousand cards’ data. What a different story that would be, versus 110 million, which by the way eclipses fellow retailer TJX’s roughly 90 million records stolen in the breach disclosed in 2007, taking first place as the largest retail data breach in history.
Stay tuned for part two of this blog: best practices your organization can take to reduce data breaches.
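The “data discovery” fundamental and the card-capture step in the list above are two sides of the same pattern matching. POS RAM-scraping malware hunts memory for magnetic-stripe track data; a defender running the same search over files, logs and memory dumps finds out where unencrypted card data is sitting before an attacker does. The following is an added example written for this post (not from Musthaler’s article and not NetClarity code): it scans a few constructed buffers for track-2 data and bare card numbers, uses the Luhn check to throw away digit runs that merely look like cards, and masks what it reports. The track-2 layout is from ISO/IEC 7813; the sample buffers are constructed and the card numbers are standard test numbers, not real accounts.

```python
"""Cardholder-data discovery over constructed plaintext buffers.

Added example, not from the article.  Track-2 layout per ISO/IEC 7813:
[;]PAN(13-19 digits)=YYMM service-code(3) discretionary-data[?].
Sample buffers are constructed; the PANs are industry test numbers.
"""
import re

TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??")
# Bare PAN of 13-19 digits, optionally grouped by spaces/dashes, not inside a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed samples: a POS memory dump, an export file, and an application log.
SAMPLE_BUFFERS = {
    "pos_memory.dmp": b"\x00\x00;4111111111111111=15121011234567890?\x00\x00AcmeStore\x00",
    "orders_export.csv": b"order,card,amount\r\n1001,5555 5555 5555 4444,42.10\r\n1002,1234567890123,9.99\r\n",
    "app.log": b"2014-03-01 payment ok txn=8812345678901234567 ref=9999\n",
}


def luhn_ok(digits):
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf, label):
    """Return masked hits for track-2 records and bare PANs found in one buffer."""
    hits, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"where": label, "kind": "TRACK2",
                         "pan": mask(pan), "expires": m.group("exp").decode()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a track-2 record
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            hits.append({"where": label, "kind": "PAN", "pan": mask(pan)})
    return hits


def scan_all(buffers=SAMPLE_BUFFERS):
    return [hit for label, buf in buffers.items() for hit in scan_buffer(buf, label)]


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

The memory dump yields a full track-2 record (PAN plus expiry), the CSV export yields a bare card number, and the 13-digit order field and 19-digit transaction id in the other buffers are dropped because they fail the Luhn check. Either hit is a finding: card data in memory is what the Target malware harvested, and card data in an export file is exactly what “data discovery” is meant to catch before someone else does.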
- NetClarity's Security Team
Summary of Kelly Jackson Higgins' article Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing from 04/11/2014
As the dust settles from the Target breach, retailers are scrambling to analyze their own networks’ security to avoid becoming the next victim. “When the second largest retailer with hundreds of millions of dollars invested in cyber security is breached, retailers and the rest of us need to pause, assess and harden up our policies and network defenses,” says Jason Orgill, Director of Product Management and Business Development at NetClarity. Up to 110 million records, roughly a third of the US population, were affected during last year’s holiday shopping season, as credit and debit card data and personal information were stolen and went on to fuel many consumer scams.
The retail industry has now come together to consider forming a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC) to share information about the latest cyber attacks and threats plaguing its industry and others, in order to better protect customers’ payment card data and other information. Other sectors, including electricity, supply chain and education, have formed ISACs in the past.
The ISAC would also be an opportunity to collaborate on new technologies to stay ahead of advanced threats. For example, chip-based (EMV) credit cards, already deployed in Europe, would largely eliminate face-to-face and skimming fraud, which happens when a person or a skimming device attached to a card reader illegally captures card data during a transaction. (The US liability shift to EMV is not scheduled until 2015.) And since the Payment Card Industry Data Security Standard (PCI DSS) does not even require segmenting payment systems from other systems on the network, there would be yet another opportunity to brainstorm over best practices currently held in the industry.
Additionally, the National Retail Federation (NRF) and other retail trade associations have partnered with financial associations to explore information sharing on network breaches, malware, vulnerabilities and threats, as well as technology advances.
The formation of the ISAC is an important and positive step in the battle against cyber crime. Sharing security information will benefit all parties involved with the common goal to combat future cyber threats looming on the horizon and therefore protect their customers from data theft.
- NetClarity's Security Team