Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

  • InfoSecWorld, Lake Buena Vista, Florida (March 19-21)
  • Black Hat Asia, Singapore (March 20-23)
  • RSA Conference, San Francisco, California (April 16-20)

What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, and Fitbits send emails to wearers with their weekly status reports, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

BYOD OK?

We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).

Why?

Three theories:

  • First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.
  • Second, senior management — both in IT and in lines of business — have seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.
  • Third, there are some advantages that businesses can realize from employees using their own devices. While lower business costs are an important advantage because IT doesn’t have to purchase devices for some employees, another important benefit is that IT doesn’t have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren’t exactly sure who’s responsible for doing so — IT, the employee’s manager, HR or someone else. A survey we conducted some time back asked, “when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?” We found that only 43 percent of respondents were “completely confident” that the mobile service was deactivated, and 11 percent either were “not really sure” or just didn’t know. Employees using their own devices and plans gets around this problem nicely.

To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems, such as the inability for IT to know where all of a company’s data is stored, the inability to properly archive that data, the inability to produce all of it during an eDiscovery effort or a regulatory audit, lots of duplicate data, a failure to establish an authoritative record for corporate data, a greater likelihood of data breaches if a device is lost, and the potential for not being able to satisfy regulatory obligations.

That last point is particularly important, especially in the context of the European Union’s General Data Protection Regulation (GDPR). A key element of the GDPR is a data subject’s “right to be forgotten”, which translates to a data holder’s obligation to find and expunge all data it has on a data subject. If an organization cannot first determine all of the data it holds on a data subject and then cannot find all of that data, it runs the risk of violating the GDPR and can pay an enormous penalty as a result.

In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.


Best Practices for Dealing With Phishing and Ransomware

We have just published a white paper on phishing and ransomware that we welcome you to download and review. Here are some of the key takeaways from the paper:

  • Both phishing and crypto ransomware are increasing at the rate of several hundred percent per quarter, a trend that Osterman Research believes will continue for at least the next 18 to 24 months.
  • The vast majority of organizations have been victimized by phishing, ransomware and a variety of security-related attacks during the past 12 months. In fact, phishing and ransomware are among the four leading concerns expressed by security-focused decision makers as discovered by Osterman Research in the survey conducted for this white paper.
  • Security spending will increase significantly in 2017 as organizations realize they need to protect against phishing, ransomware and the growing variety of other threats they face.
  • Most organizations are not seeing improvements in the security solutions they have deployed and in the security practices they follow. While many of these solutions are effective, most are not improving over time, in many cases because internal staff may not have the expertise to improve the performance of these solutions over time. On balance, only two in five of these solutions and practices are considered “excellent”.
  • Security awareness training is a key area for improvement in protecting organizations against phishing and ransomware, since our research found that organizations with well-trained employees are less likely to be infected.
  • There are a variety of best practices that organizations should follow in order to minimize their potential for becoming victims of phishing and ransomware. Among these best practices are implementing security awareness training, deploying systems that can detect and eliminate phishing and ransomware attempts, searching for and remediating security vulnerabilities in corporate systems, maintaining good backups, and using good threat intelligence.

You can download the paper here.

As an aside, I will be attending the Virus Bulletin International Conference next week in Denver and encourage you to do likewise if you’re at all focused on security. I have been to this event before and can vouch for its tremendous value as a place to learn about trends in cyber security and to advance your education about all things security.

Dealing With Phishing and Next-Generation Malware (Part 2)

This is a continuation of my last post focused on ways that decision makers can address problems with phishing and next-generation malware:

Establish detailed and thorough policies: Most organizations have not yet established sufficiently detailed and thorough policies for the various types of email, Web and social media tools that their IT departments have deployed or that they allow to be used. Consequently, we recommend that an early step for any organization should be the development of detailed and thorough policies that are focused on all of the tools that are or probably will be used in the foreseeable future. These policies should focus on legal, regulatory and other obligations to:

  • Encrypt emails and other content if they contain sensitive or confidential data.
  • Monitor all communication for malware that is sent to blogs, social media, and other venues.
  • Control the use of personally owned devices that access corporate resources.

Creating detailed and thorough policies will help decision makers not only to determine how and why each tool is being and should be used, but it also will help decision makers determine which capabilities can or cannot be migrated to cloud-based security solutions and which should be retained in-house.

Implement best practices for user behavior: The next step is to implement a variety of best practices to address the security gaps that have been identified. For example:

  • Employees need to employ passwords that match the sensitivity and risk associated with their corporate data assets. These passwords should be changed on an enforced schedule, and should be managed by IT.
  • Employees should be strongly encouraged and continually reminded to keep software and operating systems up-to-date, to minimize the chance that a known exploit infects a system with malware.
  • Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more skeptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the “human firewall” can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks.
  • Employees should be tested periodically to determine if their anti-phishing training has been effective.
  • Employees should be given training about best practices when connecting remotely, including the dangers of connecting to public Wi-Fi hot spots or other unprotected access points.
  • Employees need to be trained on why not to extract potentially suspicious content from spam quarantines that might end up being phishing emails.
  • Employees need to be given a list of acceptable and unacceptable tools to employ for file sync and share, social media and other capabilities as part of the overall acceptable use policies in place.
  • Ensure that all employees maintain robust anti-virus defenses on their personally managed platforms if access to any corporate content will take place on them.
  • Employees should be reminded continually about the dangers of oversharing content on social media. The world will not be a better place if it knows that you had breakfast in Cancun this morning, but it could give cybercriminals a piece of information they need to craft a spearphishing email.

Deploy alternatives to solutions that employees use today: Decision makers should seriously consider implementing tools that will replace many of the employee-managed solutions in place today, but that will provide users with the same convenience and ease of use. For example, IT may want to deploy an enterprise-grade file sync and share alternative to the consumer version of Dropbox that is so widely used today. They may want to implement a business continuity solution that will enable corporate email to be used during outages instead of users falling back on their personal Webmail accounts. They may want to consider deploying an enterprise-grade file-sharing system that accommodates very large files if the corporate email system does not allow these files to be sent.

Implement robust and layered security solutions based on good threat intelligence: It almost goes without saying that it is essential to implement a layered security infrastructure that is based on good threat intelligence. Doing so will minimize the likelihood that malware, hacking attempts, phishing attempts and the like will be able to penetrate corporate defenses.

An essential element of good security is starting with the human component. As we discussed above, users are the initial line of defense in any security system because they can thwart some potential incursions like phishing attempts before technology-based solutions have detected them. Consequently, we cannot overemphasize the importance of good and frequent user training to bolster this initial line of defense, the goal of which is to heighten users’ sensitivity to phishing and related threats, and to help users to be less gullible. By no means are we suggesting that users can be the only line of defense, but they should be incorporated into the overall security mix.

Determine if and how the cloud should be used: A critical issue for decision makers to address is whether or not internal management of security, as well as other parts of the IT infrastructure, is a core competency that is central to the success of the organization. Key questions that decision makers must answer are these:

  • Will our security improve if solutions remain on-premises?
  • Will security managed on-premises by in-house IT staff contribute more to the bottom line than using a cloud-based provider?
  • Should a hybrid security approach with both on-premises and cloud-based solutions be used? If so, for which systems?

An important requirement in accurately evaluating the use of cloud-based security solutions is for decision makers to understand the actual and complete total cost of ownership for managing the current, on-premises infrastructure. Osterman Research has found consistently that many decision makers do not fully count all of these costs and are not confident in their estimates. If decision makers do not understand accurately what it costs their organization to provide a particular service to their users, this leads to poorly informed decision-making, as well as an inability to determine the potential cost savings and the return-on-investment from competing security solutions.

If you’d like to download our recently published white paper that explores these issues, you’re welcome to do so here.

What Threats Should You Be Concerned About? (Part 1)

Organizations of all sizes face a wide variety of threats, ranging from seemingly innocuous incursions like spam that create storage problems and general annoyance, to highly targeted email attacks that can create major breaches of sensitive or confidential information. Among the range of threats to consider are the following:

Phishing emails: Phishing emails are comparatively unfocused email messages that are designed to elicit sensitive information from users, such as login credentials, credit card information, Social Security numbers and other valuable data. Phishing emails purport to be from trustworthy sources like banks, credit card companies, shipping companies and other sources with which potential victims already have established relationships. More sophisticated phishing attempts will use corporate logos and other identifiers that are designed to fool potential victims into believing that the phishing emails are genuine.

The impact of phishing emails should not be underestimated. An Osterman Research survey conducted in late 2014 found that there have been a variety of security incidents that were attributable to malicious emails, such as 41% of organizations that have lost sensitive data on an employee’s computer and 24% that have lost sensitive data from the corporate network.
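The two phishing traits described above, a message that purports to come from a trusted brand and uses that brand’s identifiers, are exactly what a mail-gateway rule can test for. The following is an added example written for this post, not code from Osterman Research or from any product; the two sample messages, the brand allow-list and the domain names are all constructed for illustration. It flags a message when the display name claims a known brand but the sending domain is not one the brand uses, when Reply-To points somewhere other than the From domain, and when the receiving server’s Authentication-Results header shows SPF or DKIM not passing.

```python
"""Heuristic phishing indicators over raw RFC 5322 message text (added example)."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample messages for the demo; none of these domains is real.
SAMPLE_PHISH = """From: "First National Bank Security" <alerts@fnb-secure-login.example>
Reply-To: verify@mail-verify.example
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=fnb-secure-login.example; dkim=none
Subject: Urgent: verify your account
To: user@example.org

Please confirm your credentials at the link below.
"""

SAMPLE_LEGIT = """From: "First National Bank" <alerts@firstnationalbank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=firstnationalbank.example; dkim=pass header.d=firstnationalbank.example
Subject: Your monthly statement is ready
To: user@example.org

Your statement is available in online banking.
"""

# Hypothetical allow-list: brand name as it appears in display names -> domains it legitimately sends from.
TRUSTED_BRANDS: Dict[str, set] = {
    "first national bank": {"firstnationalbank.example"},
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg: Message) -> Dict[str, str]:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    verdicts: Dict[str, str] = {}
    for part in msg.get("Authentication-Results", "").split(";"):
        part = part.strip()
        for mech in ("spf", "dkim", "dmarc"):
            if part.startswith(mech + "="):
                # value is the first token after 'mech='; trailing properties are ignored
                verdicts[mech] = part[len(mech) + 1:].split()[0].lower()
    return verdicts


def phishing_indicators(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings: List[str] = []

    # 1. Brand impersonation: display name names a brand, sending domain is not the brand's.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display.lower() and from_dom not in domains:
            findings.append(f"display name claims '{brand}' but From domain is {from_dom}")

    # 2. Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 3. Sender authentication did not pass (absent header is not treated as a failure).
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim"):
        if mech in verdicts and verdicts[mech] != "pass":
            findings.append(f"{mech.upper()} result is {verdicts[mech]}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

In practice the brand list would be fed from the organization’s own vendor and bank relationships, and a message with several findings would be quarantined rather than deleted so that users are not tempted to fish it back out, a point the training advice on this page makes.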

Spearphishing emails: A spearphishing email is a targeted phishing attack that is generally directed at a small group of potential victims, such as senior individuals within a company or other organization. Spearphishing emails are generally quite focused, reflecting the fact that a cybercriminal has studied his or her target and has crafted a message that is designed to have a high degree of believability and a potentially high open rate.

One of the reasons that spearphishing is becoming more effective is that potential victims provide cybercriminals with the fodder they need to craft believable messages. For example, Facebook, Twitter, LinkedIn and other social media venues contain enormous amounts of valuable information about travel plans, personal preferences, family members, affiliations, and other personal and sensitive information that can be incorporated into spearphishing emails.

Remote users accessing corporate resources: Employees, contractors and others who access resources on the corporate network, such as those working from home or in another remote site, are a key source of threats. An unprotected user accessing a corporate asset, such as Outlook Web Access that is not accessed via a VPN, or a laptop computer that becomes infected and later is connected to the corporate network, can constitute a serious threat. This is becoming a serious problem for most organizations as users employ personally owned devices like their own smartphones, tablets and other traditionally consumer devices in a workplace setting.

Consumer file sync and share tools: Closely related to the point above is the widespread and growing use of consumer file sync and share tools like Dropbox, Microsoft OneDrive and Google Drive, among many others. These tools are commonly used by employees to make their files available on all of their desktop, laptop and mobile platforms for access when traveling, when they work from home, or when they are otherwise away from the office. While these tools are quite useful and generally work as they are intended, they represent an important incursion point for malware. For example, an employee who accesses his or her corporate files on a home computer, many of which do not have the latest anti-virus updates and whose use is not controlled by any sort of sophisticated security infrastructure, can inadvertently infect these files with malware. When the files are synced back to the employee’s desktop computer, malware can readily infect the network because it may have bypassed corporate email, Web gateway and other defenses. In an alternative infection scenario, an employee working from home can have files infected from their home computer and then send these files to a client or business partner without the files ever having passed through the corporate security infrastructure.

Watering holes: This is a type of social engineering attack in which cybercriminals will identify key Web sites that are frequented by individuals or groups they would like to infiltrate, such as mobile app developers. These targeted Web sites are then infected with malware, the goal of which is to infect members of the affinity group. An example of one such attack was an iOS mobile developers’ forum that hosted malware and was targeted against Apple and Facebook.

I will continue the list in my next blog post. We’re producing a white paper focused on addressing these issues – if you’d like a pre-publication copy of the paper, send us a request at and we’ll send it to you right away.