Monthly Archives: September 2016

More than half of the workforce at about half of all companies in business are using cloud applications, like Dropbox or Salesforce. And that uptake is driving adoption for security-as-a-service offerings.

The fresh survey, from Thycotic, also shows that about 32.5%—the largest percentage of respondents—said that 75% or more of their employees have access to an application in the cloud. The top three usage scenarios are email, storage and collaboration/project management—all areas involving rich repositories of company data. 

When asked how important it is to protect privileged accounts that have access to company data, the vast majority—85.8%—said that it was “very important.” But only 62% said they feel that these accounts are already very secure and well-guarded. It indicates a gap and potential area of future investment.

Growing businesses require a mature focus on protecting the network and data from crippling threats that take advantage of unmanaged privileged accounts to gain undetected access to the network. Interestingly, the survey found that the embrace of the cloud extends to security solutions, too. The survey found that 60.6% said they would be “very likely” to use a cloud platform to protect passwords on privileged accounts.

“Our assumption was that because organizations often are often worried about security when they implement a SaaS solution, that they would be hesitant to use an SaaS deployment model for protecting their company’s information assets,” said a company spokesperson. “That assumption proved to be wrong.”

The results fit with findings from the 2016 Gartner Market Guide for Privileged Access Management (PAM), which predicts that by 2019, 30% of new PAM purchases will be delivered as a service or run in the cloud (up from less than 5% today). This growth suggests that the need for managed virtual infrastructure and cloud services will become more critical.

Dovetailing with the trend, Thycotic has announced Secret Server Cloud, a cloud-based privileged account management solution engineered to keep organizations’ most valued assets in the cloud by allowing enterprises to discover, manage and protect their privileged accounts.

“The next killer app in the cloud is privileged account management as a service,” said Joseph Carson, Thycotic security specialist. “Many companies are moving away from traditional brick and mortar offices and with this we see many of those companies moving to the cloud to fully run and operate their business. However, as those businesses start to grow quickly and even as traditional companies use more and more cloud services, managing and securing all of those privileged accounts start to become a major challenge.”

via: infosecurity-magazine

From HIPPA to SOX, whether you work for an organization controlled by compliance standards or you are an independent IT firm looking to build your enterprise business, industry regulations regarding data security can sometimes cause a real headache.  Keep reading for a single set of guidelines to follow that can be applied to all industry regulations at once.

  Why Data Security Regulations Exist

Industry mandated data security requirements are there for a good reason. Where there is personal data, there are hackers trying to get at it. After all, social security numbers, credit card numbers, birthdates and more are all extremely valuable on the black market.  

According to the Identity Theft Resource Center (ITRC), there were 780 electronic data breaches in 2015. These breaches affected over 175 million records in a variety of industries including healthcare, banking, education and government agencies. Broken down by industry, the numbers look like this:

Healthcare
Breaches: 276
Records lost: 121,629,812
Banking/credit/financial
Breaches: 71
Records lost: 5,063,044
Education
Breaches: 58
Records lost: 759,600
U.S. Government/Military
Breaches: 63
Records lost: 34,222,763
Business
Breaches: 312
Records lost: 16,191,017

Five Steps to Compliance

Despite different industries being required to follow differently named guidelines, there’s a pretty good overlap for those items that IT really needs to worry about.   

Although some personal information that may not fall under any compliance standards, from an IT perspective, it’s safe to assume that any and all customer, employee or other personal information needs to be protected from breach or accidental exposure.   

In order to obtain and maintain compliance to any industry or government mandated protocol, you must have documented and validated policies and procedures that are in use by your company.   

The steps you need to follow as IT regarding security policies and procedures are fairly standard, regardless of the industry you serve: 

1. Risk Analysis

Risk analysis, sometimes also called gap analysis or security risk assessment, is the first step toward developing a data security policy. Security risk assessments should be conducted annually, biannually or any time something changes, such as the purchase of new equipment or expansion of company services.   

The purpose of risk analysis is to understand the existing system and identify gaps in policy and potential security risks. As explained by the SANS Institute, the process should work to answer the following questions:

What needs to be protected?
Who/What are the threats and vulnerabilities?
What are the implications if they were damaged or lost?
What is the value to the organization?
What can be done to minimize exposure to the loss or damage?

Areas to review for proper security:

Workstation and server configurations
Physical security
Network infrastructure administration
System access controls
Data classification and management
Application development and maintenance
Existing and potential threats

Methods of security to review:

Access and authentication: access should be physically unavailable to anyone who is not authorized
User account management
Network security
Monitoring
Segregation of duties
Physical security
Employee background checks
Confidentiality agreements
Security training

Resources from the SANS Institute also give excellent instruction for conducting a thorough risk analysis for your company.

2. Development of Policies and Procedures  

Based on the outcome of the risk analysis conducted, security policies and procedures for safeguarding data must be updated or, if none currently exist, written from scratch.   

Identify, develop and document:

A comprehensive plan outlining data security policies
Individual staff responsibilities for maintaining data security
Tools to be used to minimize risks, such as security cameras, firewalls or security software
Guidelines concerning use of internet, intranet and extranet systems

3. Implementation  

Once your company policies and procedures have been identified, planned out and documented, they need to be implemented and followed.

Purchase security software and other tools that have been identified as necessary
Update existing software and operating systems that are out-of-date
Conduct mandatory security training and awareness programs for all employees, and require signatures on mandatory reading materials
Conduct background checks of all employees
Vet third-party providers to be sure that they maintain and document compliant security protocols identical to or more robust than those in place within your company

4. Validation  

In order to prove that your company is compliant with industry regulations, you must have a third-party data security company validate your company’s security protocols, procedures and the implementation of those policies and procedures. This should be done annually or biannually.   

This process can be pricey, time-consuming and intrusive; however, this type of verification will both help your business to maintain data security, and add value to your services for use by your customers.  

A SSAE16 SOC 2 Type II security protocol can cover a large spectrum of industry regulated data security requirements, including all of those discussed in this article:  

HIPAA
GLBA
SOX
FERPA
FISMA
NIST

5. Enforcement  

Security policies and procedures can be enforced through education and penalties.    You may have noticed that education falls under both implementation and enforcement. This is absolutely the most important part of your company security and must be offered continuously.

Mandatory training and awareness programs must be scheduled for employees to ensure sensitive and confidential data is protected. Be sure that anybody who might touch protected data is trained on current policies and risks, and kept current as policies are updated or new risks identified.  

For example, be sure that all relevant employees are aware of email phishing scams, how to identify them, what to do if somebody thinks they may be targeted and what to do if they have become a victim, possibly exposing protected data. As new types of scams come into being, send company-wide emails detailing methods of identification and protection.  

The second part of enforcement is eliminating the temptation to ignore protocols and encouraging compliance. This can be done by issuing penalties, financial or otherwise, for those who do not follow important procedures.

  There You Go—Simple!

Okay, maybe it’s not exactly simple. But, if you want to avoid adding your business or your clients to the data breach stats, data security measures must be thorough. Industry compliance and overall data security will help maintain the safety of your organization’s data, and add a great selling point when pursuing clients.

via:  itproportal

Following the  iPhone 7 announcement, Apple is announcing that new AppleCare+ members will be able to get their cracked screens fixed for $29. This is big news for everyone who uses an iPhone with AppleCare+, and ultimately, anyone who owns an iPhone to begin with.

It’s worth noting how much AppleCare+ costs — $149 for the iPhone 7 Plus, or $129 for the iPhone 7 — on top of the existing cost of buying a new iPhone 7 or 7 Plus ($649 or $769 unlocked, respectively. By comparison, getting a cracked screen fixed without having AppleCare would cost you $149 , so there is some benefit to be had by enrolling.

However, the fun stops when you read the fine print: having an AppleCare+ subscription, which costs $129, includes only two repairs from accidental damage, plus a service fee. After you’ve somehow broken your iPhone 7 twice (thus confirming that you’re accident-prone), all repairs will cost $29 thereafter. This updated pricing applies to existing AppleCare+ customers as well.

As for the last-generation flagship iPhones (the 6S and 6S Plus), an AppleCare+ subscription will be the same pricing structure ($149 and $129), with the same policies as iPhone 7 AppleCare+ customers.

Try not to break your shiny new phone, is my personal recommendation.

via:  techcrunch

Now your sweaty body can power your phone. Like Neo in the Matrix, a new system created by researchers at North Carolina State University lets you generate electricity with a wearable device. Previous systems used massive, rigid heat sinks. This system uses a body-conforming patch that can generate 20 μW per centimeter squared. Previous systems generated only 1 microwatt or less.

The system consists of a conducive layer that sits on the skin and prevents heat from escaping. The head moves through a thermoelectric generator and then moves into an outer layer that completely dissipates outside the body. It is 2mm thick and flexible.

The system, which is part of the National Science Foundation’s Nanosystems Engineering Research Center for Advanced Self-Powered Systems of Integrated Sensors and Technologies (ASSIST), has a clear path to commercialization.

The goal is to embed these into health tools that can measure your vital signs without needing to be recharged. “The goal of ASSIST is to make wearable technologies that can be used for long-term health monitoring, such as devices that track heart health or monitor physical and environmental variables to predict and prevent asthma attacks,” said researcher Daryoosh Vashaee, an associate professor at NC State. “To do that, we want to make devices that don’t rely on batteries. And we think this design and prototype moves us much closer to making that a reality.”

via:  techcrunch

Windows Trojan called DualToy has been discovered that can side load malicious apps onto Android and iOS devices via a USB connection from an infected computer.

Researchers from Palo Alto Networks said DualToy has been in existence since January 2015, and it originally was limited to installing unwanted apps and displaying mobile ads on Android devices. About six months later, the Trojan morphed and began targeting iOS devices by installing a third-party App Store in hopes of nabbing iTunes usernames and passwords.

“When DualToy began to spread in January 2015, it was only capable of infecting Android devices… We observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015. Later in 2016, a new variant appeared,” wrote senior malware researcher Claud Xiao in a technical description of the Trojan.

Researchers said once DualToy infects a Windows machine, it looks for the Android Debug Bridge (ADB) and iTunes, and downloads drivers for both if they’re missing in order to infect mobile devices once connected. “Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Xiao wrote.

Researchers say they have observed 8,000 unique samples of the DualToy variant to date, and add they can’t be sure how many mobile devices have been infected by the malware.

Risk of iOS attacks, at the moment, are negligible because the Apple App certificate needed to install the fake App Store installed by DualToy on iOS devices has expired, researchers said.

Palo Alto notes, during the past two years there have been similar cases of Windows and Apple iOS malware designed to attack mobile devices via side-loading techniques.

“This attack vector is increasingly popular with malicious actors… WireLurker installed malicious apps on non-jailbroken iPhones. The HackingTeam’s RCS delivered its spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones,” Xiao said.

So far, DualToy mainly targets Chinese users, but researchers say it has also infected users in the United States, United Kingdom, Thailand, Spain and Ireland.

Xiao said, in order for the Trojan to infect an iOS device the target must have already set up a trusted pairing relationship between the PC and the iPhone or iPad.

Researchers say its unclear how DualToy Trojan gets on Windows machines. But once DualToy is on a PC, it downloads from a command-and-control server a file called adb.exe, which is the standard Android Debug Bridge on Windows clients. But more recent variants of DualToy drop a custom ADB client, tadb.exe, onto a victim’s PC. The malware also downloads two installers AppleMobileDeviceSupport64.msi and AppleApplicationSupport64.msi, part of Apple’s official iTunes for Windows software.

On Android devices, DualToy installs several Chinese language apps that researchers suspect attackers are getting paid per install by game developers. On iOS devices, DualToy installs a fake iOS App Store used to try to trick users into divulging their iTunes username and password.

The use of a fake iOS App Store is not unique. “The app is yet another third party iOS App Store just like ZergHelper. It also has exactly the same behavior as AceDeceiver. When launched for the first time, the app will ask the user to input his or her Apple ID and password,” Xiao wrote.

via: threatpost

The majority would be completely clueless, according to Promon.

Would you be able to notice if your smartphone got infected with a virus, or if it was under any other kind of cyber-attack?  If you answered Yes, you’re in the 11 per cent minority. The rest, 89 per cent, wouldn’t know if their device has been infected through a cyber-attack.

These are the results of a new survey by app security specialists Promon. The company says this spells trouble for businesses, particularly. The majority of respondents (41 per cent) thinks just avoiding public Wi-Fi when accessing business critical data was enough to keep it safe, while 27 used some sort of security apps. However, there is almost a quarter (22 per cent) of users that have done nothing to protect their devices.

“This study has shown once again that consumers need to be educated about the growing mobile threat, but much more importantly, that businesses need to have a proactive approach and focus on safeguarding their customers’ sensitive data and systems,” commented Lars Lunde Birkeland, Head of Communication at Promon.

Almost half (43 per cent) of respondents relied on passwords to keep their smartphones safe, the report said, despite security experts’ warnings that they usually aren’t enough. The number of mobile viruses and other malware is also rapidly growing.

“This highlights the urgent nature of the problem. With the number of mobile vulnerabilities on the rise and users so unaware of the dangers, businesses are caught in the middle of the battlefield, and it is their own reputations that are at stake,” said Birkeland.

via: itproportal

US Food and Drug Administration is investigating charge that St. Jude medical devices can be exploited by hackers.

The U.S. Food and Drug Administration plans a “thorough investigation” of allegations about vulnerabilities in cardiac devices made by St. Jude Medical Inc, the agency’s official responsible for cyber security said on Thursday.

The FDA began its investigation in late August after short-selling firm Muddy Waters and cyber security firm MedSec Holdings Inc said they were betting St. Jude shares would fall, making allegations that its pacemakers and defibrillators have cyber security flaws that hackers could exploit to harm patients.

St. Jude responded by suing the companies, saying the allegations are defamatory and false.

“Regardless of the way a vulnerability comes to our attention, we take those allegations very, very seriously,” the FDA official, Suzanne Schwartz, said in a telephone interview. “We are putting all of our focus on making sure that we have an understanding of what these allegations are and do a thorough investigation of the claims.”

It was unprecedented for a cyber security researcher to publicize claims about cyber bugs as part of a short-selling strategy.

The approach also violated advice that the FDA issued in January in draft guidelines for dealing with cyber security vulnerabilities in medical devices. They urge researchers to work directly with manufacturers when they uncover suspected security bugs.

Schwartz said that vulnerabilities can typically be dealt with most efficiently when researchers work directly with manufacturers to address suspected problems. She said she hoped others would not follow the approach taken by Muddy Waters and MedSec.

via:  reuters

General Motors has been forced to recall over four million cars following a software defect linked to at least one death.

The bug forces the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test if it encounters certain driving conditions, according to the National Highway Traffic Safety Administration (NHTSA).

Doing so means the front air bags and “seat belt pretensioners” won’t deploy in the event of a crash, the agency claimed.

The affected vehicles are:

“Model year 2015-2017 Chevrolet Silverado 2500 HD, 3500 HD, Tahoe, Suburban, GMC Sierra 2500 HD and 3500 HD, GMC Yukon, GMC Yukon XL, Cadillac Escalade and Cadillac Escalade ESV vehicles and 2014-2017 Chevrolet Corvette, Silverado 1500, Trax, Caprice Police Pursuit Vehicle, GMC Sierra 1500, Buick Encore, and 2014-2016 Buick Lacrosse, Chevrolet Spark EV and SS vehicles.”

General Motors is set to notify owners of the affected models to take their car to their local dealer, who will reflash the SDM firmware free of charge.

Security researcher Scott Helme argued that it’s unacceptable for car manufacturers to build vehicles containing software which can’t be updated over-the-air (OTA).

He likened the situation to owning a laptop which can only get updates by taking it back to the shop where it was bought.

“As we increase the amount of software in any system we increase the likelihood of bugs being introduced. Unfortunately for GM it seems that they don’t have any OTA update capabilities and will now have to physically recall the 4.3 million vehicles for update, which likely carries a substantial financial cost,” he told Infosecurity.

“As vehicles continue to adopt more and more complex software systems I think it’s essential that they are able to receive OTA updates, especially in a case like this where the update is safety critical. GM could do a staged roll out and have the vehicles updated within a matter of days or weeks, compared to what is likely to be months or more for a recall, if some vehicles get recalled at all.”

via:  infosecurity-magazine

Basic security controls and malware-detection tools could have prevented the breach of more than 21 million records at the US Office of Personnel Management in 2015, claims a congressional report.

Basic security controls could have prevented the breach that exposed the personal data of more than 21 million current and former government employees, according to a congressional report.

The 2015 breach at the US Office of Personnel Management (OPM) included 19.7 million background investigation applications and 1.8 million non-applicants.

The breach was in addition to the 4.2 million records exposed in the first OPM breach in December 2014, which the report said was a missed opportunity to put effective defences in place.

The report by the House Committee on Oversight and Government Reform said the OPM failed to recognise from the 2004 breach that it was vulnerable to attacks by sophisticated, persistent adversaries, and failed to put in place the basic necessary security controls, reported Associated Press.

The congressional report said the OPM also failed to deploy security tools to detect malicious code and other threats quickly enough. When such a tool from security firm Cylance was eventually deployed, it found malware throughout the federal computers, according to an engineer quoted in the report.

In an interview, committee chairman Jason Chaffetz said that the breach was entirely preventable. “With some basic hygiene, some good tools, an awareness and some talent, they really could have prevented this,” he said.

The report stated that for two months after the first breach in March 2014, the OPM worked with the FBI, the National Security Agency (NSA) and others to monitor the intruder and developed a plan to expel the individuals or individuals responsible from the network, but they failed to detect another, possibly related, intrusion.

The second intruder used credentials stolen from a third-party contractor to log into the OPM network, install malware and create a back door to return several times in the following months to copy the data, which also included personnel files and fingerprint data.

OPM acting director Beth Cobert said in a statement that the agency disagrees with much of the report. The report “does not fully reflect where this agency stands today,” she said, adding that the hack “provided a catalyst for accelerated change” within the OPM, including hiring new cyber security experts and strengthening its security.

The OPM hack is widely believed to have been part of a China-based cyber espionage campaign, and although the report does not give any details about who was responsible, it said the breaches were likely perpetrated by the group Deep Panda, which has been linked to the Chinese military.

CESG director of cyber security Alex Dewdney told RSA Conference 2016 in San Francisco that the OPM hacks were “very scary” for those responsible for UK government cyber security.

“It scared people who had not thought much about cyber security,” he said, adding that this was really helpful because it resulted in the recognition by the UK government of the need to reform the role of its senior information risk office (Siro).

The breaches inspired a fast-paced survey of the UK government’s holdings of bulk data, said Dewdney, as well as a measurement of the extent government departments were adhering to a “fairly basic set” of control measures, which in turn led to remedial action.

via:  computerweekly

An exploding phone is by no means a good thing, but if it has to explode, it’s hard to think of a worse place for it to do so than on a plane. Well, not that hard, but it’s definitely a bad one. In the wake of the occasional combusting Galaxy Note 7 and its subsequent recall, the FAA has advised passengers to exercise caution when flying with the device.

The administration ruined Samsung’s afternoon with just 42 words:

In light of recent incidents and concerns raised by Samsung about its Galaxy Note 7 devices, the Federal Aviation Administration strongly advises passengers not to turn on or charge these devices on board aircraft and not to stow them in any checked baggage.

They didn’t even issue a statement like this when hoverboards were blowing up left and right — of course, airlines ended up banning them anyway. No word yet from the Consumer Product Safety Commission, which does the official recalls for troublesome devices like this.

Please, Galaxy Note 7 owners. Fly safe, and if you haven’t already started the process of swapping in your device for a new, less inflammable one, do so today.

via:  techcrunch