Monthly Archives: August 2017

Apple to remove home button in upcoming high-end iPhone, report says

The home button is headed to the trash bin, if a report by Bloomberg is to be believed. According to the report, Apple is ditching the button to make room for a larger screen in one version of the next iPhone. Instead of a home button, users will perform actions using on-screen gesture controls involving a sort of dock of icons.

If true this would be the biggest change in iPhone design since the launch of the device in 2007.

The home button has been a staple in iPhone design since the beginning. It’s used to wake a device, return to the app grid, and, more recently, for Touch ID fingerprint recognition. All those tasks would be performed differently if removed. However, the Bloomberg report carefully states only the high-end version of the upcoming iPhone is losing the home button, which jibes with other rumors from the past few months.


Instead of pressing a home button, users would interact with a thin software bar that can be moved around for different actions. Drag it to the middle of the screen to open the phone, or if in an app, activate the multitasking menu. Users can change apps or go back to the home screen, Bloomberg says. And it shouldn’t end there. If this report is true, Apple likely has cooked up all sorts of logical interactions for this software bar.

Apple has been foreshadowing the removal of the home button for some time. For the iPhone 7, it replaced the mechanical button with a non-moving version that simulates a click with tactile feedback. The iPad also recently gained an app menu reminiscent of OS X’s dock. Bloomberg uses this as an illustration of the upcoming iPhone changes.

This is just part of what’s set to be a radical redesign of the next iPhone. Other rumors state the iPhone could mute notifications when you’re looking at it, include face scanning technology that works even when the phone is on the table, and include a screen that fills the frame of the phone except for a little notch that houses sensors, cameras, and earpiece.

It’s rumored that Apple is preparing to launch three versions of the next iPhone. It’s unlikely all versions will lose the home button for several reasons. The iPhone is Apple’s best-selling device and the removal of the home button is likely to be met with controversy. There’s no reason to rock the boat for everyone. Plus, the high-end version of the next iPhone will likely have much slimmer margins than an upgraded iPhone 7. Apple has long used incremental updates combined with bi-yearly design changes to keep margins healthy and it’s unlikely that will change. However, following this formula, the home button will disappear from all versions in following releases in 2018 or 2019.

Whatever it looks like we’ll be onsite when Apple unveils the next iPhone on September 12 with complete coverage.


via: techcrunch

PayPal launches its first cash back credit card to boost PayPal usage in stores

PayPal is today launching a new credit card, the PayPal Cashback MasterCard – its first card to offer shoppers direct cash back on purchases, instead of points that vary by category. The card, introduced in partnership with Synchrony Financial, will offer 2 percent back on purchases, with no annual fee, no minimum redemption amount, no restrictions on how to spend cash rewards, and no expiration, the company says.

It will also include security protections from PayPal, as well as standard MasterCard benefits like extended warranty coverage, purchase protection, and identity theft resolution assistance. PayPal purchases, meanwhile, will receive PayPal Purchase Protection at no additional cost.

The card is only available to PayPal members, and it’s automatically added to users’ PayPal’s wallets, once approved. That means consumers can begin to use the card even before it arrives in the mail.

This is not the only credit card PayPal today offers, but it may become its most compelling in short order, especially given consumers’ preference for cash back cards.

The other cards include a PayPal Extras MasterCard for consumers that uses a more traditional 3-2-1 rewards points system, where you can earn more points for things like gas stations and restaurant purchases, as well as money spent on PayPal and eBay.

Ebay, which spun off from PayPal back in 2015, has a similar card that’s still managed by PayPal, alongside its other payment and credit offerings for eBay customers. Those also include PayPal Credit, an online credit line which can be used at businesses accepting PayPal.

The move to introduce a cashback card is part of PayPal’s quickly evolving strategy to increase its traction at point-of-sale, where mobile payments alternatives like Apple Pay, Android Pay, and Samsung Pay are gaining ground.

To that end, PayPal has been partnering across the industry – even with payments rivals like Apple, as well as bank issuers like Chase and Citibank, tech companies like Facebook, Google and Samsung, and those with their own digital wallets and checkout systems, like Baidu, Visa, and MasterCard.

PayPal, which today has more than 210 million users, hopes this new cash back card will help with its larger agenda to increase PayPal usage online and in stores.

“Cardholders can manage their accounts, redeem Cash Rewards and make payments by logging into their PayPal account, giving customers another reason to access and use their PayPal accounts,” a company spokesperson explains.

PayPal already knows that its cardholders use its service more often than others, which, in turn, increases the number of transactions per account. On average, PayPal customers who adopt a PayPal credit card spend 35 percent more than those without.

“Early results show that PayPal customers with a PayPal credit card log in to the PayPal mobile app and three times more often than before getting the card, creating more opportunities for engagement,” the spokesperson noted.


via: techcrunch

User Account Attacks Jumped 300% Since 2016 – Microsoft Report

Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management, researchers found.

Microsoft researchers detected a 300% increase in user accounts attacked over the past year, and 44% growth in the number of account sign-ins attempted from malicious IP addresses.

The data comes from Microsoft’s latest Security Intelligence Report (SIR) released today with data from Q1 2017, and discusses vulnerabilities, exploits, malware, and unwanted software. Intelligence comes from billions of security signals Microsoft processes in its consumer and enterprise services each month.

This report represents a couple of changes from the usual SIR. Data is split into two categories, cloud and endpoint, and represents a shorter timeframe of one financial quarter compared with the usual six-month window. Microsoft says it plans to share data on a more regular basis.

Here’s a closer look at the findings, gathered by Microsoft’s identity security and protection team:

Account compromise and cloud weaponization

With respect to the 300% jump in user account attacks, most were the result of weak, guessable passwords, followed by targeted phishing attacks and breaches of third-party services. As more sites are breached and passwords stolen, more attackers will attempt to reuse victims’ credentials on multiple websites.

“One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites,” the report states. Businesses can further cut their risk by telling users to adopt complex passwords, multi-factor authentication, and solutions for credential protection and risk-based conditional access.

The 44% spike in sign-in attempts from malicious IP addresses could be reduced with security policies focused on risk-based conditional access. Researchers suggest comparing requesting devices’ IP addresses to a set of known IP addresses and trusted devices.
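The check the researchers describe, as an added example that is not Microsoft's code or part of the report: each sign-in is compared against known corporate networks, registered devices and a denylist of malicious IPs, and the policy blocks, steps up to MFA, or allows. The networks, device ids, denylist and thresholds are constructed and hypothetical.

```python
"""Risk-based conditional access over constructed sign-in records.

Added example (hypothetical data): compares the requesting IP and device
against known networks, trusted devices and a malicious-IP denylist, as the
report recommends, and returns a policy decision per sign-in.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Constructed reference data: corporate egress ranges, registered device ids
# and a threat-intelligence denylist (all hypothetical, documentation ranges).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
TRUSTED_DEVICES = {"dev-1001", "dev-1002"}
MALICIOUS_IPS = {ip_address("192.0.2.77")}


@dataclass(frozen=True)
class SignIn:
    user: str
    src_ip: str
    device_id: Optional[str]   # None when the client sent no device identity
    mfa_available: bool        # whether the user has a second factor enrolled


def risk_signals(ev: SignIn) -> List[str]:
    """Return the signals that raise risk for one sign-in (empty = low risk)."""
    ip = ip_address(ev.src_ip)
    signals = []
    if ip in MALICIOUS_IPS:
        signals.append("malicious_ip")
    if not any(ip in net for net in KNOWN_NETWORKS):
        signals.append("unknown_ip")
    if ev.device_id not in TRUSTED_DEVICES:
        signals.append("untrusted_device")
    return signals


def decide(ev: SignIn) -> str:
    """Policy: block known-bad sources outright; require MFA when the IP or
    device is unfamiliar (block if no second factor exists); else allow."""
    signals = risk_signals(ev)
    if "malicious_ip" in signals:
        return "block"
    if signals:
        return "require_mfa" if ev.mfa_available else "block"
    return "allow"


def evaluate(events: Iterable[SignIn]) -> Dict[str, str]:
    """Map 'user@ip' to the decision for a batch of sign-ins."""
    return {f"{ev.user}@{ev.src_ip}": decide(ev) for ev in events}


# Constructed sample sign-ins covering each branch of the policy.
SAMPLE = [
    SignIn("alice", "203.0.113.10", "dev-1001", True),    # known net, trusted device
    SignIn("alice", "198.51.100.200", "dev-1001", True),  # outside the /25 -> unknown_ip
    SignIn("bob", "192.0.2.77", "dev-1002", True),        # denylisted source
    SignIn("carol", "203.0.113.10", None, False),         # unregistered device, no MFA
]

if __name__ == "__main__":
    for key, decision in evaluate(SAMPLE).items():
        print(f"{key}: {decision}")
```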

Attackers frequently compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning.

The Azure Security Center, which monitors for cloud weaponization, discovered 51% of outbound attacks involved communication with malicious IP addresses. Twenty-three percent were RDP brute force attacks, 19% were spam, 3.7% involved port scanning or sweeping, and 1.7% involved SSH brute force.

More than two-thirds of incoming attacks on Azure services came from IP addresses in China and the United States, at 35.1% and 32.5%, respectively. More than 89% of malicious IP addresses contacted by compromised Azure virtual machines were located in China; only 4.2% were located in the US.

Key business challenges in protecting against cloud attacks include mitigating unauthorized access to cloud accounts, and preventing attackers from using the cloud to gain a foothold, says Microsoft.

Global growth of ransomware

Ransomware attacks disproportionately hit customers in Europe compared with the rest of the world. In March 2017, targets included the Czech Republic (0.17%), Italy (0.14%), Hungary (0.14%), Spain (0.14%), Romania (0.13%), Croatia (0.13%), and Greece (0.12%), all of which had above-average ransomware rates for the month.

“Attackers evaluate several factors when determining what regions to target, including country GDP, average age of computer users and Bitcoin or available method of payment, among others,” a Microsoft spokesperson said. “Language of a region is also a major component. Outcomes depend on an attacker’s ability to personalize a message to convince a user to click through or run a malicious file.”

Ransomware overall is growing, as indicated by respondents in the Dark Reading Strategic Security Survey. Twenty-three percent of respondents reported falling victim to ransomware, a slight uptick from 20% the year prior.

“The prevalence of ransomware attacks necessitates that all companies have playbooks detailing how their security teams will identify and respond to a ransomware incident in both their production and corporate environments,” says Dr. Chris Pierson, CSO of Viewpost, adding how it’s imperative to both create and practice plans.

“When looking at the ransomware response, we must move beyond AV to more anomaly-based controls that can identify and stop the mass encryption of various devices and servers,” he adds. “We must also ensure the response includes the ability to stop lateral movement in the company.” Microsegmentation can help prevent this expansion.

Go phishing

Sites targeting online services made up the largest number of active phishing URLs during 1Q17. Those targeting financial institutions accounted for the second-largest share of attacks in Q1 and largest share of impressions for both February and March.

On a geographical level, countries hosting higher-than-average concentrations of phishing websites included Ukraine (13.2 per 1,000 hosts in March), South Africa (10.3), Indonesia (9.6), and Denmark (9.7). Regions with low concentrations included China (0.6), Taiwan (0.6), Korea (0.7), and Mexico (1.2).

A phishing study from Imperva discovered most attackers don’t hesitate to click links or open documents. Most neglect to use sandboxes or anonymity services to cover their tracks, giving outsiders the ability to track them.

“Timely detection of the credential theft, either by the victim or by his organization, and taking measures to re-protect the account, in this case revoking the password, reduce dramatically the chances of the account being actually hacked,” says Luda Lazar, cyber threat researcher at Imperva.

Malware impressions were more common than phishing impressions during Q1. There were 381 malware impressions per 1M pageviews in March, compared with 13.0 phishing attempts for the same amount of pageviews. Malware primarily affected Hungary, Egypt, and Indonesia.

China, which had a comparatively low concentration of phishing sites, had one of the highest levels of malware hosts, with 45.9 malware hosting websites per 1,000 hosts. Other hotspots for malware hosting included Singapore (21.6), Ukraine (19), and Hong Kong (18.9).


via: darkreading

50% of Ex-Employees Can Still Access Corporate Apps

Businesses drive the risk for data breaches when they fail to terminate employees’ access to corporate apps after they leave.

When employees are terminated or move on to new roles, they’re often taking access to corporate data with them. For some companies, this access leads to a data breach.

Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren’t doing enough to protect against the threat of ex-employees.

Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.

Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees’ accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don’t know how long accounts remain active after workers leave.

“The value of the data at risk is higher than ever,” says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.

“The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent,” he adds.

The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops — spreadsheets, processors, general ledgers. Then they began to transition to cloud services.

“Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud.”

Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commission, ledgers, marketing, purchasing, paying invoices, doing expenses. As the surface area expands, companies have to deprovision 20 to 30 applications per worker instead of the usual four or five.

“There’s this proliferation of applications,” Hoyos continues. “Because of that, the risk has increased exponentially.”

Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.

Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees’ knowledge.

Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).

The amount of time it takes to deprovision an employee depends on how many applications they used and how long they’ve been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.
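The gap the survey measures, as an added example that is not OneLogin's code or part of the article: an offboarding reconciliation that joins an HR termination list against per-application account exports and reports every ex-employee account still active, bucketed by the survey's own thresholds (within a day, within a week, longer) plus "unknown" where an application gives no status. The record formats, users and dates are constructed.

```python
"""Offboarding reconciliation over constructed HR and application records.

Added example (hypothetical data): flags terminated users whose accounts are
still active in each application, and how long after departure, so the
deprovisioning backlog the survey describes becomes visible per app.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: user -> termination timestamp.
TERMINATED: Dict[str, datetime] = {
    "alice": datetime(2017, 8, 1, 17, 0),
    "bob": datetime(2017, 8, 10, 9, 0),
    "carol": datetime(2017, 8, 14, 12, 0),
}

# Constructed per-application account exports: app -> {user: status}.
# "active" means the account can still sign in; None means the export lists
# the user but reports no usable status (the "don't know" case in the survey).
# A user absent from an app never had an account there.
APP_ACCOUNTS: Dict[str, Dict[str, Optional[str]]] = {
    "crm":     {"alice": "active",   "bob": "disabled", "carol": "active"},
    "storage": {"alice": "active",   "bob": "active",   "carol": None},
    "ledger":  {"alice": "disabled", "bob": "disabled"},
}


def bucket(elapsed: timedelta) -> str:
    """Bucket time-since-departure by the survey's reporting thresholds."""
    if elapsed <= timedelta(days=1):
        return "within_1_day"
    if elapsed <= timedelta(days=7):
        return "within_1_week"
    return "over_1_week"


def stale_accounts(now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, app, bucket) for every terminated user whose account is
    still active, or 'unknown' where the app export gives no status."""
    findings = []
    for user, left_at in TERMINATED.items():
        for app, accounts in APP_ACCOUNTS.items():
            if user not in accounts:      # never provisioned here
                continue
            status = accounts[user]
            if status == "disabled":
                continue
            if status is None:            # needs a manual check
                findings.append((user, app, "unknown"))
            elif status == "active":
                findings.append((user, app, bucket(now - left_at)))
    return findings


def summary(now: datetime) -> Dict[str, int]:
    """Count of still-active ex-employee accounts per bucket."""
    return dict(Counter(b for _, _, b in stale_accounts(now)))


if __name__ == "__main__":
    check_time = datetime(2017, 8, 15, 9, 0)   # constructed review time
    for user, app, b in stale_accounts(check_time):
        print(f"{user:6} {app:8} {b}")
    print(summary(check_time))
```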

“There are several ways to mitigate, prevent, and protect against insider threats,” says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.

With respect to access control, it’s best to use industry standards for authentication such as LDAP, PKI, Kerberos, and two-factor authentication, implemented at the organization level, to ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.

Monitoring data to see how it’s updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.

“This is very difficult and this is one reason why there are so many data breaches today,” Thomassen adds.

Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.

Verizon’s Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it’s unsanctioned snooping (17%) or taking data to a new employer to start a rival company.


via: darkreading

Facebook adds new ways to revisit your memories and milestones

Facebook today is expanding on the popularity of its two-year old “On This Day” sharing prompt, with the addition of new features that let users revisit their memories, as well as celebrate milestones related to their friendships on the social network. While “On This Day” provides a look back in time, starting with memories from the same day last year, two new options will instead focus on your more recent memories.

The company will now begin to bundle your past posts into monthly or seasonal sharing prompts. For example, you might see recap stories for things like your summer memories or your January memories.

Like “On This Day,” these new sharing prompts are private to you, unless you choose to post them to your Facebook profile. They’ll also appear in your News Feed, where you’ll see the collection of photos Facebook has picked for you along with the “Share” button below.

The recap feature arrives at a time when Facebook is struggling with consumer adoption of its Snapchat Stories clone, which unlike Instagram Stories, has not taken off. Facebook even began showing grayed-out images of friends’ photos earlier this year in Stories, in an effort to increase usage.

Facebook believes that Stories is simply a new sharing format that every network will eventually offer. However, many people think of Facebook as a more permanent record of life events, thanks to its ability to surface old memories and to search or scroll back through timelines to see historic personal moments, like the date you got married, started a new job, moved to a new home, and so on.

That’s why a recap feature makes more sense for Facebook, as opposed to the recency associated with Stories. It’s a better fit for a network that’s encouraged people from day one to document what matters in their lives, not what’s disposable.

In addition to this, Facebook is also today launching new friendship milestones. While the social network already allows users to celebrate their friendship anniversaries on Facebook with playful posts and videos, these new moments will focus on notable achievements – like when the number of friends you have hits a nice, round number like 100, or when your posts have been liked 1,000 times, for instance.

These messages are shown only to you, and are oddly not shareable at launch. However, Facebook says that will change in the future.

Meanwhile, “On this Day” is now finally available to all on Facebook, the company also says. Facebook has improved its filtering process to keep those memories associated with negative events or feelings from popping up in its suggestions, it notes.

Features like these are minor updates in the grand scheme of things, but they have a larger goal: to keep users posting to Facebook.

Last year, there were reports detailing how Facebook sharing – specifically “organic sharing,” meaning personal updates – was in decline. Since then, Facebook has made a number of changes to make sharing and participating more engaging, as with the rollout of colored backgrounds for status updates, support for GIFs in comments, among other things.

Facebook says the new features are rolling out now, and will be expanded to include more prompts in the months ahead.


via: techcrunch

Tesla’s electric semi truck will reportedly get 200 to 300 miles per charge

Tesla’s already announced plans to reveal at an event in September an all-electric semi truck designed for cargo hauling, but we don’t know much about it beyond that yet. Now, Reuters reports that the vehicle will get between 200 and 300 miles of range per charge, which means it can manage medium-length routes without much issue.

As the report notes, this doesn’t put the Tesla semi in direct competition with long-haul fuel-powered rigs; those can go upwards of 1,000 miles on a single tank. But 300 miles is still long enough for a decent chunk of routes considered at the entry-level of the “long haul” category.

Tesla has said it’s working directly with potential customers and talking to them about their needs in developing the electric semi truck, and Tesla CEO Elon Musk has said he’s optimistic about their interest for what Tesla will ultimately reveal. The truck will also apparently feature self-driving capability, according to an earlier Reuters report. Tesla has met with state DMVs regarding potential tests of autonomous big rig technology.

Cost will be a huge deciding factor in how attractive the Tesla truck is as an option to commercial logistics companies. Batteries that could support that length of range for heavy loads would likely be extremely expensive, but Tesla will probably sell the idea on long-term savings in terms of maintenance requirements and fuel costs.

We’ll find out soon enough what the actual range is for the Tesla semi, as the plan still seems to be to unveil it fully in September. Self-driving could also help Tesla sell the idea, especially since it sounds like Musk anticipates at least a year or two until the vehicle enters production at scale.


via: techcrunch

Why Cybersecurity Needs a Human in the Loop

It’s no longer comparable to Kasparov versus Deep Blue. When security teams use AI, it’s like Kasparov consulting with Deep Blue before deciding on his next move.

A typical cybersecurity analyst is never short of work, a lot of which can be futile. According to a 2015 Ponemon Institute study, by the end of the year the average security operations center has spent around 20,000 hours just on chasing alerts that prove to be false alarms. Traditional security systems generate a lot of noise that needs to be waded through, which creates even more work. At the same time, a vast pool of security information is published across multiple media in natural languages that can’t be quickly processed and leveraged by these systems.

Cognitive security, or artificial intelligence, can “understand” natural language, and is a logical and necessary next step to take advantage of this increasingly massive corpus of intelligence that exists. These solutions, which have recently come into the market from a number of vendors including IBM Resilient, can be effective in all functions of cybersecurity, but perhaps none more so than in the response phase. Here the key metric is how quickly your team can mitigate the threat and get back to normal operations. Pairing humans and cognitive security solutions will help make sense of all this data with speed and precision, accomplishing response in a fraction of the time. 

But using cognitive solutions is not about man vs. machine. To borrow from an earlier era of artificial intelligence, it’s not as much Kasparov vs. Deep Blue as it is Kasparov consulting with Deep Blue before deciding on his next move against an unknown opponent. Defense works best when people and machine work together.

There are three fundamental reasons why this is true, especially when responding to a cyber incident:

  1. Level playing field: Cyber attacks and their breaches aren’t executed by technology; they’re the work of human beings. Therefore, it’s good business sense to level the playing field by having real humans on the other side of this. It’s even been referred to as “hand-to-hand combat.” This symbiosis between cognitive technology and human being is crucial and will ensure your organization is best equipped to respond.
  2. Information curation: While cognitive solutions can process information in nanoseconds and make key suggestions, not all information is relevant. Systems need to accept input from the analyst to set the broader context of an incident. They also need to be able to describe and document their findings and remediation steps and rank the information, Spotify-style, to separate what was relevant from any red herrings. This all helps to inform the next suggested response.
  3. Risk of false positives: The cost of a cyber attack is well researched, but the cost of a false positive is more elusive. Consider a penetration test: an automated incident response system may see what looks like an attack on the database and shut it down. This kind of decision is a high-stakes scenario that needs a human in the loop.

AI-Assisted Incident Response & the Skills Shortage
Another key benefit: artificial intelligence will help address the talent management issue of “infosec burnout.” One analyst who documented how long it takes to fill open senior-level security positions theorizes that people bail early in their security careers after getting a taste of what the job is all about. Stress in this job is real but can be reduced if analysts work at a more strategic level by curating, not just reacting, and by consulting with a cognitive system that can share what others have done.

In the face of an increasingly hostile environment, keeping humans in the loop and backing them up with a data-rich cognitive system is what will give businesses their best shot.


via: darkreading

The Responsibility of Everyone – Cybersecurity

The battle against cybercrime can only be won if we’re all focused on the same goals. Here are four ways you can get involved.

Governments, businesses, and citizens around the world face an ever-increasing risk from cyberthreats. Recently, the WannaCry ransomware attack wreaked global havoc, affecting an estimated 200,000 organizations across 150 countries. Such attacks — which work by encrypting data until an organization or individual pays a ransom — are becoming more common, despite the best efforts of software companies, information security specialists, and government and law enforcement agencies to prevent them.

A recent Accenture survey of 2,000 cross-industry security executives revealed that roughly one in three targeted breach attempts are successful. Although the public sector shoulders the brunt of cybercrime activity — 50 times more attacks were launched against government in 2016 than any other industry — everyone, from corporate executives to consumers, has a role to play in preventing future attacks. Here are some ways to take action.

Understand the risks: Email has become one of the most common mechanisms by which security threats are delivered to unsuspecting recipients, in government, industry, and the general public. These threats, which often appear in the form of malicious attachments or links to harmful websites, are becoming increasingly sophisticated, so much so that even practiced security experts are now challenged to identify harmful content.

An Accenture survey of 5,400 citizens across six countries (the US, UK, Australia, Singapore, France, and Germany) found that 61% of respondents are concerned about identity theft and phishing when using digital services, and for 49%, a fear of financial-related fraud is causing them to limit their use of online services.

To reduce the number of people falling prey to such cybercrimes, government must help build user awareness, especially among more vulnerable populations. At the same time, increased efforts by Internet service providers to identify malicious payloads and links in email traffic will help lower the number of successful cyber attacks. For employers, this means training employees to recognize digital dangers at work and providing guidance on how to respond if an employee believes he or she is a victim. As a key part of this, employers should conduct regular checks to assess both employee adoption of and adherence to data security guidelines and policies. Software companies must also examine their role in driving threat awareness among customers, working in tandem with government and other industry stakeholders.

Adopt new security technologies and processes: Many PC users rely on outdated operating systems or fail to install updated antivirus software and security patches. Even those with up-to-date systems often ignore security alerts. While adopting a proactive approach will always be a key challenge within the general public, that can easily be addressed within the workplace. Employers must reinforce security behaviors for employees while enhancing existing security protocols to help employees cope with increasingly sophisticated cyber attacks. For example, strengthening email controls and passwords, and utilizing stronger spam filters can prevent malicious correspondence from reaching employees.

New cloud technologies can also improve security, including the use of cloud-based email analytics solutions to identify and quarantine known threats. Artificial intelligence (AI) and biometrics must also play a part. AI can dramatically increase security in IT environments by using behavioral profiling to detect anomalies that may indicate a threat.

Recently, there has been a dramatic upswing in research and development around how AI, machine learning, and predictive and behavioral analytics can be used to confront evolving threats. Citizens support these changes; recent research from Accenture found that two-thirds of US citizens (66%) said they would be willing to sacrifice convenience for increased data security, and nearly half (47%) support the use of biometric technologies to verify identity and enable secure access to services.

Secure IoT devices: While most citizens (53%) view Internet of Things technologies as a positive development in daily life, there are significant security considerations. First, when deploying IoT technologies, users must understand and prepare for associated security risks. Second, as the IoT (and the industrial IoT) becomes an integral part of critical national infrastructure, governments must develop defense and security measures to address threats. From a commercial perspective, device manufacturers must build security into their products, applications, and solutions to provide added protection and resilience.

Utilize citizen support: Some government agencies and private companies have begun to leverage citizen support to enhance cybersecurity defenses. Accenture’s survey identified a strong desire among citizens to work with government to fight cybercrime and ensure data privacy and security. More than half of respondents (58%) said they would undertake national service of some kind to support security efforts, and 49% said they are willing to work for their national defense agencies to help secure citizen data and protect critical national infrastructure.

Bug bounty programs are another innovative way to harness citizen support to protect IT systems and infrastructure. A bug bounty program refers to an arrangement in which websites and software developers recognize or compensate individuals for reporting bugs or other vulnerabilities. These programs originated with software companies but have since expanded and are now used by government agencies. During the 2016 “Hack the Pentagon” event, nearly 140 vulnerabilities were reported to the US government.

In the UK, the National Cyber Security Centre (NCSC) recently launched its Vulnerability Co-ordination Pilot to facilitate public reporting, while both the NCSC agency in the Netherlands and the Australian Cyber Security Centre (ACSC) run similar programs. Crowdsourcing cybersecurity allows government and private-sector organizations to leverage a much wider range of expertise than any one entity alone could hope to possess.

In today’s connected world, government, citizens, employees, and technology industry stakeholders must all be actively involved in preventing and fighting digital threats. Effective cybersecurity depends on all stakeholders working together to understand, prevent, and respond to these attacks. Although incidents like WannaCry will still occur, together we can help limit their impact.


via:  darkreading

What CISOs Need to Know about the Psychology behind Security Analysis

Bandwidth, boredom and cognitive bias are three weak spots that prevent analysts from identifying threats. Here’s how to compensate.

Even if you have dozens of point security products, security analysts are still your final line of defense. You’ve tasked them with evaluating the thousands of events your security products generate to determine whether something harmful is lurking in your environment. This is a daunting responsibility in the face of expanding data volumes.

To put it into perspective, a recent Ponemon Study shows that in a typical week, an organization may receive 17,000 malware alerts. If the company has three to five dedicated security analysts, each would have to review nearly 3,000 to 5,000 alerts per week.

Analysts, being human, have three weak spots, and they and their managers must be aware of them to avoid missed threats.

Bandwidth
The process of investigating each security alert tends to be boring, but the volume of such events continues to increase at an unprecedented rate. Hiring to keep up isn’t a viable option because of skill-set and budget constraints. As a result, analysts are overwhelmed with the number of alerts they must process every day. This fatigue leads to individuals rushing through investigations, with a strong tendency to skip key steps, thus increasing the probability of missed breaches.

Boredom
The nature of security operations (SecOps) is that the system evaluates millions or billions of events each day, and only a tiny percentage are suspect. Of those, analysts review thousands and only a few merit further escalation. Boredom leads to complacency, which leads to low job satisfaction, contributing to lower performance and higher attrition. The key is to automate much of the routine workflow, so that you keep analysts focused on investigating real problems.

Cognitive Biases
The third weakness is micro in nature: the cognitive biases that all humans struggle with in making diagnoses and prescribing solutions. Cognitive bias is an area of study that often arises in the context of financial trading and medical diagnosis. It is relevant to cybersecurity because it affects not only how many evaluations can be made per unit of time, but also the quality of those evaluations. Security analysts face the following cognitive biases:

  1. Anchoring is the tendency to rely too heavily, or “anchor,” on one trait or piece of information when making decisions (usually the first piece of information acquired on a subject). It’s not uncommon for SecOps teams to inadvertently have a narrow focus on daily activities. Hence, they may miss intrusions because they anchored on the likely source of a given pattern in the data and didn’t consider every alternative.
  2. Availability heuristics refers to the tendency to overestimate the likelihood of events with greater “availability” in memory, which can be influenced by how recent the memories are or how unusual or emotionally charged they may be. One of the issues we return to often is that there is so much data to evaluate that a holistic view of the threat landscape is impossible for a single person to hold in his or her head. Another issue is that analysts will make inferences about the entirety of the data set based only on the events they’ve reviewed.
  3. Confirmation bias is the tendency to search for, interpret, focus on, and remember information in a way that confirms one’s preconceptions. An example of this is in the most boring data set anyone could imagine: VPC Flow logs. I recently challenged one of our teams to find intrusion patterns in a data set of VPC logs and immediately got the response, “Of course there won’t be anything in there — there never is.” When we looked, we found some servers that were wide open to public scanning, as well as some other problems. It’s critical to always check and check again.
  4. Clustering illusion is the tendency to overestimate the importance of small runs, streaks, or clusters in large samples of random data (that is, seeing phantom patterns). It’s hard to get people to think in terms of statistical significance, even with the aid of powerful tools. So it’s not surprising when SecOps teams become convinced there is something there when there isn’t. Other biases lead to false negatives, while the clustering illusion leads to false positives.
  5. Inattentional blindness is the failure to notice something in plain sight because of cognitive overload. For security analysts, the excessive stimulus is the volume of data to sift through. During the alert triage process, there is a tendency to rely on mental shortcuts that effectively cause analysts to miss obvious critical signals.
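Items 3 and 4 above describe two opposite failure modes: assuming a dull data set such as VPC Flow Logs holds nothing, and reading significance into a small cluster. The script below is an added example, not code from the article or from any vendor. It parses constructed VPC Flow Log lines in the default (version 2) field order, lists hosts that ACCEPTed inbound traffic from external sources on several distinct ports (the "wide open to public scanning" pattern), and runs a Poisson tail test against an assumed baseline rate before treating a host's source count as unusual. The sample lines, the thresholds, the baseline rate, and the definition of "internal" address space are all assumptions made for the example.

```python
"""Triage helper for AWS VPC Flow Logs (default v2 format) with a
significance check against over-reading small clusters.

Added example, not code from the article. Log lines below are constructed;
thresholds and the baseline rate are assumptions, not published guidance.
"""
import ipaddress
import math
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 10.0.1.5 accepts from several external sources on
# several ports; 10.0.1.9 sees ordinary traffic; one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51000 22 6 3 180 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51001 3389 6 4 240 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.5 51002 8080 6 2 120 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.45 10.0.1.5 51003 5432 6 2 120 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.99 10.0.1.5 51004 23 6 1 60 1500000000 1500000060 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.2.20 10.0.1.9 40000 443 6 10 5000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 198.51.100.7 10.0.1.9 40001 443 6 10 5000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 203.0.113.200 10.0.1.9 40002 22 6 10 5000 1500000000 1500000060 REJECT OK
2 123456789012 eni-0c9d8e7f - - - - - - - 1500000000 1500000060 - NODATA
"""

# Address space treated as internal for this VPC (an assumption):
# RFC 1918 plus loopback and link-local. Everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_flow_log(text):
    """Parse default-format records into dicts; drop malformed lines and
    NODATA/SKIPDATA records, whose address and action fields are '-'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["action"] in ("ACCEPT", "REJECT"):
            records.append(rec)
    return records


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def accepted_external_exposure(records):
    """Per internal destination host: distinct external sources and distinct
    destination ports that the security group / NACL actually ACCEPTed."""
    exposure = defaultdict(lambda: {"sources": set(), "ports": set()})
    for rec in records:
        if rec["action"] != "ACCEPT" or not is_external(rec["srcaddr"]):
            continue
        if is_external(rec["dstaddr"]):
            continue  # outbound flow; only inbound exposure matters here
        exposure[rec["dstaddr"]]["sources"].add(rec["srcaddr"])
        exposure[rec["dstaddr"]]["ports"].add(int(rec["dstport"]))
    return exposure


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): how surprising k events are given a
    baseline rate. A guard against the clustering illusion."""
    if k <= 0:
        return 1.0
    cdf = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)


def wide_open_hosts(text, min_ports=3, min_sources=3, baseline_rate=1.0, alpha=0.05):
    """Hosts accepting from several external sources on several ports whose
    source count is also unlikely under the baseline. Thresholds and the
    baseline rate are assumptions; derive the baseline from a long history
    window in practice."""
    exposure = accepted_external_exposure(parse_flow_log(text))
    findings = {}
    for host, ex in sorted(exposure.items()):
        n_src, n_ports = len(ex["sources"]), len(ex["ports"])
        p = poisson_tail(n_src, baseline_rate)
        if n_ports >= min_ports and n_src >= min_sources and p < alpha:
            findings[host] = {"sources": n_src, "ports": sorted(ex["ports"]),
                              "p_value": round(p, 4)}
    return findings


if __name__ == "__main__":
    for host, f in wide_open_hosts(SAMPLE_LOG).items():
        print(f"{host}: {f['sources']} external sources accepted on ports "
              f"{f['ports']} (p={f['p_value']})")
```

Only ACCEPTed flows count toward exposure, so a host that merely gets probed and rejects everything is not reported; the port-spread threshold and the Poisson test together stop a single busy but legitimate service, or a couple of chance hits in a short window, from being mistaken for an exposed host.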

Overcoming Boredom, Bandwidth, & Biases
Here are some items every SecOps leader should consider to mitigate the tendencies above:

  • Make jobs more interesting by assigning meaningful projects that go beyond the routine — for example, researching and implementing a new solution. Empower analysts with greater decision-making authority.
  • Assign each analyst an area of expertise, such as the Web, networking, etc., with collaboration across analysts during investigations. This mitigates the “availability heuristic” because no one analyst feels the need to be an expert across all systems.
  • Free up bandwidth by automating every process that can be automated. This doesn’t mean replacing analysts but, rather, empowering them to do more of what they do best while automating areas in need of support.
  • Create regular open forums with internal and external teams, as well as peer reviews, to discuss actions and results, what worked, and what didn’t. This helps avoid several biases, including confirmation bias and inattentional blindness.
  • Have junior analysts shadow senior analysts for a few hours a week to grow expertise and contextual awareness, as well as to avoid the clustering illusion.

via:  darkreading

6 Ways CISOs Can Play a Role in Selling Security

When customers ask tough questions about data security, business service resilience, privacy, regulatory, and reputational risk, it’s best to remain upbeat and positive. Here’s how.

Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers understandably question the resilience of products and services. Even businesses outside of the tech industry face scrutiny from customers and major suppliers since all organizations now collect, store, and process sensitive information such as industrial secrets, financial information, and personally identifiable information.

Some customers also question the resilience and availability of critical business services and rightly probe to discover privacy, regulatory, and reputational risk associated with IT offerings. CISOs need to be able to respond to concerns with confidence, clarity, and candor. This means not being defensive about tough questions, but rather remaining upbeat and positive. Remember, this is sales, not an audit. Here are six ways the security team can support sales:

1. Prepare a Frequently Asked Questions (and Answers) list
Include things like a breakdown of your security team, a list of policies, and an overview of the security controls and architecture. If you’ve been asked a question by a customer more than twice, it should go on the FAQ. In my stints as a CISO, my FAQ was nearly a dozen pages long. A well-written FAQ can also help your sales team answer customer questions and complete requests for proposals (RFPs) without having to consult you. The bonus of having such a document is that you get to pose the right kinds of questions in the proper manner, reducing irrelevant and confusing lines of inquiry.

2. Make your audit reports available
If you’ve completed an audit then, by all means, show it off to your customers. The key is to provide the material before you’re asked, because you’re that confident in your security program. Have copies of the report printed and bound so you can hand them out to customers. If it wasn’t a perfect audit, then accompany the report with your written response to the findings. Some audit reports may require non-disclosure agreements (NDAs) before you can release them, so be sure to bring printed copies and have the customer sign them. If you don’t have an audit report to share, then consider sharing other types of reports, such as vulnerability scan, penetration test, audit, and code scan reports. Whatever information you feel comfortable sharing will be relevant and credible to your customers.

3. Write a summary of the regulatory requirements you comply with and why
If your organization is covered by security compliance requirements (and it probably is), then show each requirement and the corresponding controls. This may be covered in your audit report (see #2), but if it isn’t, write it up.

4. Prepare a security sales presentation deck
Tailor your deck specifically for a customer audience and include a dozen or so slides describing your security program. This should include things like your security principles, major controls, architecture with diagrams, audit history, and an organizational chart of the security team. If you can, add a slide or two about plans for any cool new controls that are in the works for the future. Customers love to see that. Create different versions of the deck, one for engineers, one for conferences, and one for executives, because each audience is interested in different things.

5. Be prepared to share scrubbed security response plans
Lots of customers wonder how their vendors will handle various crises. Be ready with a proactive answer. Share with them your response plans for incidents, security vulnerabilities in your software, outages, pandemics, and breaches. If you can’t share details, summarize the scenarios that are covered and give an outline of your plans. Don’t forget to include a summary report on the last test of the response plan you completed.

6. Write a few security white papers
White papers are great tools for the sales team to start conversations with customers. You can dash off half a dozen pages on how you protect the company or its products. You could delve into how you’ve implemented best practices around authentication, authorization, and accounting (AAA), change control, secure development, or business continuity. Make it informative and authoritative; a few easy-to-read diagrams and graphs are a nice addition, as well.

If these ideas aren’t enough, look to the giant companies to see what they do. I’m sure there’s an idea or two you could glean from them. Just pick a major tech vendor and search on their name plus security or compliance. Lastly, don’t forget to stamp “restricted” on every one of these documents. You don’t want to share them with the bad guys.


via:  darkreading