Monthly Archives: August 2018

Will Google’s Titan security keys revolutionize account security?

Google wants its Titan security keys to be the new standard in two-factor authentication. Find out how to get and use Titan security keys.

Google’s Titan security keys are now available in the Google Store for businesses and individuals. If Google gets its way, the Titan keys will be the new standard in two-factor account protection.

The tiny Titan keys, which come in USB and Bluetooth form factors, were designed by Google to give users “a complete solution option from Google itself,” said Google’s Sam Srinivas.

Authentication keys are nothing new, nor is the FIDO authentication framework that Google has built Titan around. What is new is a company as big as Google marketing and selling its own hardware key. With as large a market as Google has, the Titan could be the hardware key that finally replaces vulnerable two-factor authentication (2FA) methods.

Second factors: Still vulnerable

Phishing attacks are growing in sophistication, and with that growth come new methods for subverting two-factor authentication. One-time passwords are increasingly phished, websites that masquerade as legitimate login portals can steal 2FA codes, and some methods simply avoid triggering the second login factor altogether.

With 41.6% of all account breaches attributable to phishing, password theft, and pretexting, Google thought it was evident that typical second authentication factors weren’t doing their jobs.

Hardware security keys, on the other hand, require the user to physically possess a device linked to their account at the time of login; no reusable secret such as a code is transmitted, which significantly improves security. In fact, Google Cloud product manager Christiaan Brand said that Google hasn’t had any “reported or confirmed account takeovers due to password phishing since we began requiring security keys.”

How Titan security keys work, and why the keys are a good solution for businesses

Titan security keys use the FIDO Universal Second Factor (U2F) protocol, which relies on public key cryptography. Adding a Titan device to an account registers a public key with that account; at login the Titan device signs a challenge with the matching private key, which never leaves the device, and the service verifies that signature with the registered public key.

Titan keys also protect against phishing attacks from fake login portals—even with a compromised password a Titan-enabled account is still protected. When a user logs in to a fake portal, Google said, the key will know that it isn’t a legitimate website and will stop the login process immediately.

Don’t assume that Titan keys are only usable with Google accounts—the FIDO protocol is a popular one that works with a multitude of websites and applications. Any website that supports U2F will work with a Titan key.
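The phishing resistance described above comes from what the key signs: the hash of the origin (the U2F "app ID") is part of the signed data, the browser fills in the page's real origin, and the key refuses to use a key handle that was registered for a different origin. The following is an added, self-contained illustration of that exchange, not Google's or the FIDO Alliance's code. It keeps the real U2F signed-data layout (sha256(appId) || flags || counter || sha256(clientData)) but stands in an HMAC for the ECDSA P-256 signature so it runs offline with only the standard library; the origins, user name and key material are constructed for the example.

```python
"""U2F origin binding, replay and counter checks: an added stand-alone example.
HMAC replaces the ECDSA P-256 signature (assumption for offline use); the
origins and user are constructed."""
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://accounts.example.test"          # constructed relying-party origin
PHISH_ORIGIN = "https://accounts-example.test.evil"  # constructed look-alike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class U2FToken:
    """Toy security key. A real key derives an ECDSA key pair per registration;
    here the registration secret doubles as the 'public key' given to the
    relying party (HMAC stand-in)."""

    def __init__(self):
        self._registrations = {}   # key_handle -> (app_id_hash, secret)
        self._counter = 0          # monotonically increasing use counter

    def register(self, app_id: str):
        key_handle, secret = os.urandom(16), os.urandom(32)
        self._registrations[key_handle] = (sha256(app_id.encode()), secret)
        return key_handle, secret

    def sign(self, app_id: str, key_handle: bytes, client_data: bytes):
        app_id_hash = sha256(app_id.encode())
        registered_hash, secret = self._registrations[key_handle]
        # The key handle is bound to the origin it was registered for, so a
        # page at another origin cannot use it even if it relays the real challenge.
        if registered_hash != app_id_hash:
            raise ValueError("key handle not registered for this app id")
        self._counter += 1
        flags, counter = b"\x01", struct.pack(">I", self._counter)  # user presence, counter
        signed = app_id_hash + flags + counter + sha256(client_data)
        return flags, counter, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_get_assertion(token, page_origin, key_handle, challenge):
    """The browser writes the page's own origin into clientData; a page cannot choose it."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    flags, counter, sig = token.sign(page_origin, key_handle, client_data)
    return client_data, flags, counter, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.users = {}       # user -> {"handle", "pub", "counter"}
        self.pending = {}     # user -> outstanding challenge (single use)

    def issue_challenge(self, user):
        self.pending[user] = os.urandom(32).hex()
        return self.pending[user]

    def verify(self, user, client_data, flags, counter, signature):
        rec = self.users[user]
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return "origin mismatch"
        if data.get("challenge") != self.pending.pop(user, None):
            return "unknown or reused challenge"
        signed = sha256(self.origin.encode()) + flags + counter + sha256(client_data)
        expected = hmac.new(rec["pub"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        n = struct.unpack(">I", counter)[0]
        if n <= rec["counter"]:
            return "counter did not advance (cloned key?)"
        rec["counter"] = n
        return "ok"


def run_scenarios():
    token, rp = U2FToken(), RelyingParty(RP_ORIGIN)
    handle, pub = token.register(RP_ORIGIN)
    rp.users["alice"] = {"handle": handle, "pub": pub, "counter": 0}
    results = {}
    # 1. Legitimate login on the real site.
    chal = rp.issue_challenge("alice")
    assertion = browser_get_assertion(token, RP_ORIGIN, handle, chal)
    results["legit"] = rp.verify("alice", *assertion)
    # 2. Replay of that captured assertion: the challenge was already consumed.
    results["replay"] = rp.verify("alice", *assertion)
    # 3. A phishing page relays the real challenge; the key refuses to sign for it.
    chal = rp.issue_challenge("alice")
    try:
        browser_get_assertion(token, PHISH_ORIGIN, handle, chal)
        results["phish"] = "signed"
    except ValueError:
        results["phish"] = "key refused"
    # 4. Forged clientData claiming the real origin cannot be signed without the key.
    forged = json.dumps({"typ": "navigator.id.getAssertion", "challenge": chal,
                         "origin": RP_ORIGIN}, sort_keys=True).encode()
    results["forged"] = rp.verify("alice", forged, b"\x01", struct.pack(">I", 99),
                                  os.urandom(32))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:7s} -> {outcome}")
```

The four scenarios show why a stolen password plus a relayed challenge is not enough: the key will not sign for the look-alike origin, a captured assertion fails on the single-use challenge, and a forged assertion fails on the signature. The counter check is what lets a service notice a cloned key, which is the property the secure element on the Titan hardware is meant to protect.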

Titan hardware is also built to be secure—Google designed the devices around a secure element hardware chip that contains all the necessary firmware for it to function, and all of that information is sealed in during the manufacturing process, as opposed to being installed afterward. Thus, Google said, “the trust in the security key hardware is anchored in the sealed chip as opposed to any other later step which takes place during manufacturing.”

Additionally, Titan keys contain no personally identifying information and, Brand said, “don’t know who their owner is.” If a key is found, it’s useless to the person who picked it up unless they also know the owner’s account names and passwords.

How to get and use a Titan security key

The retail kits available to the public, which are now on sale in the Google Store, are priced at $50 and contain two keys: a USB key for plugging in to a computer, and a low-energy Bluetooth key designed to be used with mobile devices or Bluetooth-capable computers. When testing the Titan key, I found both incredibly easy to use—all you need to do to add them (and be sure you register both) is to browse to g.co/securitykey and follow the instructions. You’ll log in to your Google account’s 2FA page, select the option to add a security key, and follow the onscreen prompts.

Android users can log in to an existing or new device by opening the Settings app, logging in on the Account page, and then following the options to use the Bluetooth-enabled key to sign in wirelessly.

iOS users will need to download the Google Smart Lock app to enable the Titan Bluetooth key on their devices. After the app is installed, follow the prompts to log in using your Titan key.

Once you’ve verified your identity on a particular device, you won’t have to log in with your Titan key again—it’s only necessary on new devices or browsers.

Enterprises interested in deploying Titan keys in their organization can contact their Google Cloud representative for pricing and ordering information, or purchase the keys through Google partner Insight.

 

Will Google’s Titan security keys revolutionize 2FA?

Whether Titan security keys will truly change the 2FA game remains to be seen. Google said that 2FA users consider most methods inconvenient, but the addition of a piece of hardware may not be perceived as simpler than waiting for a text or tapping a button on a smartphone.

Most of us already have an iOS or Android device in our pockets, and adding another fob to our keychains might not be the solution. With account security as poor as it currently is, something needs to give, and Titan keys may be the start.

The big takeaways for tech leaders:

  • Google’s Titan security keys are now available for businesses and consumers. Titan keys use the FIDO U2F protocol, which makes them able to secure Google accounts and other services that use U2F.
  • Titan keys don’t contain any personal information, so businesses shouldn’t worry about them being a security risk.

 

via:  techrepublic

T-Mobile suffers data breach affecting 2.2 million customers

The third most popular mobile network in the US, T-Mobile, has suffered a data breach that affected more than two million of its customers.

According to the company’s website, on 20 August 2018, T-Mobile’s in-house security team noticed unusual activity that was immediately “shut down.”

Data potentially compromised before the shutdown included subscribers’ names, billing zip codes, phone numbers, email addresses, account numbers and account types (e.g. pre-paid or billed).

Apparently, no social security numbers (SSNs), financial data or account passwords were accessed during the attack.

The alert doesn’t mention the number of subscribers involved but this is being reported by Motherboard as just shy of 3%, or around 2.26 million accounts.

Users caught up in the breach would be contacted with further instructions, T-Mobile said, though the company didn’t say how or when that would happen. (Motherboard quoted a spokesperson as saying that affected customers would be told by text message.)

If there’s good news in this incident, it’s that the breach seems to have been noticed quickly by T-Mobile’s in-house security team, and the company told its customers within a matter of days.

In plenty of other breach incidents, companies have realized what happened only after they were contacted by a third-party researcher, by the attackers themselves, or, in the worst-case scenario, by customers reporting fraud attempts.

This is often weeks or months – sometimes even years – after the event, by which time a lot of damage has been done.

According to the Privacy Rights Clearinghouse, so far in 2018 (to early August) 513 disclosed data breaches covering 819 million records have been recorded. For comparison, the whole of 2017 saw 831 breaches covering just over two billion records.

 

via:  sophos

How to set up a rule in Microsoft Exchange to send an alert of a phishing attack

Empowering your employees to easily notify IT security personnel of a phishing attack requires an Exchange rule. This tutorial explains how to set one up.

In general, IT cybersecurity experts agree that when it comes to enterprise phishing emails, the most effective defense, and the only one that reliably stops such attacks, is a well-trained and educated workforce. While technologies like artificial intelligence and machine learning may stop many phishing emails from reaching user inboxes, those solutions cannot undo the careless click on a malicious link by one of your employees when the technology fails.

As we have mentioned before, a 2018 report shows that about 50% of an enterprise’s computer-using employees will click on a link sent via email from an unknown user without first thinking of the potential consequences. To overcome this lack of urgency so prevalent amongst users, IT professionals should task the entire workforce with the responsibility of immediately reporting phishing emails when they are uncovered.

The Office 365 add-in, Report Message, allows Outlook users to report a phishing or other suspicious email with the click of a single icon on the standard Office Ribbon interface. However, by adding a new rule to Microsoft Exchange, admins can also receive a copy of the report—with no additional effort on the employee’s part.

This how-to article explains how to set up a rule in Exchange that will piggyback on Report Message to notify the proper IT security team in your organization that a phishing email has been reported.

Set up the Rule

Creating or modifying rules using the following technique requires Exchange Online Administrator authentication status. This tutorial also assumes you have installed and enabled the Report Message add-in for Outlook. (Check out the previous article for details.)

Open the online portal to Office 365 and log on with administrator credentials. Navigate to the Admin Center and then open the Exchange Admin Center submenu. Click the Mail Flow link in the left navigation bar. You should see something similar to Figure A. (Note, the example has no rules yet.)

Figure A

Click on the Plus button to create a new rule. Name your new rule (Phishing Submission) and then open the Apply this rule if dropdown box. Choose the entry: The recipient address includes. Add these two email addresses to the list as shown in Figure B.

  • junk@office365.microsoft.com
  • phish@office365.microsoft.com

Figure B

 

In the Do the following box, choose the Bcc the message to entry and add the appropriate security administrator or team as designated by your intrusion detection policy. Set the Audit this rule with severity level to medium, as shown in Figure C and click Save.

Figure C

Once this rule is established, whenever an employee reports an email using the Report Message add-in, the appropriate security personnel will receive a copy of the message automatically. This will allow your security teams to act swiftly and decisively to mitigate and counteract phishing attacks in accordance with your enterprise’s policies.

 

via:   techrepublic

Do Something, Know Something, Learn Something – A 3-Step Guide to Keeping Your InfoSec Career Exciting

If you are like most infosec professionals, each day brings new and interesting challenges.

However, like most jobs, there are valleys that we fall into along the course of our professional development. How long can you stare at your SIEM tool before you start to experience some mild tunnel vision, or worse, severe burnout? Neither of these is a productive path for you or your employer.

When I find myself heading down that path of waning motivation, I exercise a 3-step plan to get back on track. I call it the Do Something, Know Something, Learn Something plan.

Here is how it works:

Set three recurring calendar events, each lasting an hour with a 30-minute break in between each task. For the first task, assign some of your daily activities that need your attention.

This may be writing up a report, updating your monitoring logs, or performing triage on the security events under your responsibility. This is the “Do Something” phase. This one is most important, as it is probably the bulk of what is required of your job duties. This task will not only recur daily but should be set to recur multiple times throughout the day.

The next task that should be on your calendar is the “Know Something” task. This is the task where knowledge is the goal.

If you maintain any certifications, this is where a continuing professional education (CPE) credit-eligible webcast can fill the task requirement. This task time-slot can also be used to familiarize yourself with a new regulation or perhaps to just catch up on some of the infosec news of the day.

The purpose here is to increase your knowledge about infosec topics that may come up during a lunch conversation, or perhaps an impromptu conversation with a senior executive in your office. This type of knowledge adds credibility to your role, which is a valuable asset both personally and professionally.

The third task is the “Learn Something” task. This is different from simply knowing, as it is where you use the time to actively research a new skill or learn a new tool.

If your employer is receptive and flexible, the learning can be tangentially related to infosec. For example, knowing the pin-out patterns of various cables may not be directly related to your particular job, yet it is valuable information that can improve your infosec skills in immeasurable ways.

I find that running this three-step pattern over the course of a month does wonders for breathing new life into my job routine. It also brings more value to your employer. Above all, be sure not to let your daily responsibilities slip. This is why the “Do Something” task needs to recur throughout the day.

I understand that you may not have a job that allows the daily attention to each task that I have described here; however, I am certain that there is a way to spread this plan out so that you can implement it to keep you from becoming numbed by the same tasks every day.

After all, we are working in one of the most exciting fields that doesn’t require any physical danger. I hope my three-step approach helps you to keep excitement alive while improving your skills and your value.

 

via:  tripwire

Guide to Securing Your Mobile App against Cyber Attacks

Thanks to the advent of technology, the number of mobile phone users is increasing day by day. You’ll be shocked to hear that by 2019, this number will cross the 5 billion mark! While mobile phones may have made our lives easier, they have also opened up new territory for cybercriminals, who are adapting and using new methods to profit from this rapidly growing number of potential victims.

What’s more, apps account for nearly 90% of usage on mobile phones and tablets, making them the number one target for cyber-attacks. People are using apps to access everything from online banking to shopping and even controlling home devices.

User data is like a goldmine for cybercriminals, as they can access anything from credit card details to email passwords and user contact lists. Users have also been scammed into downloading malicious adware, and at times, they unknowingly subscribe to fraud paid services.

This is why a lapse in any mobile app’s security is a daunting scenario for app owners and developers. According to a study, more than 60% of companies reported that an insecure mobile app caused a data breach, and 44% out of them did not take any immediate action to secure their app against further potential cyber attacks.

So, if you are an app owner or developer, start working towards certain frameworks and tools that provide ease and security to your users. Think about the ways you can avoid the mentioned security challenges and protect your app from cybercriminals.

To make your tasks easier, I have listed some of the mobile app security best practices that will benefit you as an owner and also provide your users with a safe and secure online experience.

1. Security by design

The first step towards securing any mobile app is to design a threat model from the very beginning. Think like a hacker and identify every shortfall of your app’s design. Only then will it be possible to implement effective security strategies. You can also hire a professional security team to play the fake bad guys. It is a great way to test the security of your app, as they will probe it for different vulnerabilities.

Furthermore, if you are a growing eCommerce business and want to develop an online shopping app that processes sensitive information such as financial transactions and credit card details, consider the consequences of a security breach. Ask yourself: in what ways can user privacy be compromised, and how can you prevent it from happening?

Keeping safety as a number one concern from the very beginning will give you ample motivation regarding security measures for your app.

2. Mobile device management

Online security starts with the device that the consumer is using to access your app. Each mobile operating system, whether iOS or Android, requires a different approach to its security. Developers must understand that the data stored on any device is a potential target.

This is why you should consider encryption methods like 256-bit AES (Advanced Encryption Standard) to keep data safe in files, databases, and other data stores. Also, when you are formulating the mobile app security strategy, keep encryption key management in mind.

In the case of Apple, it has strict policy enforcement practices. Being an app owner, you can restrict any user from installing your app if you feel that the security of the user device seems compromised.

One of the most effective ways to manage iOS devices is to use a mobile device management (MDM) or enterprise mobility management (EMM) product. Many vendors, such as MobileIron, MaaS360, and Good Technology, offer services in this area. Apart from this, you can use the Microsoft Exchange ActiveSync protocol as a policy management tool if you are looking for a cheaper and easier-to-use option.

Android phones, on the other hand, are a bit trickier to manage. Because they are relatively cheap compared to iOS devices, they are often the source of a security breach. You should only be using Android for Work (A4W) in the enterprise. This version of Android encrypts the device and separates personal and professional apps into two categories.

With the combination of the right devices, updated mobile operating systems and MDM, you can provide first level security for your mobile app.

3. App wrapping

App wrapping is the term for a methodology that segments your app from the rest of the device by enclosing it in a secure environment. You will automatically get this option if you are using an MDM provider. Just set a few parameters, and you can segment your apps without any coding required.

4. Strong user authentication

One of the most crucial components of mobile app security is to implement strong user authentication and authorization. You never know who is accessing your app. A seemingly simple question, “Who are you?,” can help secure your device against malware and hackers.

User authentication must cover all aspects of user privacy, identity and session management, and device security features. Try to enforce two-factor (2FA) or multi-factor authentication (MFA). You can bring technologies like the OpenID Connect protocol or the OAuth 2.0 authorization framework on board.

5. Hardening the OS

Another way to secure mobile apps is by hardening the operating system. There is a wide variety of methods in which you can do it. From day one, Apple has done a great job in enforcing security within its operating system. You can use these tools for iOS security:

6. Apply security to APIs

Make sure that you use APIs to manage all app data and business logic. APIs are a very useful tool for the mobile world, and they are the crown jewels for any enterprise. All data, whether in transit or at rest, should be secured.

For data in transit, you can use TLS (commonly still called SSL) with 256-bit encryption. For data at rest, you should secure the origin of the data as well as the device itself.

Remember, each API should have app-level authentication. Make sure you validate who is using the service, and keep sensitive data in memory only, where it can easily be wiped.
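As an added example (not from the article or any vendor), the block below shows what "app-level authentication" and "secure data in transit" can look like on the API side: each request carries an app identifier, a timestamp and an HMAC-SHA256 over the method, path, timestamp and body hash, and the server rejects unknown apps, stale requests and tampered bodies with a constant-time comparison; a separate helper builds a TLS client context that enforces TLS 1.2 or newer with certificate and hostname verification. The app ID, secret, header names and sample transfer request are all constructed for the example.

```python
"""App-level request authentication for a mobile API plus a hardened TLS
client context. Added example; app IDs, secrets and headers are constructed."""
import hashlib
import hmac
import ssl
import time

# Constructed per-app secret. In production it lives in the server's secret
# store and is provisioned to the app instance, never hard-coded in the binary.
APP_SECRETS = {"mobile-app-v3": b"constructed-demo-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300   # reject requests whose timestamp is outside this window


def sign_request(app_id, method, path, body: bytes, timestamp, secret):
    """Canonical string: app_id, METHOD, path, timestamp, sha256(body)."""
    canonical = "\n".join([app_id, method.upper(), path, str(timestamp),
                           hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def verify_request(headers, method, path, body: bytes, now=None):
    """Server-side check; returns 'ok' or the reason the request was refused."""
    now = time.time() if now is None else now
    app_id = headers.get("X-App-Id", "")
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return "unknown app"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "stale request"
    expected = sign_request(app_id, method, path, body, ts, secret)
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return "bad signature"
    return "ok"


def client_tls_context():
    """Verifies the certificate chain and hostname; refuses TLS older than 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def run_checks():
    now = 1_700_000_000                                   # fixed clock for the demo
    body = b'{"account":"12345","amount":"10.00"}'        # constructed request body
    sig = sign_request("mobile-app-v3", "POST", "/v1/transfer", body, now,
                       APP_SECRETS["mobile-app-v3"])
    headers = {"X-App-Id": "mobile-app-v3", "X-Timestamp": str(now), "X-Signature": sig}
    tampered = b'{"account":"12345","amount":"9999.00"}'
    ctx = client_tls_context()
    return {
        "valid": verify_request(headers, "POST", "/v1/transfer", body, now=now),
        "tampered_body": verify_request(headers, "POST", "/v1/transfer", tampered, now=now),
        "stale": verify_request(headers, "POST", "/v1/transfer", body, now=now + 3600),
        "unknown_app": verify_request({**headers, "X-App-Id": "retired-app"},
                                      "POST", "/v1/transfer", body, now=now),
        "tls_min_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:17s} -> {outcome}")
```

The timestamp window bounds how long a captured request stays usable; a server that also records recently seen signatures within that window closes the remaining replay gap. The cipher strength the article mentions matters less than what `create_default_context()` gives you for free: chain and hostname verification, which is what stops an interception proxy from reading the traffic in the first place.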

Conclusion

When it comes to addressing your mobile application’s security, assume that all mobile devices accessing the app are insecure and that hackers can easily capture the data flowing to and from your app. That doesn’t mean you’re being overly paranoid.

These assumptions will help you stay on top of your security game, and you will always look out for new ways to harden the security of your mobile app against the most common security failures.

There are many other practices with which you can toughen up the security of your app, but these 6 tips will give you a basic framework that can be applied to any business, irrespective of its size. Which strategies do you use to protect your mobile app against cyber attacks?

 

via:  tripwire

The Value of Two-Factor Authentication – Save the Embarrassment

These days, it’s not a matter of if your password will be breached but when.

Major websites experience massive data breaches at an alarming rate. Have I Been Pwned currently has records from 295 sites comprising 5.3 billion accounts. This includes well-known names like LinkedIn, Adobe, and MySpace.

Password breaches are a cause for embarrassment; they are talked about in hushed tones just like finding mice in your home or having your credit card declined. They don’t need to be, though; they are part of the online experience associated with a modern cyber life.

Instead of being embarrassed, take steps to minimize the impact that a data breach has on your life.

One of the best ways to do this is to enable two-factor (or multi-factor) authentication on the accounts that you use on a regular basis. Adding a second form of authentication (typically in the fashion of a code generated by or sent to a device you own) can ensure that no one accesses your accounts even if they have your passwords.

Here you will find step-by-step instructions on how to configure two-factor authentication on some of the Internet’s most popular websites.

Facebook

  • Log into Facebook and visit Settings.

  • On the left hand side, select Security and Login and click Edit next to Use two-factor authentication.

  • Set up the 2FA methods of your choice. I recommend Text Message and Authentication App, at a minimum.

Google

  • Visit your Google Account page and follow the Signing in to Google link.

  • Select 2-Step Verification and follow the steps to enable Authenticator, SMS, or Google Prompt 2FA. Note that some applications may stop authenticating and require application specific “App Passwords.” You can read more about those here.

PayPal

  • Log into PayPal and visit Settings.

  • Click Security and look for the Edit link under Security key.

  • Add your mobile number under Register a new mobile number.

Microsoft

  • Follow the More security options link.

  • At this point, you can turn on 2FA by clicking Set up two-step verification under Two-step verification. You can also set up an authenticator app like Google Authenticator or Microsoft Authenticator by clicking Set up identity verification app under Identity verification apps.

Apple

  • Log into Apple ID and click Edit under Security.

  • Follow the steps under TWO-FACTOR AUTHENTICATION to enable 2FA on your Apple Account.

LinkedIn

  • Log into LinkedIn and click Me and Settings & Privacy.

  • Turn on two-step verification in order to enable SMS verification codes for future LinkedIn logins.

Twitter

  • Log in to Twitter and click on your avatar and Settings and privacy.

  • Under Security, click to Set up login verification. Follow the prompts to enable 2FA on your Twitter account.

Enabling two-factor authentication is quick and painless in most cases, although it is recommended that you print out back-up codes from sites that support it. These codes can be a life saver when it comes to websites that use authenticator applications should you lose or damage your phone.

Are there any websites that you’d like to enable two-factor authentication on that weren’t in the list above?

 

via:  tripwire

Fortnite Says It Will Reward Users Who Enable 2FA With Free Emote

The Fortnite team announced it will reward users who enable two-factor authentication (2FA) on their accounts with a free emote.

On 23 August, the makers of the popular online video game revealed an incentive to help users boost their account security: in exchange for enabling 2FA on their accounts, gamers would receive the Boogiedown emote for free in Fortnite Battle Royale.

On a page linked to in its tweet, Fortnite explains that users can enable two-factor authentication to receive verification codes either via email or via an authenticator app installed on their mobile device. The latter option is the more secure of the two, as an app like Google Authenticator can help protect users’ Fortnite profiles in case their email accounts are ever hacked. In many cases, users can also employ that same authenticator app to protect their emails against an account compromise.

Team members recommend that Fortnite users click here to get started. They also make clear that they’ll never ask users for their account passwords. If users receive such a request from someone posing as a Fortnite employee, they should alert the real Fortnite team using the “Contact Us” feature.

Fortnite isn’t the only game that has used an in-game reward to encourage users who might not otherwise be concerned about their web account security to enable 2FA. Video game developer ArenaNet gave Guild Wars 2 players who enabled SMS-based login codes (a 2FA deployment that doesn’t always guarantee account security) the Mini Mystical Dragon as a free pet. Even so, ArenaNet and Fortnite are in the minority among video game developers, and tech companies in general, in putting a premium on users taking their account security seriously.

In the prevailing absence of such incentives, it’s up to users to take the lead on protecting their accounts with login verification codes. Here’s a resource that explains how you can enable this additional login step on many of the web’s most popular services.

 

via:  tripwire

The True Cost of an Industrial Cyber Security Incident

Industrial control systems are essential to the smooth operation of critical national infrastructure. While once segmented from the web, these systems are becoming increasingly networked and remotely accessible as organizations transform to meet the digital age. This development potentially exposes industrial control systems to digital threats.

One of the most serious threats confronting industrial control systems today is the Internet of Things (IoT). Organizations and users are becoming more and more dependent on Internet-connected devices, so much so that there’s not enough time to secure them. This rush has enabled the creation of threats like VPNFilter, a type of botnet which targets routers, network attached storage (NAS) devices and other IoT products.

In May 2018, researchers observed that VPNFilter had infected half a million IoT products in what Ukrainian officials believed were Russia’s preparations for a digital attack. Less than two months later, Ukrainian law enforcement thwarted an attempted VPNFilter attack by Russian agents against a chlorine station.

The IoT threat facing industrial control systems is expected to get worse. In late 2016, Gartner estimated that there would be 8.4 billion connected things worldwide in 2017. The global research company said there could be approximately 20.5 billion web-enabled devices by 2020. An increase of this magnitude would give attackers plenty of new opportunities to leverage vulnerable IoT devices against industrial control systems.

Concern over flawed IoT devices is justified. Attackers can misuse those assets to target industrial environments, disrupt critical infrastructure and jeopardize public safety. Those threats notwithstanding, many professionals don’t feel that the digital threats confronting industrial control systems are significant. Others are overconfident in their abilities to spot a threat.

For instance, Tripwire found in its 2016 Breach Detection Study that 60 percent of energy professionals were unsure how long it would take automated tools to discover configuration changes in their organizations’ endpoints or for vulnerability scanning systems to generate an alert. Even so, 70 percent of participants affirmed it should take only minutes for those same solutions to detect an alteration.

Industrial professionals would be wise not to underestimate threats against industrial control systems, because the costs of disruption can be significant to the business. In response to a 2016 ransomware attack, Michigan’s Board of Water & Light ended up paying approximately $2 million for digital security experts and a law firm to assist it in its recovery and prevent similar attacks from occurring in the future.

Even worse, a 2012 malware attack cost Saudi Aramco – the world’s biggest oil company – approximately $1 billion, as the company needed to replace 35,000 computers damaged by the attack. It also hired at least six firms and dozens of experts to help with the recovery, reported Reuters.

Tim Erlin, VP of Product Management & Strategy at Tripwire, feels these incidents demonstrate the importance of organizations protecting their industrial environments now rather than later:

If your business has an industrial control system footprint, now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern among security professionals as a critical disaster could result in significant loss of life.

 

via:  tripwire

5 Key Areas Security Professionals Should Consider – Healthcare Industry

The Healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector.

In my opinion, the WannaCry compromise was the crescendo of almost a decade’s worth of neglect. Unpatched servers, legacy applications, forgotten risk registers and discarded business cases for investment all played their part. However, it did answer the million-dollar question asked of all security teams: “What is the real risk of us being attacked?”

At the time of the attack, security teams across the country were rallying to resolve the issue, with many (I’m sure) searching for evidence that they had once warned their organization of the dangers of poor cyber-response arrangements and poor patch management.

Dare we ask how many servers compromised by WannaCry needed only a reboot to activate an already-installed patch, a reboot denied only because no agreement could be reached on a maintenance window?

As sad and controversial as it sounds, sometimes it takes an incident of this magnitude and publicity for organizations to remember the basics. Despite the irresistible urge for some to shout “I told you so,” we must understand how we can improve now that we have the attention of executive management, who wish to avoid the implications of another WannaCry.

In recent years, I have spent less time on policy and more on advising on change, mostly trying to mediate between innovation and security. In adapting my thinking to include transformation and change, I have identified five key areas I believe all security (and IT) professionals should be considering:

1. THE ‘GIG ECONOMY’

Organizations want to try new things and do not want to be bogged down with procedures and policy. However, we must be mindful of integration and support. Get the right contracts in place; secure robust support agreements and software assurance. Do not become dependent on a single third-party application. We all know of solutions with security flaws whose vendors have no appetite to fix them.

Finally, be prepared to forgo the usual third-party assessments for these smaller firms. Streamline the process, and document the exceptions!

2. DIGITAL TRANSFORMATION

The right digital plan must be established. It must be designed with a care plan/business strategy at its heart and underpinned by robust architectural designs and operational basics. Base your security strategy around this, and you will not go far wrong. (It also makes asking for investment far easier!)

3. DATA, DATA, DATA

If you cannot extract data from a solution to demonstrate value and outcomes, why bother with it?

And critically, look for a common integration and data extraction tool rather than a swathe of bespoke interfaces known only to the developer who left the organization two years ago.

4. A RETIREMENT PLAN

Support functions cannot be expected to support operating systems that are no longer supported by the vendor. As with the financial sector, it is only a matter of time before the healthcare sector is required to provide decommissioning plans and timelines.

Be proactive with your hardware refresh cycle, and ensure your third-party vendors are contractually bound to support their applications on the latest technology and operating systems.

5. COURAGE

Finally, we must have the courage to stand up for what we know is the right thing to do: do not be swayed by pressure to adopt bad practice or technology.

Whilst saying “No” is never really an option, the transferal of risk certainly is.

How Tripwire Can Help

All healthcare organizations need to take steps to strengthen the security of their systems so that they can ensure the availability of critical medical services and protect their patients’ data. Such measures are especially important in the case of defending against vulnerabilities like EternalBlue, the Microsoft SMB flaw which WannaCry exploited in 2017.

CVSS risk scoring is a good start. But in instances like this, low-medium-high scoring alone is of little use: the vulnerability shows up as “high” in every part of the business, so the critical systems and assets that provide the “business as usual” state land in the same category as non-critical systems.

This is where Tripwire IP360 can assist. Tripwire not only provides the CVSS risk score but also weights each asset according to its criticality to the business, amongst other criteria. This lets limited resources apply patches quickly to the critical systems first, thereby restoring the secure “business as usual” state for the business.

In the meantime, Tripwire Enterprise can be used to monitor the estate for any changes or drift from compliance policies, providing real-time notification of anything detrimental to the estate so that the responsible teams can address it immediately.


via:  tripwire

A How To for Asset Tagging using Tripwire

The systems in your environment are extremely important assets: they store intellectual property, customer information and financial information, and they run business automation. If any of these systems are breached or become unavailable, there is a business and financial impact.

You’ve installed Tripwire Enterprise agents on these systems to ensure that you know what changed, that the changes were authorized and that these systems remain hardened.

But when you have thousands and thousands of assets, how can you view and report on them in a meaningful way? Not all assets are created equally. Often, not all assets are managed by the same group. Different assets run different applications. It’s a jungle in there!

Into the fray steps the Tripwire Enterprise (TE) Asset Tagging feature. Asset Tagging makes it possible to automate the management of these assets and makes reports more meaningful to the business.

Now, having an asset tagging system is nice and all, but we still have to apply these informational tags to the assets. There are several ways to do this, which we touch on in this article. But we need to do these things in order: before we can apply tags to the assets, we have to create tags that are meaningful to the business. Yes, Tripwire Enterprise comes with a set of common Asset Tags for Operating Systems, Device Types and such. But we don’t know what applications, locations, owners and other types of tags you might have in your environment.
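To make the two ideas on this page concrete, here is an added example (not Tripwire’s code and not the article’s own) that ties the criticality weighting described under “How Tripwire Can Help” to the tag metadata described here. It uses a constructed inventory of three hosts that all carry the same SMB finding with the same CVSS score, shows that plain CVSS banding puts all three in the same “high” bucket, and then ranks them by a score weighted by an assumed `criticality` tag and groups the result by an assumed `owner` tag. The tag names, weights, host names and vulnerability label are all assumptions made for the example.

```python
"""Asset-weighted vulnerability prioritisation (illustrative, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed tag vocabulary: a "criticality" tag whose values map to a weight.
# These weights are constructed for the example, not Tripwire's own scheme.
CRITICALITY_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    tags: dict  # tag category -> value, e.g. {"owner": "Radiology"}


@dataclass(frozen=True)
class Finding:
    asset: str   # name of the asset the finding was raised on
    vuln: str    # constructed label for the vulnerability
    cvss: float  # CVSS base score as reported by the scanner


def cvss_bucket(score: float) -> str:
    """CVSS v3 qualitative severity bands: none/low/medium/high/critical."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def weighted_score(finding: Finding, asset: Asset) -> float:
    """CVSS multiplied by the asset's business-criticality weight."""
    level = asset.tags.get("criticality", "standard")
    return round(finding.cvss * CRITICALITY_WEIGHT.get(level, 1.0), 1)


def prioritise(findings, assets):
    """Return findings ordered by weighted score, highest first.

    Each row is (asset name, vuln label, CVSS bucket, weighted score).
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        asset = by_name[f.asset]
        rows.append((f.asset, f.vuln, cvss_bucket(f.cvss), weighted_score(f, asset)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def report_by_tag(findings, assets, tag: str):
    """Group the prioritised rows by the value of one tag category (e.g. owner)."""
    by_name = {a.name: a for a in assets}
    grouped = defaultdict(list)
    for row in prioritise(findings, assets):
        grouped[by_name[row[0]].tags.get(tag, "untagged")].append(row)
    return dict(grouped)


# Constructed sample inventory: three hosts sharing one SMB finding.
ASSETS = [
    Asset("pacs-srv-01", {"criticality": "critical", "owner": "Radiology",
                          "os": "Windows Server 2008"}),
    Asset("kiosk-lobby-03", {"criticality": "standard", "owner": "Facilities",
                             "os": "Windows 7"}),
    Asset("lab-db-02", {"criticality": "important", "owner": "Pathology",
                        "os": "Windows Server 2012"}),
]
FINDINGS = [
    Finding("pacs-srv-01", "eternalblue-smb", 8.1),    # constructed label/score
    Finding("kiosk-lobby-03", "eternalblue-smb", 8.1),
    Finding("lab-db-02", "eternalblue-smb", 8.1),
    Finding("kiosk-lobby-03", "weak-tls-config", 5.3),
]

if __name__ == "__main__":
    # Same CVSS bucket everywhere, but a very different patch order once weighted.
    for row in prioritise(FINDINGS, ASSETS):
        print(row)
    for owner, rows in report_by_tag(FINDINGS, ASSETS, "owner").items():
        print(f"{owner}: {len(rows)} finding(s)")
```

The point of the design is that the scanner’s score is left untouched; the business context lives entirely in the tags, so changing who owns a system or how critical it is changes the patch order without re-scanning anything.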

So, if you want the full details, check out the full article:

A ‘How To’ for Asset Tagging


To learn more about Tripwire Enterprise and asset tagging, click here.


via:  tripwire