2011 Gartner Security & Risk Management Summit – According to the Twitterverse
Posted on June 24, 2011 by Josh Arrington
Earlier this week the Cyber-Ark team headed down to Maryland to attend Gartner’s Security & Risk Management Summit and, of course, to eat some crab cakes. With keynote speeches, analyst sessions, roundtable discussions and workshops scheduled, the days were jam-packed. While the conference was widely attended by IT security professionals, those who couldn’t make the trip could still feel like they were there by following the #GartnerSecurity hashtag. We decided to take a closer look at the hottest topics addressed at the summit through the lens of some of the Tweets sent from the show floor. Here are some of our favorites, covering hot topics such as mobile security, internal and external cyber security threats, and the consumerization of IT:
@TamirSigal: Caldwell: Info risk is like a grenade, don’t hold it, throw it 2 exec mgmt<-disagree. Everyone needs 2 be held accountable #gartnersecurity
@Jfbauer: Interesting, blocking web sites does not stop data loss nor exposure to malware anymore per Gartner #GartnerSecurity
@CesareGarlati: #GartnerSecurity Ken Dulaney on #Consumerization “in 2015 less than 50% of companies will have up-to-date mobile security policies”
@Iglazer: Bellamy raises the point that it’s not that people don’t care about privacy, but that they are unaware of 2nd uses of data #gartnersecurity
@Cgonsalves: #GartnerSecurity Chertoff thinks US should start teaching cybersecurity to pre-schoolers. Says it’s like teaching hygiene. I kid you not.
@JTKeating: Wagner: By 2014, 70% of IT teams will be required to present annually on state of security to the Board of Directors. #GartnerSecurity
@reed_on_the_run: Mobility is #2 top security trend at #GartnerSecurity behind threat environment which is always #1
Thank you @TamirSigal, @Jfbauer, @CesareGarlati, @Iglazer, @Cgonsalves, @JTKeating and @reed_on_the_run for the inside look at 2011’s Gartner Security & Risk Management Summit, looking forward to 2012!
IT Security Rewind – Week of June 13
Posted on June 20, 2011 by Josh Arrington
Another week and yet another high-profile data breach with potentially disastrous implications. Already, this attack has forced one of the officials involved with the organization to refer to the exposed data as “political dynamite.” Let’s dig into this breach and the rest of this week’s headlines in our IT Security Rewind:
IMF—Stable but not secure: The biggest news item of the week actually originated over the weekend, when word first broke that the International Monetary Fund—an organization of 187 countries committed to ensuring the stability of the international monetary and financial system—was the target of a sophisticated computer security attack. While details on the culprits and severity of the attack are still only trickling out, Government Computer News reports that the hack may have been carried out by a foreign government. The coordinated attack, which resulted in the loss of a “large quantity of data” relating to “sensitive country financial information,” was likely initiated by an old-school spear-phishing attack, but is there more to the story? Typically, spear phishing and similar tactics are simply the door hackers use to enter an organization—once inside, they use and exploit elevated privileges to reach their destination and the troves of sensitive data stored across systems.
Not Summer in the Citi: Last week’s massive Citigroup data breach continued to attract headlines. While the bank divulged that the attack affected 360,000 credit card customers, according to the Financial Times, U.S. officials are demanding more details regarding the extent of the breach and its potential for recurrence. The article also suggests that the breach calls into question not only the relative lack of regulation in place to protect consumer data, but also the security of online banking websites. In this instance, attackers may have been able to leverage flaws in the website’s programming language or the way it is administered.
Data Breach Notification—The Law is Taking a Stand: As this eWeek article points out, the United States Congress continues to push for new data breach legislation. This time, Congressmen have filed legislation that would require companies to notify customers when a data breach has occurred within 48 hours following the completion of an incident assessment. However, other Congressmen have expressed skepticism over this pending legislation—will this law just result in stalling tactics? What’s your take—would this law have a positive impact on the industry? Is there a better alternative?
That’s it for this week’s Rewind. As always, your comments are encouraged!
Details of another data breach have hit the UK newswires
Posted on June 17, 2011 by Josh Arrington
Details of another data breach have hit the UK newswires today, with reports revealing that the National Health Service (NHS) has lost 20 laptops containing sensitive information from one of its store rooms. Whilst eight laptops have been recovered, it has been disclosed that one of the 12 remaining missing laptops contains some 8.6 million medical records, reportedly unencrypted.
We have quite clearly moved on from the time when data could be effectively safeguarded by placing it under lock and key. It is therefore all the more concerning that such a large institution is still relying on such archaic methods to defend its data.
Organisations that want to truly safeguard their users and their information need to deploy proven tools which manage and protect sensitive data. That way, even if a device should go missing, it needn’t make the headlines.
Are you a Security Spider-Man?
Posted on June 15, 2011 by Adam Bosnian
After years in the works and a number of recent twists and turns in the story and production, the Broadway show “Spider-Man: Turn Off the Dark” finally opened in New York City last night to an eagerly awaiting crowd of Spidey and U2 fans. The show is amazing, with acrobatics unmatched elsewhere on Broadway and powerful music with Bono’s and The Edge’s unmistakable signature vibe. With countless stories detailing the problems the show has faced, including a rewrite of major portions, injuries to actors, and technical and mechanical difficulties, the show endured plenty of pains before being ready for prime-time. That said, this blog entry isn’t a review of the show’s performance; you can find plenty of them here, here and here.
Rather, the revival of Spider-Man in the form of a Broadway show actually ties into the lives of IT professionals in many ways – whether purely as comic book fans or as an analog to the superheroes in the server rooms responsible for enterprise systems’ performance and security. This especially holds true in the area of privileged identity management, where Uncle Ben’s proclamation, “with great power there must also come great responsibility,” resonates so clearly. If not managed or monitored properly, the power of privilege and the pervasiveness of embedded credentials and admin accounts pose a significant threat to data security and business performance.
It’s an operational and compliance imperative for companies to “Turn off the Dark” and shine a spotlight on their privileged users, applications and sensitive information. Understanding where all the accounts and identities are, what they have access to – and what’s done once that access is gained — is a crucial step toward asserting better control of all these accounts and ensuring their appropriate use. The privilege problem is more widespread than you probably think. It’s not just about protecting your customer database or credit card information; it’s about understanding all of the threat vectors and how to stop them. At a time when the perimeter is disappearing, the workforce is increasingly mobile and a plethora of devices and systems tie into corporate networks, a security superhero’s job is never done.
For instance, consider recent headlines about Cisco videoconferencing products that contain vulnerable credentials hard-coded into the software, opening the door for someone to gain access to the system. Stuxnet gained notoriety by leveraging embedded credentials in Siemens software for programmable logic controllers, and was used to knock out centrifuges in Iran late last year. As security professionals, it’s time to think beyond the perimeter and the ‘usual targets’ to realize that so many things in our everyday lives come equipped with hard-coded passwords or weak admin accounts that afford backdoor access to high-value systems, networks and databases.
The power of these privileged accounts, identity and information needs to be understood and transparently controlled. Whether your Green Goblin is an embedded credential, your Dr. Octopus is a shared account or your Venom is an admin account, you’ve got to use your web-slinging skills to vanquish these villains and restore order to your business before it’s too late. Like Spider-Man, you may not be appreciated by the editor of the Daily Bugle for all the work you do to keep your city safe, but it’s still vitally important to doing what’s right for your company and its citizens.
So, are you a security Spider-Man? What menace do you face each day?
IT Security Rewind: Week of June 6
Posted on June 10, 2011 by Derrick Pyle
Security breaches, server attacks, data loss. No matter the headline, as you’ll see in this week’s IT Security Rewind post, it appears that hackers continue to follow similar patterns of infiltration and escalation.
Bank + Data Breach = Bad Combination: Banking organizations continue to be increasingly susceptible to data breaches. This week the latest victim was Citibank. Initial estimates have found that 200,000 customers are already affected. Despite the size of the breach, there is still no confirmation of the actual attack vector that was used to obtain access, but if you are a betting man (or woman), elevated privileges would be a safe bet.
Stuxnet—Plenty of Holes in This Story: The opening line to this ThreatPost article says it all—“The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.”
In the piece, Langner proceeds to claim that the media paid too much attention to the zero-day Windows vulnerabilities that enabled the worm, but overlooked the other security holes that were exposed and utilized. One of those vulnerabilities that still exists is a hard-coded password in Siemens WinCC. If uncovered and exploited, as has all too commonly become the case, this vulnerability can provide an attacker with unfettered access to a system’s network.
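The embedded-credential problem raised in the Spider-Man post above and again in this WinCC item is one a team can check for mechanically during code review or build. The Python below is an added example written for this page; it is not code from Cyber-Ark, Siemens, Cisco or any product mentioned. The source lines it scans are constructed, and the names `find_hardcoded_credentials`, `load_credential` and `HISTORIAN_DB_PASSWORD` are assumptions. It flags assignments of secret-looking identifiers to string literals and leaves the runtime-lookup form alone, which is the pattern a scan should encourage.

```python
import os
import re
from typing import Iterable, List, Tuple

# Constructed sample "source" lines (not from any real product) showing the
# anti-pattern the posts describe: an operator credential baked into code,
# next to the hardened form that fetches it at runtime.
SAMPLE_SOURCE = """
db_host = "plc-historian.local"
db_user = "service_account"
db_password = "Summer2011!"          # hard-coded: anyone with the binary has it
api_token = 'tok_' + 'ABCDEF1234567890'
timeout_seconds = 30
password = os.environ["HISTORIAN_DB_PASSWORD"]   # pulled from environment at runtime
""".strip().splitlines()

# Identifier names that commonly carry secrets, matched case-insensitively,
# followed by an assignment and whatever sits on the right-hand side.
SECRET_NAME = re.compile(
    r"^\s*(?P<name>\w*(?:pass(?:word|wd)?|secret|token|api[_-]?key)\w*)"
    r"\s*[:=]\s*(?P<value>.+)$",
    re.IGNORECASE,
)

# A right-hand side made only of string literals (possibly concatenated),
# optionally followed by a comment, is the tell-tale of an embedded credential.
# A lookup such as os.environ[...] does not match and is left alone.
LITERAL_VALUE = re.compile(r"""^\s*(?:['"][^'"]*['"]\s*\+?\s*)+(?:#.*)?$""")


def find_hardcoded_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, identifier) for every secret-looking assignment
    whose value is a string literal rather than a runtime lookup.

    Only the identifier is reported, never the value, so the scanner's own
    output does not become another copy of the secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        match = SECRET_NAME.match(line)
        if match and LITERAL_VALUE.match(match.group("value")):
            findings.append((lineno, match.group("name")))
    return findings


def load_credential(var_name: str, env=None) -> str:
    """Hardened form: resolve the secret at runtime from the environment (in
    production this would be a vault or credential-manager call) and fail
    closed if it is absent, so nothing ever ships inside the code itself."""
    env = os.environ if env is None else env
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"credential {var_name!r} was not provided at runtime")
    return value


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name!r} is assigned a literal; move it to a vault")
    # Demonstrate the hardened path with a constructed environment.
    print(load_credential("HISTORIAN_DB_PASSWORD", {"HISTORIAN_DB_PASSWORD": "<from vault>"}))
```

Run as a pre-commit hook or CI step, this kind of check catches the `db_password = "..."` line before it reaches a build, while the `os.environ` line passes because the value is resolved only when the process starts. The same two regexes work over configuration files as well as source, since both use the `name = value` shape.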
Insiders as a First Line of Defense: An interesting study out of the Ponemon Institute found that three quarters of UK organizations have suffered data loss in the past year. While these numbers include data that was compromised due to network attacks, or lost due to stolen equipment, the study does shine light on the lack of enterprise-wide employee awareness of data security best practices. According to the report, 53% of UK respondents surveyed believe their employees have little or no awareness about data security, compliance and policies. This data highlights a greater need for data protection strategies to include an emphasis on user awareness, “as people are often the first line of defense.”
What other security headlines do you think are worth highlighting this week?
Top Security Tweets: Week of May 30
Posted on June 6, 2011 by Josh Arrington
At the close of each week we look back on the major happenings in the security industry and recap the hottest news in our “IT Security Rewind.” This week however, we decided to mix things up a bit (all this summer weather must be getting to our heads) and instead we’ve listed some of the thought-provoking topics that may not be making headlines but still have major implications for the security industry.
Since Twitter has emerged as an outlet for individuals to engage in conversation and share their opinions, this week we scoured the social channel to see what security industry influencers have to say. Below are some of this week’s Top Security Tweets from thought leaders like Josh Corman, Bob Rudis, Chris Nerney and Eugene Spafford. Did you see any other interesting Tweets that we missed? Feel free to add them below.
@joshcorman For the EleventyBillionth time. An APT is not a WHAT, but a WHO and a HOW. It is an ADVERSARY. FREE: http://bit.ly/gGxuD9
@hrbrmstr What I would truly give a big chunk of budget $ for are infosec prods w/focused functions * *wicked-awesome* mgmt & reporting capabilities.
@RSAConference: Top five social media security threats (via @ChrisNerney) http://bit.ly/iqtYAP
@RobotSpaf: Why the bad guys are winning – Computerworld Blogs – Great list. I don’t agree with all of it, but 95% of it… http://tumblr.com/xfz2t3zpfg
Copyright 2013 Cyber-Ark Software - All Rights Reserved
