Friday, July 21, 2017


Time for a new strategy

Chief Information Security Officers need to revise their strategy
17 July 2017
The Chief Information Security Officer (CISO) is under great pressure. Cyberattacks are increasing in number and are also becoming ever more sophisticated. Consider, for example, the recent ransomware variant PetyaWrap. Its consequences are immense and, beyond financial loss, also cause reputational damage. CISOs would do well to examine their security strategy closely and revise it where necessary. Only then can they protect their organisation optimally against cyberattacks.

That a serious data breach causes major problems is evident from numerous studies. The Ponemon Institute, for instance, calculated that the average cost of a serious breach is four million dollars. And the number of attempts to steal data is rising: last year Symantec observed increases in ransomware attacks and phishing attempts of 35 and 55 percent respectively.
Under these circumstances the CISO's work becomes ever more important, but also more complex. They must protect their organisations against a broad range of threats while the C-suite and the board watch them closely. Under this high pressure the security strategy is being revised, but CISOs can never prevent threats entirely. Together with their teams and peers they must focus on optimising their ability to respond adequately to security risks.
This optimisation consists of three steps: investing in automation, emphasising the prioritisation of threats, and deploying employees efficiently.

Step 1: Automate

Many organisations rely on a manual, decentralised system to track security incidents. According to more than a quarter of CISOs, such manual processes within their organisation are a barrier to implementing effective security. There is therefore a lot to be gained by automating the processes around response and recovery after a cyberattack. It is important to take the security workflow across different departments into account, as that is currently often lacking. By working together with IT and other departments on a single platform, security work can be automated faster and smarter. This in turn benefits the prioritisation process in the second step.

Step 2: Prioritisation as part of automation

The majority of organisations find it difficult to prioritise security alerts by the size of the threat. This can paralyse an organisation because every threat and attack is taken equally seriously, especially when you consider that companies can be hit by thousands of cyberattacks every day. Being able to prioritise threats well is an essential part of an effective security strategy, and thus an essential condition for CISOs to do their job well.

Step 3: Let employees focus on complex tasks

The third and final step is to deploy the time and talent of security staff as effectively as possible. By automating processes and prioritising threats, security personnel are free to respond faster to breaches and attacks and even to anticipate upcoming dangers. That is, after all, the core of their work, not cataloguing suspicious emails. Moreover, in these times of scarce IT talent it is important to make optimal use of the talent available. That much work remains to be done here is evident from the fact that only 7 percent of CISOs believe their organisation employs enough security staff who can properly assess which cyberthreats are most damaging to the business strategy.

Routine work decreases

By following these three steps and focusing on the best approach to cyberthreats, CISOs are better able to protect the most critical parts of their organisation. Moreover, this strategy leads to higher employee satisfaction because routine work decreases. And ultimately, with this strategy CISOs are better able to respond to threats faster and more efficiently than ever before.

'Spyware,' Ransomware Top Threats but Defenders Slowly Improve

Nearly half of firms have encountered spyware, according to Cisco’s semi-annual cyber-security report.
Business email compromise, ransom-seeking criminals and questionable programs that collect information are three of the major threats facing companies in 2017, according to Cisco's Midyear Cybersecurity Report, published on July 20.
Malware and denial-of-service attacks aimed at forcing victims to pay a ransom—known as ransomware and ransom denial-of-service (RDoS), respectively—affect 49 percent of companies, according to the report, citing a study by Cisco research partner Radware. Part of the increase is due to attacks as a service—such as distributed DoS (DDoS)-as-a-service and ransomware-as-a-service—becoming the de facto approach for many cyber-criminals.
“We are seeing tools going away, and instead we are seeing a lot of as-a-service models,” Francisco Artes, security business group architect at Cisco, told eWEEK.
The report forecasts that attacks will become more destructive and focus more on easy-to-hack internet of things (IoT) devices. Combining both trends, destruction-as-a-service will become more popular, with permanent DoS attacks, such as BrickerBot, attempting to erase data and then flash the motherboard of targeted devices.
The 90-page report brings together data from a variety of sources: Cisco internal research, government data and research from nearly a dozen partners, including RSA, Radware and Qualys.
One major trend highlighted by the report is the danger of borderline spyware. Programs that seem legitimate but contain extensive spyware capabilities are becoming a larger problem, Cisco stated in the report. In a study of the network traffic of approximately 300 companies, Cisco found that more than 20 percent had at least one spyware infection. The most prevalent spyware were seemingly legitimate programs that exceed their expected behavior—a description that could apply to many of the tracking services used by advertisers.
“Although operators may market spyware as services designed to protect or otherwise help users, the true purpose of the malware is to track and gather information about users and their organizations—often without users’ direct consent or knowledge,” Artes said. “Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity.”
Six out of every 10 firms showing signs of spyware, for example, had a client compromised by the Hola service, which is advertised as a peer-to-peer virtual private network but allows remote code execution and the ability to download files while bypassing antivirus checking. Another prevalent spyware program is RelevantKnowledge, a browser plugin that collects information on the user’s browsing habits and is often installed through software bundling without the user’s knowledge.
The developers behind malware are continuously modifying their programs and techniques to attempt to avoid detection. A new vector was introduced for each of the top four programs—Kryptik, Ramnit, Nemucod and Fereit—approximately every day. While the number of vectors focused on the Web gradually declined over the study period, the number of vectors through email increased.
Overall, companies seem to be improving their defensive efforts. Firms focused on quickly fixing vulnerabilities have made great strides in reducing their attack surface area, according to the report. In 2017, companies took an average of 62 days to eliminate 80 percent of the known Adobe Flash vulnerabilities in their organizations, according to Cisco partner Qualys, a vulnerability management firm. While there seems to be little to celebrate in that response time, it used to take 308 days to reach the same benchmark in 2014.
In addition, companies are getting better at detecting incidents in their networks. The average incident took 3.5 hours to be detected in May 2017, down from 39 hours in November 2015. The median time to detection (TTD) is the period between when a compromise happens and when the company’s security detects the incident.
Robert Lemos


Sunday, July 16, 2017

Pervasive encryption: Just say yes

Never mind the performance penalty

In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security.
Ignorance of information security among small businesses is hardly news but in my experience many small businesses are only now getting the hang of securing their local PCs - just in time to become infatuated by cloud computing tools they barely understand.
Picture the scene at a typical small retailer. After finding the consternation-inducing 69p that someone dropped on the floor, the bored till-jockey goes into the back room and fires up the ten-year-old MacBook. Several minutes later, the browser loads. The opportunity has at last arisen to punch in the sacred credentials written down on the battered yellow Post-it.
A couple of links are clicked; the till-jockey is now editing a cloud-hosted spreadsheet. Numbers from the till are entered absent-mindedly while texting friends and grabbing personal items in preparation for leaving. A box pops up; an annoyed stab is made in the general direction of “yes, okay” or whatever it seems will make said unwanted and irrelevant intrusion into consciousness go away. The document is saved immediately before the till jockey dashes out the door to catch the bus.

Compromising position

Behind the scenes, what has happened is much more interesting. Someone using a suite of applications bought online has begun to attack the network. The Wi-Fi – using WEP – is for all intents and purposes unsecured; the WEP secret to the network is easily cracked. A well-known vulnerability is exploited to breach and then root the Wi-Fi router. Our attacker has just given himself the ability to perform man-in-the-middle attacks. A security alert pops up on the browser of our bored till-jockey, but he has bypassed it in his hurry to go home.
The password for the cloud service is scraped from the HTTP session, and some very minor code injection allows a complete download of the browser history. The code injection also allows the exploitation of the un-patched, leading to the local system being rooted. Rampant password re-use allows access to the company’s complete stack of cloud services. Email, banking, accounting, CRM/ERP/BIS – including a great deal of customer personally identifiable information – have just been compromised in a matter of minutes.
With this sort of scenario in mind I want to make the case for pervasive encryption. Encryption is by no means free; it exacts a performance penalty that at cloud scale can mean millions or even billions of dollars. Traditionally, every three cores in use doing actual work has meant one core dedicated to encryption.
From a pure hardware standpoint, this is not the end of the world. Chips are cheap and getting cheaper. More and faster cores are continuously available running in the same or lower thermal envelopes.
Increasingly, modern systems are shipping standard with NICs, HBAs and other peripherals that offer more options than running encryption on the CPU. Hardware virtualization tech continually lessens the penalties of that technology, and new management tools integrate with our data centres to move loads around the room in order to deal with "hot spots."
There are other costs; the increased electrical and cooling loads generated by encryption can’t simply be wished away. With dedicated and specialized crypto-processors however, the toll exacted for encrypting everything everywhere should be significantly less than the 25 per cent paid by doing it all in software.
As well as hardware considerations, pervasive encryption brings up some weighty software licensing issues. Anyone using Oracle-anything will go more than a little pale at the thought of suddenly having 25 per cent of their processing capacity vanish into encryption. Dedicated FPGAs and ASICs are available for cloud-scale deployments where licensing is a serious consideration. These allow serious crypto to be done - often without any licensing impact.
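As an added example (not from the article or its author), a small Go program that measures the AES-256-GCM rate of the machine it runs on and converts it into the share of one core a given line rate would consume, so the "one core in four" figure can be checked rather than assumed; Go's crypto/aes uses the CPU's AES instructions when present, and the buffer sizes and the 10 Gbit/s target are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// aesGCMThroughput seals `rounds` buffers of `size` bytes with AES-256-GCM and
// returns the measured rate in bytes per second (hardware-assisted where available).
func aesGCMThroughput(size, rounds int) (float64, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize())
	plaintext := make([]byte, size)
	out := make([]byte, 0, size+aead.Overhead())
	start := time.Now()
	for i := 0; i < rounds; i++ {
		// GCM needs a unique nonce per message; a counter is enough for a benchmark.
		nonce[0], nonce[1] = byte(i), byte(i>>8)
		out = aead.Seal(out[:0], nonce, plaintext, nil)
	}
	return float64(size*rounds) / time.Since(start).Seconds(), nil
}

// coreFraction: share of one core spent encrypting a line rate (both in bytes/s);
// the article's "one core in four" corresponds to 0.25.
func coreFraction(perCoreRate, lineRate float64) float64 {
	return lineRate / perCoreRate
}

func main() {
	rate, err := aesGCMThroughput(64*1024, 2000) // constructed sizes: 128 MiB in total
	if err != nil {
		panic(err)
	}
	line := 10e9 / 8 // constructed target: a 10 Gbit/s link
	fmt.Printf("AES-256-GCM %.0f MB/s per core; 10 Gbit/s needs %.2f of a core\n", rate/1e6, coreFraction(rate, line))
}
```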
Except for dedicated communications channels between diligently maintained back-end systems, pervasive encryption is unquestionably worth it. The various flavours of encryption are one part of properly securing our own networks, and ensuring their widespread use boosts the security of our customers' networks as well as our own.
Nobody wants their credit card compromised the next time they go out to buy fish food. Especially if the entire incident could have been avoided by a little bit of encryption at any of several different points along the way. ®