Friday, February 26, 2016

Mobile data security creates big governance challenges


As devices are used for increasingly complex processes, data becomes more vulnerable to loss. To keep pace, IT and security executives are developing comprehensive mobile data security plans and implementing stronger technology solutions.


Fairview Health Services has a pressing need to give its workers access to information wherever they are: If the right data doesn't get to the right person instantaneously, someone could die, said Barry Caplin, vice president and chief information security official for the Minneapolis-based nonprofit healthcare organization.
To ensure that instant access, Fairview has about 3,500 mobile devices deployed through the organization, including both enterprise-issued and employee-owned devices of various brands and operating systems. The number is growing, as more of its 22,000 employees go mobile.
At the same time, Fairview must contend with the significant security concerns imposed not only by its own data privacy standards but by regulatory privacy requirements such as HIPAA. But as the organization's CISO, Caplin knows that 100% security doesn't exist.
"The perfect solution would be not to be mobile. But that's not practical," he said.
Governance challenges are growing as more employers adopt processes that allow mobile devices to perform work tasks. Workers no longer use devices to just check emails and their calendars. As devices are used for increasingly complex processes, data becomes more vulnerable to loss. To keep pace, IT and security executives must develop comprehensive mobile security postures and implement stronger technology solutions to face the new governance challenges.
Unfortunately, that's easier said than done. That's because organizations must develop high-level ideas that focus on people and processes first, Caplin said.
"There is a lot in security that's conceptually simple, but the operational, the boots-on-the-ground stuff is very complex," Caplin said. "We can't just slap on a solution because if it doesn't mesh with how people work day to day, then it's not going to work."



Thursday, February 18, 2016

CEOs: IT security hinders business success

Nearly three quarters of the CEOs surveyed in a study have little time for IT security staff.
The alarming conclusion comes from a survey that Cisco commissioned among 1000 CEOs. 71 percent of them feel that meeting all security requirements puts a brake on their ability to run the business properly. They say they have little time for the cybersecurity people, reports The Register from the Cisco Live conference in Berlin. The full research report follows in March.

Many IT security staff cannot cope with change

Another warning comes from Craig Williams, senior technical leader in Cisco's security division. He says a major shift is going to take place among IT security personnel because of big changes in the work itself. "I think security has less and less to do with configuring firewalls. The focus is shifting toward something more driven by data and analytics. I think many will go along with that change, but a lot will not. If you are not geared toward permanent learning, you are probably in the wrong profession."

We expect too much from security products

Smaller standalone tools are often better than complete suites.

Security is not simple, even though vendors of security products promise that it is. Progress is being made with AI in such software, but at the moment skilled manual work is the best option.



Companies sometimes place too much trust in certain security products while investing too little in others. One category that is routinely overestimated in terms of what it can do for a company is encryption. Implementations of it frequently contain errors, for example the notorious Heartbleed hole in OpenSSL.

Threats go unnoticed

Organisations should look more closely at the vulnerabilities through which attackers actually got in, in their own environment or at others in the sector. Attackers take advantage of companies that lean too heavily on a poorly implemented security suite, and it is often better to look at a good combination of tools.
Some tools are very effective but have limited applicability; don't ignore them. Products that have lots of features but are worse at showing threats are to blame for companies being unable to see certain threats.

Encryption tunnel vision

We often have overly high expectations of products that let us down because of shortcomings or even vulnerabilities in the product itself. Take the vulnerability in OpenSSL, the backdoor in an encryption protocol from the British intelligence service GCHQ, or the BlackBerry encryption that, according to Canadian and Dutch authorities, can be circumvented.
A VPN encrypts the data traffic between laptop and network, but if the laptop is already infected and in the hands of an attacker, that VPN tunnel has now become an attack tool for taking over corporate networks, says Andrew Ginter, board member of a working group designing a new ISA cybersecurity standard.

Important aspects ignored

"People have bought an advanced firewall and then think they are secure," says Walter O'Brien, also known as the hacker Scorpion, security expert and CEO of Scorpion Computer Services (and the person the TV series Scorpion is based on). "Then they discover that application security, database security and source code security have been completely ignored."
It is often not just the kind of tool but the number of tools for monitoring and reporting that leads companies to mentally tick the 'secured' box. "People are under the illusion that they are secured because a tool tests thousands of SQL injections, which makes them feel safe. But these are often variants of tests that have existed for 10 or 20 years," O'Brien explains. Dated tests say nothing about vulnerabilities in new code.

Empower staff

Information security tools must be deployed to protect the most important data: identify the inventory, locations, possible locations (cloud, devices), paths (data, traffic), vulnerabilities and the points where attackers might get in or exfiltrate data.
The best weapon is only as effective as the warrior who wields it. But conversely, the best warrior can do little if the weapon cannot be used effectively. "The person monitoring alerts must also be empowered to respond immediately, lock down a department, revoke people's rights or alert the authorities. If all he can do is raise an alert, it is useless," says O'Brien.

Sunday, February 14, 2016

EU Privacy Shield soon to be finalised



Privacy Shield's long awaited final draft will be done by the end of this month. SC talked to some of those in the industry who will fall under its dominion

Europe soon to get its own 'privacy shield'
The new data law between the EU and the US, known as Privacy Shield, is set to be finalised by the end of month, according to an EU commissioner. 
Věra Jourová, a commissioner for the Justice Directorate General at the European Commission tweeted on 8 February that the final version of Privacy Shield is coming soon.

Safe Harbour was reborn last week as Privacy Shield, a new set of EU-mandated regulations to mediate the transfer of private data between organisations in the United States and in the EU.
The Safe Harbour agreement allowed European organisations to transfer data to organisations in the US, where data protection legislation varies from state to state and is often not compatible with EU law, provided the US organisation pledged to apply EU standards to the handling of data.
The Safe Harbour agreement, which had stood since 2000, began to crumble when Edward Snowden revealed that US intelligence agencies were scanning data on the servers of big social media companies such as Google and Facebook. This prompted Max Schrems, an Austrian law student, to lodge a complaint with the Irish Data Protection Commissioner that his data was being unlawfully processed by Facebook which ultimately led to the Irish courts referring the case to the European Court of Justice.  
Since Safe Harbour was struck down by a European court late last year, there has been no such European law governing the transfer of private data in Europe.
Privacy Shield aims to patch the gap and make sure there are clear guidelines and procedures for how data is transferred and how organisations on one side of the Atlantic handle data of the citizens on the other side.
The law not only refreshes, but builds on the provisions of Safe Harbour, leaving companies in a new situation regarding data handling.
First, though, they have to be told that Privacy Shield exists, according to Teresa Schoch, associate director at the Berkeley Research Group, who told SCMagazineUK.com: “Surveys have shown that half of the companies certified under Safe Harbor were unaware of its invalidation in October of last year. The same companies are likely to be unaware of the Privacy Shield as well.”
If they don't, they'll know soon enough. While Safe Harbour had few teeth regarding compliance, Privacy Shield will not be so gentle to those who break its provisions. Where data is concerned many US companies keep all the data they collect, said Schoch, something which Privacy Shield will not stand for seeing as it puts very fine points on what data companies are allowed to collect and keep as well as how long they keep it.
Schoch said, “Companies that are attempting to be in full compliance once the new EU regulation is in effect to avoid unprecedented fines, are speeding up efforts to meet both the spirit and the letter of EU privacy law. Privacy Shield means that they could be audited and fined as soon as the US is able to put together a framework to target offenders.”
Meanwhile, “Other companies remain oblivious to the impact of this move and will find themselves scrambling to address audits or EU citizen complaints. The industry most concerned is the insurance industry that currently finds it difficult to assess risk and potential liability in this new landscape.”
Without the full paper for Privacy Shield being released, let alone the proposals being passed through European courts, it's hard to predict fully what Privacy Shield might bring, but Brian Chappell, director of technical services EMEAI and APAC at BeyondTrust, has some guesses.
He told SC, “As it stands now, the new privacy pact has yet to withstand the scrutiny of the various privacy groups out there so it's possibly a little early to start preparing for it. That said, the basic premise seems to rely on companies taking appropriate action to protect data (as Safe Harbour did); however they are now subject to review, and failure potentially has greater ramifications.”
Still, these are things that companies should already be doing, said Chappell: “The underlying technical requirements should already be in place, if you've not got your data secured then you need to be following best practice ASAP, regardless of the April deadline for this pact.”
Ian Wood, senior director of global solutions at Veritas, told SC, “Businesses will need to be much more involved with where their information exists and how it is stored. As a result, enterprise businesses will need to welcome a new age of information transparency to protect their customers' and employees' personal information by gaining visibility, taking action and assuming control of their data.”
Jason Andrew, general manager of BMC software, said that BMC has been working towards becoming the first enterprise IT management company to receive approval for Binding Corporate Rules (BCRs) as both a data controller and data processor, meaning the company can transfer personal data outside the EU safely.
Andrew told SC: “BCRs can help to drive up levels of confidence and compliance and can fundamentally help US businesses navigate their way through the 'patchwork' of differing data privacy laws in countries throughout Europe. With BCRs in place, BMC is in a position where our business will not be disrupted because we are striving to set up the highest level of protection across our organisation.”

Monday, February 8, 2016

Security Think Tank: Classification is the first step to personal data security

How should businesses go about setting up and maintaining a comprehensive and accurate inventory of personal data?

To set up a comprehensive and accurate inventory of personal data, the first step a business has to consider is classifying the information it holds.
Data, in all of its various forms, is a valuable and tangible business asset and, as with any other item of property, its value determines the level of protection it should be assigned. The reality is that a single protection standard uniformly across all of an organisation’s assets is neither practical nor desirable. Organisations need to apply differing levels of security in accordance with value.
Organisations should create processes to classify their data and determine the value of the data. This could be based on sensitivity to loss or disclosure or how heavily the company relies on that particular piece of data. They should also factor in any regulatory or legal compliance around particular formats of data, such as payment card information (PCI) or health information databases.
The individuals responsible for housing the data should, ultimately, be responsible for defining the level of sensitivity of the data. This approach enables proper implementation of the security controls according to their classification scheme.
There are several attributes that can be used to classify a piece of data:
  • Value: This is the most commonly used criterion for classifying data in the private sector. If the information is valuable to an organisation or its competitors, it needs to be protected.
  • Age: The importance of a particular piece of information may decrease over time. The Department of Defence, for example, automatically declassifies certain information after a pre-determined time period has passed.
  • Lifecycle: A company’s data can become obsolete for a multitude of reasons. This could include new information or substantial changes in the company. Information that has become outdated can often be declassified.
  • Personal association: If information is personally associated with specific individuals or is addressed by a privacy law, it may need to be classified. For example, investigative information that reveals informant names may need to remain classified.
There are several steps in establishing a classification system. Below are some recommended stages, in order of priority:
  1. Identify the administrator/custodian.
  2. Determine how the information will be classified and labelled.
  3. Classify the data by its owner, who is subject to review by a supervisor.
  4. Specify and document any exceptions against the classification policy.
  5. Specify the controls that will be applied at each classification level.
  6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
  7. Create an enterprise awareness programme about the classification controls.
Once an organisation has classified its data, it can easily keep it up to date. Different businesses, depending on size and market, will need to implement different processes. However, the very first step to keeping a database up to date is to first classify the information it holds.
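As an added example (not code from the column or its author), the four attributes above applied by a small classifier to inventory records, returning a level and the controls mapped to it; the level names, the retention rule and the control sets are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed ordering of levels, lowest to highest.
LEVELS = ("public", "internal", "confidential", "restricted")

# Assumed controls per level (step 5: specify controls at each level).
CONTROLS = {
    "public": {"integrity-check"},
    "internal": {"access-control"},
    "confidential": {"access-control", "encryption-at-rest", "access-logging"},
    "restricted": {"access-control", "encryption-at-rest", "access-logging",
                   "mfa", "dlp"},
}

@dataclass
class Record:
    name: str
    owner: str                          # custodian who sets sensitivity (step 3)
    value: int                          # business value 0..3, assigned by the owner
    created: date
    superseded: bool = False            # lifecycle: replaced by newer information
    personal: bool = False              # personal association / privacy law applies
    regulated: Optional[str] = None     # e.g. "PCI" or "HIPAA"
    declassify_after_days: Optional[int] = None  # age: automatic declassification

def higher(a: str, b: str) -> str:
    """Return whichever of two levels is the more restrictive."""
    return LEVELS[max(LEVELS.index(a), LEVELS.index(b))]

def classify(rec: Record, today: date) -> str:
    """Apply value, personal association and regulation to raise the level,
    then let age or lifecycle lower it, but never below what a privacy law
    or a regulatory regime still requires."""
    level = LEVELS[max(0, min(rec.value, 3))]              # value
    if rec.personal:                                        # personal association
        level = higher(level, "confidential")
    if rec.regulated:                                       # PCI, health data
        level = higher(level, "restricted")
    expired = (rec.declassify_after_days is not None and
               today - rec.created > timedelta(days=rec.declassify_after_days))
    if (expired or rec.superseded) and not (rec.personal or rec.regulated):
        level = "internal"                                  # age / lifecycle
    return level

def inventory(records, today: date) -> dict:
    """Build the inventory: name -> (owner, level, controls to apply)."""
    out = {}
    for rec in records:
        level = classify(rec, today)
        out[rec.name] = (rec.owner, level, sorted(CONTROLS[level]))
    return out

# Constructed sample records.
TODAY = date(2016, 2, 8)
SAMPLE = [
    Record("customer-list", "sales", 1, date(2015, 6, 1), personal=True),
    Record("2013-roadmap", "product", 3, date(2013, 1, 10), declassify_after_days=365),
    Record("card-tokens", "finance", 0, date(2016, 1, 5), regulated="PCI"),
    Record("old-price-book", "sales", 2, date(2015, 3, 1), superseded=True),
]

if __name__ == "__main__":
    for name, row in inventory(SAMPLE, TODAY).items():
        print(name, *row)
```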

Monday, February 1, 2016

DHS $6 Billion Firewall May Not Be Effective In Keeping Hackers Out of Government, Audit Says
A view of the National Cybersecurity and Communications Integration Center in Arlington, Va. // Evan Vucci/AP
By Aliya Sternstein January 28, 2016

A firewall run by the Department of Homeland Security meant to detect and prevent nation-state hacks against the government functions ineffectively, according to a sanitized version of a secret federal audit.
EINSTEIN relies on patterns of attacks, called signatures, to spot suspicious traffic, but it does not scan for 94 percent of commonly known vulnerabilities or check web traffic for malicious content.
Those are two of the many failings uncovered in a damning public version of a "for official use only" Government Accountability Office report. In addition, the prevention feature of the system is only deployed at five of the 23 major nondefense agencies.
Lawmakers in November 2015 suggested the then-confidential audit of EINSTEIN, formally called the National Cybersecurity Protection System, or NCPS, would prove the hacker surveillance system is not governmentwide.
The newly released audit corroborates their views and points out other misaligned objectives and technologies in a $6 billion project DHS cannot say helps combat hackers, according to auditors.
"Until NCPS’ intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," GAO director of information security issues, Gregory C. Wilshusen, and Nabajyoti Barkakati, director of the GAO Center for Technology and Engineering, said in the audit, which was released Thursday.
The auditors focused their study on the departments of Energy and Veterans Affairs, as well as the General Services Administration, the National Science Foundation and the Nuclear Regulatory Commission.
Does Not Cover Nation-State ‘Advanced Persistent Threats’
“The overall intent of the system was to protect against nation-state level threat actors," according to the audit, yet EINSTEIN missed so-called advanced persistent threats.
Such attacks are a common tactic among foreign adversaries, in which a well-resourced group obtains a foothold in part of a target's system and lingers invisibly for months at a time until achieving its mission.
EINSTEIN "did not possess intrusion detection signatures that fully addressed all the advanced persistent threats we reviewed," the authors said.
In response to a draft report, DHS officials said EINSTEIN is only one technology of many that each department uses to protect its sensitive data. It is the job of the individual agency to keep its IT and data safe, while Homeland Security’s role is confined to providing baseline protections and a big-picture perspective of security controls governmentwide, they said.
EINSTEIN works by pushing out signatures of known attack patterns to 228 intrusion-detection sensors placed throughout the dot-gov network. The sensors analyze patterns in agency traffic flows to see if they match any of the signatures.
EINSTEIN Doesn’t Know Common Security Vulnerabilities
But the signatures "do not address threats that exploit many common security vulnerabilities and thus may be less effective," the auditors said.
The quality of EINSTEIN hinges on the quality of its vulnerability signatures.
"However, the signatures supporting NCPS’s intrusion detection capability only identify a portion of vulnerabilities associated with common software applications," the authors reported.
Of five client applications reviewed -- Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office -- the system was able to flag, to some extent, only 6 percent of all the security bugs tested. That's 29 out of 489 vulnerabilities.
One reason for the blind spots, according to the auditors, is that EINSTEIN does not sync with the standard national database of security flaws maintained by the National Institute of Standards and Technology.
Homeland Security officials said they weren’t required to link up the signatures with the vulnerability database when EINSTEIN was first developed. DHS "has acknowledged this deficiency" and plans to address it in the future, according to the audit.
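As an added example (not the audit's or DHS's code), a toy signature-based sensor of the kind the article describes, together with the coverage check the auditors performed: how many of the vulnerabilities in a catalogue does the signature set actually address? The signatures, flow summaries and catalogue are constructed, and the vulnerability ids are placeholders rather than real CVE numbers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str                 # regex applied to a one-line flow summary
    covers: frozenset = field(default_factory=frozenset)  # vulnerability ids addressed

# Constructed signature set with placeholder vulnerability ids.
SIGNATURES = (
    Signature("java-jar-download", r"GET \S+\.jar\b", frozenset({"VULN-0001", "VULN-0002"})),
    Signature("office-macro-doc", r"Content-Type: application/msword", frozenset({"VULN-0007"})),
    Signature("dns-known-bad", r"DNS \S+ -> 203\.0\.113\.", frozenset()),
)

# Constructed catalogue in the style of a national vulnerability database:
# placeholder id -> affected client application.
CATALOGUE = {
    "VULN-0001": "Java", "VULN-0002": "Java", "VULN-0003": "Java",
    "VULN-0004": "Flash", "VULN-0005": "Flash",
    "VULN-0006": "Internet Explorer",
    "VULN-0007": "Microsoft Office", "VULN-0008": "Microsoft Office",
    "VULN-0009": "Adobe Acrobat",
}

def match_flow(summary: str, signatures=SIGNATURES) -> list:
    """Names of the signatures whose pattern matches one flow summary."""
    return [s.name for s in signatures if re.search(s.pattern, summary)]

def scan(flows, signatures=SIGNATURES) -> dict:
    """Map each flow summary to the signatures it hit; clean flows are omitted."""
    hits = {}
    for f in flows:
        names = match_flow(f, signatures)
        if names:
            hits[f] = names
    return hits

def coverage(signatures=SIGNATURES, catalogue=CATALOGUE):
    """Count catalogued vulnerabilities that at least one signature addresses,
    overall and per product. Ids a signature claims but the catalogue lacks
    are not credited, which is the gap the audit found when the signatures
    were not synced with the national database."""
    addressed = set().union(*(s.covers for s in signatures)) & set(catalogue)
    per_product = defaultdict(lambda: [0, 0])      # product -> [covered, total]
    for vid, product in catalogue.items():
        per_product[product][1] += 1
        if vid in addressed:
            per_product[product][0] += 1
    return len(addressed), len(catalogue), dict(per_product)

# Constructed flow summaries as a sensor might log them.
SAMPLE_FLOWS = [
    "10.0.0.5 -> 198.51.100.9 GET /downloads/update.jar HTTP/1.1",
    "10.0.0.7 -> 198.51.100.9 GET /index.html HTTP/1.1",
    "10.0.0.8 DNS payroll.example -> 203.0.113.77",
    "10.0.0.9 -> 198.51.100.12 POST /upload Content-Type: application/msword",
]

if __name__ == "__main__":
    print(scan(SAMPLE_FLOWS))
    covered, total, by_product = coverage()
    print(f"{covered}/{total} catalogued vulnerabilities addressed", by_product)
```

The per-product breakdown is the figure a defender wants before trusting a sensor: a signature feed that looks busy can still leave whole client applications unwatched.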
No Way to Spot Unknown Zero Days until ‘Announced’
The espionage artists behind a background check hack at the Office of Personnel Management busted through EINSTEIN's defenses with malware DHS admits the system cannot handle. The assailants, allegedly backed by China, wielded "zero day" exploits that are not publicly known and certainly not published as signatures.
"Regarding zero day exploits," Homeland Security officials stated "there is no way to identify them until they are announced," the report states. Once they are disclosed, DHS can mold a signature to the attack pattern and feed it into EINSTEIN.
Sometimes, intelligence community partners will notify DHS about zero day exploits before they are publicly revealed, and those exploits are usually malware, according to the audit. DHS officials told the auditors that Homeland Security does not pay for zero days.
EINSTEIN can prevent intrusions in almost-real time within certain data flows. Still, there are key network flows the system can't see. For example, the system can block malicious "domain name system" servers and filter emails, but “there are other types of network traffic (e.g., web content), which are common vectors of attack not currently being analyzed for potentially malicious content," the authors said.
Information Sharing Is Often A Waste
DHS is working to overcome technological and policy issues that have stymied activation of intrusion-prevention features at 5 of the 23 agencies, GAO officials said. The IT infrastructures at each agency differ and EINSTEIN must be tailored to each setup. In addition, not all agencies meet the security specifications for EINSTEIN to perform properly. In general, agencies are concerned about the system disrupting mission-critical applications, like email.
Information sharing is another goal of EINSTEIN in need of attention, according to the review.
"DHS’s sharing of information with agencies has not always been effective, with disagreement among agencies about the number of notifications sent and received and their usefulness," the GAO auditors said.
The agencies reviewed did not receive 24 percent of the notifications Homeland Security said it had sent in fiscal 2014. The ones that did reach IT personnel often served no purpose, according to the audit. Of the 56 alerts communicated successfully, 31 were timely and useful, while the rest were too slow, useless, false alarms or unrelated to intrusion detection.
Meanwhile, DHS has created a variety of metrics related to EINSTEIN. “None provide insight into the value derived from the functions of the system," the auditors said.

http://www.nextgov.com/cybersecurity/2016/01/dhs-6-billion-firewall-may-not-be-effective-keeping-hackers-out-government-audit-says/125525/