
8 Tips for Penetration Testing

Posted by Ashley Sims - Marketing Manager on Tue, May 24, 2016

You think that you're safe, that your network is secure, that your firewalls are protecting you - but how will you know if you don't test it? 

A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. You may also have heard the term "Red Hat" or "White Hat" when it comes to testing because, while they are trying to hack into your system, these "attackers" are doing so in an ethical effort to find the vulnerable parts of your network in order to patch them.

There are many options for penetration testing. Whether manual or automated, a pen test systematically compromises servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other points of exposure.

With so many things to test and so many options for testing, how do you know if you're getting the most out of your test? 

Download 8 tips to help you get the most out of your penetration test. 


Tags: vulnerability management, vulnerability, pen-testing, penetration testing

Core Impact 2016 R1 Now Available

Posted by Ashley Sims - Marketing Manager on Tue, May 17, 2016

We are thrilled to announce the official release of Core Impact 2016 R1. With this release, Core Security continues to provide the most comprehensive software solution for proactively assessing an organization's security posture.

The new capabilities released in Core Impact Pro 2016 R1 include:

  • Interactive Support for Web Application Record Login
  • Flexible and customizable reporting
  • Network vector enhancements

Interactive support for Web Application Record Login

In addition to the Web Application Record Login introduced in the last release, we have added support for those scenarios where the engine needs help from the user during the authentication process due to a challenge response test. One example of such functionality is CAPTCHA.

With the Core Impact Pro 2016 R1 Record Login Assistant, you can now mark some authentication steps as interactive. When these steps are played back during the WebApps Information Gathering phase, the user is prompted for input on those marked as interactive, and the remaining operations resume once that input is completed.

Flexible and Customizable Reporting

The introduction of Flexible and Customizable Reporting in the last release was one of the biggest requests from customers over the years and has had a lot of success.

With this release, we have re-engineered the structure and contents of our existing network reports (including Wi-Fi, Mobile, and MiTM), creating a set of new reports which provide more comprehensive information about the networks being tested. All these reports allow users to export to Microsoft Excel and customize many things, including vulnerability tables, graphics, and company logos, according to their needs. Users are able to save changes as a new template to be used as the base for future report generation.

Network vector enhancements

We have added many new features based on extensive customer feedback, including:

  • Kerberos support for network SQL Agent
  • Agent Persistency using WMI enhancements
  • Improved OS X El Capitan Agent support
  • Domain replication functionality
  • SWF Evasion and polymorphic code
  • Python VM upgrade

For more information on the newest release, download our datasheet or request a demo of Core Impact 2016 R1.

Tags: core security, core impact, pen-testing, penetration testing

Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016

A few months ago our very own Chris "Sully" Sullivan, GM, Analytics/Intelligence, delivered a speech to the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession - I love hearing Sully speak. I always learn something and I love seeing the crowd as they learn these things along with me. However, at this event I was actually more surprised than usual at the response that he got when he asked the simple question "how many people here delete security groups?"

You might as well have asked them if they would be willing to donate a kidney to a stranger or had forgotten their cell phone at home that morning. Needless to say, most everyone sort of looked at Sully like he was crazy, which was exactly what he was going for.


The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.

Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network, because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is that they simply don't understand the complexity of access: how access is granted, nested entitlements, and direct versus indirect assignment of access.
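To make the direct-versus-indirect point concrete, here is an added example (not Core Security or Access Insight code) that resolves nested group membership over a constructed directory and reports which accounts would lose which resources if a given group were deleted. All group, user and resource names are assumptions.

```python
"""Effective membership and deletion impact for nested security groups.

Added example, not Core Security or Access Insight code. It models the
question from the post: before deleting an Active Directory group, which
accounts would actually lose access, and to what? Group, user and
resource names below are constructed."""
from collections import deque

# Constructed directory: group -> direct members (user accounts or groups).
GROUP_MEMBERS = {
    "Finance-Apps": ["Finance-Managers", "jsmith"],
    "Finance-Managers": ["Exec-Staff"],
    "Exec-Staff": ["ceo", "cfo"],
    "Legacy-Reporting": ["Finance-Apps"],  # no direct users: looks safe to delete
    "HVAC-Vendors": ["vendor_bob"],
}
# Constructed resource ACLs: resource -> groups granted access to it.
RESOURCE_ACLS = {
    "ERP-Portal": ["Finance-Apps"],
    "Board-Reports": ["Legacy-Reporting"],
    "Building-Controls": ["HVAC-Vendors"],
}


def is_group(name, groups):
    return name in groups


def effective_members(group, groups=GROUP_MEMBERS):
    """Return {user: chain} for every user who is a member of `group`,
    directly or through nesting. `chain` is the list of groups walked to
    reach the user, so [group] means direct assignment and anything longer
    is indirect. Visited groups are tracked so nested cycles terminate."""
    result, seen = {}, set()
    queue = deque([(group, [group])])
    while queue:
        g, chain = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if is_group(member, groups):
                queue.append((member, chain + [member]))
            elif member not in result:  # BFS: the first chain found is shortest
                result[member] = chain
    return result


def effective_access(user, groups=GROUP_MEMBERS, acls=RESOURCE_ACLS):
    """Resources `user` can reach through any direct or nested group grant."""
    return {res for res, granted in acls.items()
            if any(user in effective_members(g, groups) for g in granted)}


def deletion_impact(group, groups=GROUP_MEMBERS, acls=RESOURCE_ACLS):
    """Simulate deleting `group` (as a group and as a member of other groups)
    and report {user: set of resources that user would lose}."""
    pruned = {g: [m for m in members if m != group]
              for g, members in groups.items() if g != group}
    pruned_acls = {res: [g for g in gs if g != group] for res, gs in acls.items()}
    users = {m for members in groups.values() for m in members
             if not is_group(m, groups)}
    impact = {}
    for user in sorted(users):
        lost = (effective_access(user, groups, acls)
                - effective_access(user, pruned, pruned_acls))
        if lost:
            impact[user] = lost
    return impact


if __name__ == "__main__":
    for grp in GROUP_MEMBERS:
        print(f"{grp}: effective members {effective_members(grp)}")
        print(f"  deleting it would affect: {deletion_impact(grp) or 'nobody'}")
```

Note that "Legacy-Reporting" has no direct user members, yet deleting it cuts the CEO and CFO off from Board-Reports through three levels of nesting.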

All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their job. The expanded use of mobile and cloud devices, along with non-employee and transitional employee access, means that risk management and compliance are extending far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?

With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. Our analytics engine pulls in these large amounts of identity and access data and stores them in its proprietary in-memory access analytics engine. The "engine" correlates the relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk from both a current and a historical perspective across lines of business, governance, operations and applications.

For example, our Access Explorer lays out every Active Directory group in a spider diagram so that you can see whose access is connected and what your privileged accounts are linked to.

Not only can you drill down into these details, but our analytics provide the ability to analyze large amounts of identity and access data against policy and company-defined models of activity patterns. This gives you the ability to personalize policies for your organization, and with any change in these policies you can be immediately notified at any sign of dishonest or malicious behavior. Imagine having a solution that would automatically alert you and require a micro-certification when an account had access to do more than you believe it should.

It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Whether you have an Identity and Access Management solution or are working within your Active Directory, Access Insight can put your data to work for you.

Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.

Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

Guest Post: Alex Naveira, Director, ITGA & CISO on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him and he had a list of different kinds of compliance and said "which one?" Needless to say, a CISO's job is quite complex when it comes to compliance and we are thrilled to have Alex join us to explain what he sees in his day to day life. 

An elderly man falls off of a subway platform and onto the train tracks. A stranger pulls the man to safety while the train screeches to a stop. Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.” Now, what does this story have to do with compliance? What is compliance?

According to the Oxford English Dictionary, compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations”, but with Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within.

The first thing we need to understand before having a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities).  Subsequently, we need to act on the processes and tools required to protect the information and technical resources within the environment.  Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access threats, prioritization, and remediation of these threats.  Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems.  Before regulations required it, we were already implementing passwords, role-based security, putting up firewalls, IPSs, and Identity and Access Management systems.  Why?  Because experience and intuition told us that it was the right thing to do.

Today, we leverage these processes and tools to provide us with a more intelligent path to management and control over our networked devices and, most importantly, our identities. In consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right. In less proactive organizations, compliance can certainly be used as a catalyst in approving the necessary funds to optimize security and operations, but it should never be used as the sole factor for doing what is right.


When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him “the law” of correctness before acting?  Of course not!  He just does what is right, even if difficult or expensive.  In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition has assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's Hospital

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet, and you can even request a demo to see the solution at work.

Tags: continuous compliance, hipaa compliance, compliance

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests.  As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc). Interesting to note that organizations continue to equate compliance with security with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at info@courion.com

Tags: access compliance, hipaa compliance, access risk, compliance

Preventing Cyber Attacks: A Step by Step Guide

Posted by Ashley Sims - Marketing Manager on Thu, Mar 24, 2016

Tags: cyber attack, Cyberattack, cyber threat

How to Think Like an Attacker - Part 2

Posted by Ashley Sims - Marketing Manager on Tue, Mar 01, 2016

Today we are live from the RSA showroom as our Director of Product Management, Ray Suarez, gets ready to present "A Vulnerability Maturity Model That Thinks Like an Attacker". We brought you the first part of this series last week, and if you haven't read it yet, I would urge you to go back and read How to Think Like an Attacker - Part 1.

For those of you not lucky enough to hear Ray's presentation in person, we have convinced him to share his actual presentation with all of you. Keep reading for the conclusion of "How to Think Like an Attacker." 

We started last week with a funny look at cyber security with a top 5 "you're in trouble when" list, but let's be honest, there is nothing funny about the risks in your organization. Let's imagine that you are the new CISO of an organization, and you walk in on your first day and sit down with your security team. Your first question is: "how many vulnerabilities are there in our system?" What would be an acceptable number to you? 100? 100K? What if you had 700K+ and needed to know which ones are most important? How many are high risk? How many are relatively low? Where do you even start?

That number changes every day. With the number of servers in your environment growing at 15% per quarter - along with your business units and IT staff - you need to know what your biggest risks are so that you can target them immediately. 

Let's do some math. Out of your 700K vulnerabilities, let's just look at the "high" threats. If there are:

  • 93K High Threat Vulnerabilities 
  • 250 Working days in a year 
  • You can fix 372 vulnerabilities per day or 1,860 per week 

The problem here? We are overwhelmed by data. Even if we spent every minute of every day fixing just the high risk, high severity problems, would we really solve almost 2,000 every week? Oh, and that is assuming that no new vulnerabilities pop up. The attackers are taking advantage of that limitation and are using it against you. You need a vulnerability management system that thinks like an attacker.
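Carrying the arithmetic above through, as an added example that is not part of Ray's presentation: it reproduces the 372-per-day figure, models what happens to the backlog when new findings keep arriving, and ranks a constructed inventory the way an attacker would rather than by scanner severity. The scoring weights and the inventory are assumptions for illustration.

```python
"""Remediation capacity vs. backlog, and attacker-focused triage.

Added example, not from the presentation. It reuses the post's figures
(93K high findings, 250 working days, 372 fixes/day) and adds a
constructed finding inventory; the scoring weights are an assumption
chosen to illustrate the point, not a published model."""
from dataclasses import dataclass

HIGH_FINDINGS = 93_000
WORKING_DAYS = 250
WORK_DAYS_PER_WEEK = 5


def required_daily_fix_rate(total=HIGH_FINDINGS, days=WORKING_DAYS):
    """Fixes per day needed to clear `total` findings in one working year."""
    return total // days  # post: 372/day, i.e. 1,860/week


def backlog_after(days, start=HIGH_FINDINGS, fixes_per_day=372, new_per_day=0):
    """Backlog left after `days` working days. The post's 372/day clears
    93K in exactly 250 days only while new_per_day is 0; any steady
    inflow leaves a residue the team never catches up with."""
    backlog = start
    for _ in range(days):
        backlog = max(0, backlog + new_per_day - fixes_per_day)
    return backlog


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float            # severity as the scanner reports it
    exploit_public: bool   # a working exploit is publicly available
    internet_facing: bool  # reachable from outside without credentials
    critical_asset: bool   # host holds or fronts crown-jewel data
    on_attack_path: bool   # host is a hop toward a critical asset


def attacker_score(f: Finding) -> float:
    """Assumed weighting: CVSS is the starting point, but reachability,
    exploitability and where the host leads dominate, which is how an
    attacker chooses targets rather than how a scanner sorts output."""
    score = f.cvss
    score += 3.0 if f.exploit_public else 0.0
    score += 2.0 if f.internet_facing else 0.0
    score += 3.0 if f.critical_asset else 0.0
    score += 2.0 if f.on_attack_path else 0.0
    return score


def triage(findings, capacity):
    """Rank findings attacker-first and split them into this cycle's work
    and the remaining backlog given `capacity` fixes."""
    ranked = sorted(findings, key=attacker_score, reverse=True)
    return ranked[:capacity], ranked[capacity:]


# Constructed inventory: everything here is a "high" on the scanner's list.
INVENTORY = [
    Finding("V-1", 9.8, False, False, False, False),  # top CVSS, isolated host
    Finding("V-2", 7.5, True, True, False, True),     # DMZ web app on path to POS
    Finding("V-3", 8.1, True, False, True, False),    # POS server, exploit public
    Finding("V-4", 7.2, False, False, False, False),
    Finding("V-5", 9.1, False, True, False, False),
]


def this_cycle_ids(findings=INVENTORY, capacity=3):
    """IDs chosen for a cycle with `capacity` fixes (3 here rather than
    1,860, so the example stays readable)."""
    chosen, _ = triage(findings, capacity)
    return [f.vuln_id for f in chosen]


if __name__ == "__main__":
    print("fixes/day needed:", required_daily_fix_rate())
    print("backlog after a year, 100 new highs/day:", backlog_after(250, new_per_day=100))
    print("fix first:", this_cycle_ids())
```

The CVSS 9.8 finding on an isolated host drops to fourth place once reachability and attack-path context are weighed in.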

Peak data overload is the most common issue for most IT security teams. Take a look at this model:

[Figure: vulnerability management maturity model (VM_Model.png)]

In the first two levels, you are in the wonderful stage we call "blissful ignorance" where your threats are nonexistent, and you just start the scanning process. Then you get the results of your scan which is where you first encounter the magnitude of your issues. We will start here, with your scanner, and give you the five steps to building a vulnerability management model that thinks like an attacker. 

1. Scanning - Get the basics in order 

The first step in setting up your solution is to incorporate your business goals into your vulnerability management program. By aligning your business and IT security goals, you will establish a unified team. You need to adopt or acquire a vulnerability scanning capability that will regularly scan and help you find vulnerabilities.

2. Assessment and Compliance - Begin actually managing vulnerabilities 

Just like with any other business system, you will need to establish a repeatable process to create metrics that you can measure. Adopting a compliance framework (PCI, FISMA, HIPAA, etc.) is the basis for vulnerability scanning and patching and helps you to implement a basic prioritization framework to deal with data overload.

3. Analysis and Prioritization - Formalized Process 

A vulnerability management program that deals with vulnerabilities, prioritization, and patching is part of a complete ecosystem. In this stage, security and/or IT operations adopt tools that add value to the data, enable prioritization, and deal with the problem of too much data. Vulnerabilities are prioritized to make the best use of limited resources and bandwidth, and metrics begin to focus on improving security rather than on being busy.

4. Attack Management - Attacker Focused

In this stage, processes and metrics are coupled together to understand security posture trends and to improve process and execution. Security and IT departments build continuous processes that manage the lifecycle of a vulnerability, and analytics and risk management processes and tools are used to measure risk to critical assets. The focus of the vulnerability management program has shifted from the need to patch and comply to being attacker and threat focused. Penetration testing is conducted by internal red teams and, likely, validated by external professional service teams.

5. Business-Risk Management - Business-risk and vulnerability context 

A vulnerability management program incorporates business goals and critical assets as it looks at risk as a business-wide issue. Business leaders become engaged at the program level and routinely make decisions about where to apply limited security resources. All potential threat vectors (mobile, web, network, social, identity, wireless) have been integrated into the vulnerability management program, and the tools and processes that measure risk and provide prioritization are fully integrated with security, IT, operational and enterprise risk management functions.

Is your vulnerability management system prepared to think like an attacker? 

For more information on how to prioritize vulnerabilities and secure your business assets, download Ray's presentation here.


Ready to see what this can look like in your organization? Request a demo of Core Insight, our market-leading vulnerability management solution. 


Tags: vulnerability management, vulnerability risk management, vulnerability, Ray suarez, Vulnerability and access risk management, rsa

How to Think Like an Attacker - Part 1

Posted by Ashley Sims - Marketing Manager on Thu, Feb 25, 2016

Confession - I loved David Letterman and I couldn't get enough of his Top 10 lists. So in that theme, I give you the

Top 5: You Know You're in Trouble When...

5. You’re asked to move the Active Directory server to an open part of the network to ensure users can easily LOGIN
4. When your boss, who is responsible for security, asks you, “What type of security software do we use?”
3. You remind him, “the freeware version of Malwarebytes Anti-Malware”
2. A press release states, “our IT system and security measures are in full compliance with industry practices.”
1. The second press release states, “we were the victim of a sophisticated cyber attack operation.”

A Top 5 list is sort of a funny way to look at it, but if there is one thing that everyone in the security industry can agree on, it is that the hackers are getting smarter.

A firewall isn't enough to keep your network safe. You can have the strongest password in the world and still have it taken from you in a phishing scam. Healthcare and financial services records are the most valuable in the world, their security systems are top notch, and yet still the hackers are getting in. So the question becomes: how do you think like an attacker?

First you have to understand the anatomy of a cyber-attack. Let's use the Target hack as our example for this. Target was breached the same way that many other organizations are - through stolen credentials. One of Target's partners, an HVAC company, had access to its network as a non-employee and fell victim to a phishing campaign. Once the hacker had the contractor's information, he was able to use a web application to get into Target's network. From there, the hacker was able to take any one of many lateral paths to information. 

Once the network was accessed, it was easy for the hackers to make their way to the POS system and start to exfiltrate data from it. The attack path here seems simple; he was in and out in only six steps. The issue is, how would you have stopped him?

The firewall held, there was no vulnerability exploited (the hacker had valid credentials), and there were no alarms raised when the network was accessed. However, there were also no alarms raised when a contractor working on their HVAC system started working his way into the POS system. That is the problem. The hacker knew that there were no obstacles in place to alert anyone to his activity, so he was free to roam around the network finding the information he wanted and exfiltrating it straight to the black market.

Would you have caught the hacker when he entered the system? Would you have noticed when he accessed applications that should have been out of his reach? Would you even have caught on when massive amounts of data started disappearing from your network?
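The three questions above can be turned into detection logic. This is an added example, not from the post, run over a constructed access log; the log format, zone names, the `hvac_vendor` account, its permitted zones and the volume threshold are all assumptions.

```python
"""Detecting out-of-scope third-party access and bulk outbound transfer.

Added example, not from the post. The log format, zone names, account
names, dates and thresholds are all constructed. The two rules encode the
post's questions: would you notice a contractor account reaching systems
outside its remit, and would you notice large volumes of data leaving?"""
import re
from collections import defaultdict

# Constructed policy: the only network zones each third-party account may touch.
VENDOR_SCOPE = {
    "hvac_vendor": {"VENDOR-PORTAL", "HVAC"},
}
# Constructed threshold: alert once an account sends more than this in a day.
BULK_OUTBOUND_BYTES = 500 * 1024 * 1024

# Constructed access log (timestamp followed by key=value fields).
SAMPLE_LOG = """\
2016-03-01T08:02:11Z user=hvac_vendor src=203.0.113.7 dst=vendor-portal zone=VENDOR-PORTAL action=login bytes_out=0
2016-03-01T08:05:40Z user=hvac_vendor src=203.0.113.7 dst=hvac-ctl-01 zone=HVAC action=connect bytes_out=12000
2016-03-01T23:41:03Z user=hvac_vendor src=10.40.1.5 dst=pos-srv-07 zone=POS action=login bytes_out=0
2016-03-02T01:12:55Z user=hvac_vendor src=10.40.1.5 dst=pos-srv-07 zone=POS action=connect bytes_out=320000000
2016-03-02T01:58:20Z user=hvac_vendor src=10.40.1.5 dst=pos-srv-09 zone=POS action=connect bytes_out=410000000
2016-03-02T09:00:00Z user=jdoe src=10.10.2.2 dst=pos-srv-07 zone=POS action=login bytes_out=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("kv").split():
        key, _, value = field.partition("=")
        rec[key] = value
    rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    rec["day"] = rec["ts"][:10]
    return rec


def detect(log_text, scope=VENDOR_SCOPE, bulk_threshold=BULK_OUTBOUND_BYTES):
    """Run both rules over the log and return alert tuples in log order."""
    alerts = []
    outbound_per_day = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        # Rule 1: a third-party account touching a zone outside its contract scope.
        if user in scope and rec.get("zone") not in scope[user]:
            alerts.append(("OUT_OF_SCOPE", user, rec["ts"], rec["dst"]))
        # Rule 2: cumulative outbound bytes per account per day crossing the
        # threshold; raised once at the crossing so a long transfer does not
        # re-alert on every subsequent line.
        key = (user, rec["day"])
        before = outbound_per_day[key]
        outbound_per_day[key] += rec["bytes_out"]
        if before < bulk_threshold <= outbound_per_day[key]:
            alerts.append(("BULK_OUTBOUND", user, rec["day"], outbound_per_day[key]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first POS login by the vendor account already fires rule 1, well before the volume rule trips on the second night's transfers.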

It's time to stop playing defense and start thinking like an attacker.

Are you ready? Join us next Tuesday for a special #TechTuesday blog where Ray Suarez will be at the RSA Security Conference presenting "Grow up: It's time for a vulnerability model that thinks like an attacker".

Don't want to wait? Find out what it means to "think like an attacker" with a demo of Core Insight and see how attack path modeling can help you visualize what an attacker sees. Or download a copy of Intelligent IAM for Dummies and see what you should be looking for in an intelligent IAM system.

Tags: Courion, cyber attack, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Multi-Factor Authentication for US Financial Services

Posted by Ashley Sims - Marketing Manager on Thu, Feb 18, 2016

This month we have been focusing on multi-factor authentication and its benefits for your organization. Today we go a little deeper into how MFA is affecting US financial services institutions. We’ve brought back Andy to give us a little more insight into this category. While attending the 2015 Opus Research Voice Biometrics Conference in New York City, Andy got a glimpse of how mobile MFA is changing the industry. Here is a sample of what Andy saw:

USAA

USAA is a Texas-based Fortune 500 diversified financial services group of companies that serve the needs of current US military service members, veterans and their families. Throughout its 92-year history, USAA has distinguished itself by using the latest technologies to provide best in class customer experiences.

Beginning in 2013, USAA embarked upon its own MFA development path by integrating voice and facial recognition biometrics into its mobile application authentication. The objectives to be pursued in this move to personalized security were as follows:

  • Balance security and convenience
  • Know the member 
  • Provide choices for authentication, and
  • Provide multifactor authentication

With the May 2015 release, the USAA mobile application was available for iOS and Android devices and supported fingerprint, voice biometrics, facial recognition and knowledge authentication methods. It’s notable that when surveyed, four out of five USAA members were interested in using biometrics instead of PINs. Rolled out to the entire US member population, the adoption has been tremendously successful with initial enrollment surpassing 185,000 members.

Looking for more information on how mobile multi-factor authentication can impact your organization? Read more on financial services or download our on-demand webinar for more information. 

Mobile Multi-Factor Authentication for Financial Services

SecureReset Demo: How Multi-Factor Authentication can help keep your organization safe

Tags: mobile payment security, mobile security, mobile password reset, Multifactor authentication, mobile multifactor authentication

Interview with an Expert: Andy Osburn on Multi-Factor Authentication

Posted by Ashley Sims - Marketing Manager on Thu, Feb 11, 2016

Earlier this week we shared with you all of the reasons that you needed multi-factor authentication for your organization. However, we didn’t realize the number of questions that were still out there about this new technology and were thrilled to have so many comments and conversations around this topic. In an effort to share these conversations with the rest of the world, we have invited our multi-factor authentication expert, Mr. Andy Osburn, to sit down with us and answer some of these burning questions.

Courion Corporation: Multi-factor authentication is a mouthful. What does this really mean and why is it so important?

Andy Osburn: Multi-factor authentication is really about moving beyond the simple standard of authentication that is in place today in the form of Passwords and PINS. Each of us in our everyday lives would be familiar with the many resources we access by claiming our identity through a user name and then authenticating by Password or PIN. This basic method of identity claim and authentication has provided the foundation for providing access control over the years, however, our environments have changed, become more complex and risk-critical as a result. The threats and consequences of resource compromise are now much higher and more significant. Hence, the requirement for, and movement towards, stronger and more convenient methods of authentication beyond passwords and PINS.

CC: How is this more secure than a pin number?

AO: A PIN is a single factor of authentication and, when used alone, is also a single point of failure and compromise. By lengthening a PIN from 4 digits to 6 digits, conceivably they are more difficult to compromise through brute force attacks. However, when someone writes their PIN on a sticky note, or responds to a phishing email, or through some other method unwittingly gives up their PIN, then it doesn’t matter how long the PIN is because the probability of compromise is now 100%.

Through the addition of a second or third factor of authentication (one-time use PIN, biometric, etc.) the authentication process is no longer a single point of failure, and the hill that the identity thief now has to climb is significantly steeper. Now not only is a PIN or password compromise required, but a biometric sample or out-of-band authentication path needs to be broken and compromised as well. The path to attacking and compromising a knowledge-based credential is now extended across multiple channels and multiple components and is therefore fundamentally much stronger and more difficult to compromise.

CC: What do you need to set up a multi-factor authentication solution in your business?

AO: A multi-factor solution conversation always begins with questions around what the organization is doing today to authenticate users across a number of different channels and where the opportunities lie in identifying additional appropriate authentication factors. The good news is that there are many options available today in terms of adding multi-factor authentication to both existing and new authentication methods. So the step-by-step process is to review what’s being done today, identify the points of greatest risk and remediation, consider the options for additional authentication factors and then develop the solution that matches the security and user convenience needs of the organization. Typically what we will see and do is augment an existing knowledge based authentication process with an additional factor of authentication so that the user experience is not radically changed but rather enhanced.

CC: Are there industries that would benefit more than others from this technology?

AO: I would suggest that there is no single industry vertical that should not be looking at multi-factor authentication. The access control risks span all industries and the consequences of compromise are equally broad. Having said that, due to regulatory, audit and control requirements, I would suggest that Financial Services and Health Care are those most acutely impacted by the need to have strong multi-factor authentication available to their end users.

CC: I can now sign into my iPhone with my thumbprint, are biometrics the new wave and how do they fit into multi-factor authentication?

AO: Biometrics are definitely on a roll within the industry due in large part to the ubiquity of the new generation of smart phone devices. The ease of use and accessibility of the fingerprint scanners on these devices has paved the way for overwhelming adoption and usage of these methods. As a result, biometrics, that have been in the industry for decades but seen relatively modest adoption, are now poised to benefit from a significant uptick in usage and applicability. That is very good news for organizations like Courion that are using these authentication methods as an integrated part of a mobile authentication strategy.

A big thank you to Andy for taking the time to meet with us today. Do you want to see mobile password authentication in action? Check out our demo here. Want to know how Courion's solutions work to deter risks and manage down the threat surface in your organization? Contact us or download our on-demand demo for more information.

Tags: password management, mobile password reset, Multifactor authentication, mobile multifactor authentication