In this week's #TechTuesday roundup: UConn's website was hacked and used to spread malware, AVG's Chrome extension had a security flaw that left millions at risk, Hyatt Hotels Corporation discovered malware on its payment processors, major companies including Microsoft, Apple and Adobe are featured on the Top Vulnerabilities List of 2015, and BBC websites were hit with a possible DDoS attack.
It's the most wonderful time of the year! No, not Christmas, not even Halloween, it's National Cyber Security Awareness Month! Here at Courion, we take this month very seriously and will be serving you content all month long to help strengthen your organization's security.
The theme for this week's #CyberAware month is "Creating a Culture of Cybersecurity at Work", and we believe that is the first step to building a truly secure organization. To help your employees become more security-minded, we put together an eBook with a few tips on "Building a Culture of Security".
Our book starts with a very simple truth: You are the target. Hackers aren't knocking down actual doors and walls to get into your system. Instead, they are sneaking in through user credentials and open portals. To build a culture of security in your organization, your employees need to know how hackers are targeting them and what they can do to keep themselves and the organization safe.
"How to Build a Culture of Security" contains information on:
- Avoiding Phishing
- Social Engineering
- BYOD Policies
- Working Remotely
- Data Retention Policies
- And more!
Make your organization safer; download our eBook and start building your culture of security today.
ISACA recently conducted a survey of over 900 security experts around the globe to get their opinions on the risks of mobile payment systems. While most of the data won’t surprise you, the number of security experts using mobile payments, even though they are aware of the risks, might. Is the level of convenience enough to overlook the security risk? Read on and decide for yourself.
This week we are proud to present a spotlight blog from one of our trusted partners, Mr. Andy Osburn at SecureReset. With over 15 years of experience in network password reset, Andy and his team are an integral part of what makes Courion great. Take it away Andy!
Andy Osburn, Secure Reset
You can’t throw a digital rock in the IT security blogspace without hitting an article concerning the risks and consequences related to password compromise. This attention is well-placed given the numerous high profile cases of data theft and reputational losses that can be traced back to either weak or stolen passwords.
The recognition of the inherent risk in any single-factor authentication method is not new. In 2001, the US Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication in the electronic banking environment, identified the risks and controls, and concluded that, “single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions.” This reality has generated a wider call to move beyond security’s reliance on passwords and their ever-increasing complexity and rotation. When employed as a single factor to verify identity and grant access to critical enterprise resources, the overwhelming conclusion is that the password is simply not good enough.
The FFIEC went further to advocate the use of multi-factor authentication (MFA) where two or more of the three basic factors are used in combination.
- Something the user knows (e.g., password, PIN)
- Something the user possesses (e.g., ATM card, smart card)
- Something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern).
So it begs the question: if the risks, consequences, and potential solutions have been known for 15+ years, why has there not been wider adoption and usage of MFA?
Well, the answer lies in the fact that the implementation of additional authentication control methods in the IT security environment must take into account many considerations, not the least of which are user experience, cost, and convenience.
Early MFA solutions that incorporated smart cards, biometric scanners, and hardware tokens, in addition to knowledge authentication, made significant strides in elevating the security of user authentication. However, the relative complexity and inconvenience of these MFA solutions hampered widespread adoption in the enterprise marketplace. This experience, together with the relatively high lifecycle management costs of the solutions, limited the scope of usage to environments requiring higher-end authentication security.
So what has changed in this intervening period through to today’s reality of enterprise environments and authentication challenges? Two things: the first of which is the acceptance of the high risk inherent in single-factor authentication and the corresponding potential for significant data and reputational losses. The second is the ubiquity of the mobile smart device.
Each of us now carries a mobile device that has tremendous capability to behave as a security token. Not only is there exceptional computing capacity, but perhaps even more importantly, we as users are now completely comfortable with employing these devices for a myriad of daily common routines. It is only natural that we now look to use these devices as part of an enterprise MFA strategy.
This new mobile MFA capability is being reflected in the products available to enterprise customers from Courion partners such as QuickFactor and Ping Identity. Both companies are members of the FIDO ("Fast Identity Online") Alliance which is an industry organization created to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
These advances in mobile products and standards mean that the new reality of enterprise user authentication strikes a better balance between security and convenience. End users have more flexible authentication choices, and the enterprise can now leverage the significant capabilities of mobile authentication with three true factors.
Coming full circle then, it is unlikely that the password will completely go away. However, it is equally unlikely that it will continue to exist in the familiar form as we know it today. What we can expect to see is that the password will play a role as a one-time-use or rotating knowledge-based authentication component of the mobile MFA model. When employed wisely in an MFA structure, the password can still prove to be a valuable authentication factor.
For more information on how Courion works with SecureReset to create the most innovative and industry leading technology, read more on our datasheet or click here for information on SecureReset and our other partners.
Four online casinos were asked to pay bitcoin ransoms to avoid cyber attacks
In a move that would make Danny Ocean proud, a new crop of casino robbers has left the Vegas strip and found new success online. According to the article "four New Jersey-based casinos were asked to pay a bitcoin ransom after being hit with distributed denial-of-service attacks." While it lacks the finesse of Ocean's 11, it does sound a lot easier than breaking into the Bellagio. Stan Higgens, Coindesk, Businessinsider.com
Email worries: providers name their top health data security risks
A few weeks ago, we brought you a blog on Healthcare's Unique Security Challenges, and it looks like we aren't the only ones diving into ways to increase security. The Advisory Board Company named email worries, compromised applications, and hackers as three of the top health data security risks. Read more to see if you agree. Advisory.com
It's time we stopped calling Millennials "dumb" about data privacy
Full disclosure: I am a Millennial so it's no surprise that I agree with this article. However – putting my bias aside – I think this is a great look into why security teams shouldn't confuse this generation's sense of self with its sense of security. John Zorabedian, nakedsecurity.com
Hacking Team 0-Day Shows Widespread Dangers of All Offense, No Defense
You've heard the old saying "the best offense is a good defense" and this article agrees. With last week's Hacking Team breach, we saw how the issue of strong password practices once again can help keep you safe. Read more on passwords and how to #DefendfromWithin. Sara Peters, Darkreading.com
The insane ways your phone and computer can be hacked, even if they're not connected to the internet
Do you know what's inside your smartphone? Learn about how these tiny machines can give away even more of your information than you thought possible as well as seven other ways your phone and computer can be hacked. Cale Gutherie Weissman, Businessinsider.com
This week the popular blog "Global Accountant" posted an article titled "The Cyber Threat Within- A Third of British Accountants Breach IT Policies". One third? Sad, but true. The article goes on to state that one of the biggest threats for cyber-attacks comes from inside their network due to employees ignoring their IT policy. Would you believe that over 40% of these accountants knew their IT policy but chose to ignore it?
What are they thinking? Don't they know better? Lifeline IT co-founder and Director, Daniel Mitchell, is quoted saying, "It’s clear that the majority of accountants are security conscious about IT on the home-front but have a different attitude at work."
This got me thinking - if one-third of your staff is breaching your IT policy, then what can you do to defend within? How do you protect your intellectual property when everyone has access and too many people aren't thinking about the consequences of their actions?
There are four ways that you can defend against internal attacks and we share them with you today.
1. Role-Based Access
With hundreds or thousands of users on your network, it can be overwhelming to try to provision everyone with the correct access in a timely fashion. As people join your systems every day, access quickly becomes a numbers game: a stream of unique identifiers all submitting requests for access they think they need, resulting in a backlog of requests, a long wait for access, and, too often, unnecessary access rights being granted, leaving you vulnerable to a breach.
Rather than dealing with these headaches, you could handle provisioning by role-based access. This way, if you are a member of the development team, once you go online to request access to network systems, you are led to the development applications rather than having to pick and choose from each and every application in the company. If you apply for an application that is within your role then you would be instantly granted access rather than waiting on approval for something as simple as email. Not only does this save time for the user by helping them choose what to ask for but it helps to eliminate the number of excessive access requests giving only the right people access to your critical applications.
2. Access Management
Every organization, no matter how big or small or what industry you are in, has the same three types of users: Joiners, Movers and Leavers. What do each of these have in common?
They need to have their access changed immediately with their status. Joiners need access to systems such as email, time cards, and internal network files on the day they start. Movers need to have their access rights changed as soon as their role changes. While these two user types are important to your organization, the most important to your security are the Leavers.
In a study by scmagazine.com, 1 in 5 employees still have access to the internal systems of their previous jobs. 1 in 5! When an employee is terminated, regardless of reason, they need to have their access immediately terminated. Is your system set up to handle this?
3. Segregation of Duties
Wouldn’t it be great to be able to set and approve your own budget? What about requesting and approving a purchase order? While this does sound dreamy, it also sounds like a nightmare for your finance department. In order for your organization to uphold the checks and balances of its systems, from budgeting to systems access, there needs to be segregation between requestors and approvers.
When you assign Segregation of Duties at the beginning of your project, you are essentially saying what each user is and is not allowed to do, and putting barriers in place to keep these conflicts from happening.
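The three controls above (role-based provisioning, joiner/mover/leaver handling, and requester/approver segregation) fit in one small model. The following is an added example, not Courion code or a description of its product: an in-memory identity store with a constructed role catalogue. A joiner gets exactly their role's bundle, a mover's old entitlements are replaced rather than accumulated, a leaver loses everything, an in-role request is granted instantly while an out-of-role request waits for a different person to approve it, and `reconcile` answers the "1 in 5 still have access" question by listing accounts that hold access but are no longer active in the HR feed. Role names, application names and the critical-application list are all assumptions.

```python
# Constructed role catalogue for the example: role -> applications that come with it.
ROLE_ENTITLEMENTS = {
    "developer": {"email", "timecards", "source_control"},
    "finance":   {"email", "timecards", "erp_budget"},
    "helpdesk":  {"email", "timecards", "ticketing"},
}
# Applications whose access should never be granted without a second pair of eyes.
CRITICAL_APPS = {"erp_budget", "source_control"}


class IdentityStore:
    """Minimal joiner/mover/leaver store with role-based provisioning and SoD checks."""

    def __init__(self):
        self.role = {}      # user -> current role (entry removed once the user has left)
        self.access = {}    # user -> set of applications the user can reach
        self.pending = {}   # (user, app) -> True while the request awaits a separate approver

    def join(self, user, role):
        # Joiner: day-one access is the role's bundle, nothing more.
        self.role[user] = role
        self.access[user] = set(ROLE_ENTITLEMENTS[role])
        return self.access[user]

    def move(self, user, new_role):
        # Mover: the old role's access is revoked, not carried along.
        self.role[user] = new_role
        self.access[user] = set(ROLE_ENTITLEMENTS[new_role])
        return self.access[user]

    def leave(self, user):
        # Leaver: every entitlement and any open request goes on the termination date.
        self.role.pop(user, None)
        self.access.pop(user, None)
        self.pending = {k: v for k, v in self.pending.items() if k[0] != user}

    def request(self, user, app):
        # Inside the user's role: granted immediately. Outside it: queued for approval.
        if user not in self.role:
            return "unknown_user"
        if app in ROLE_ENTITLEMENTS[self.role[user]]:
            self.access[user].add(app)
            return "granted"
        self.pending[(user, app)] = True
        return "pending"

    def approve(self, requester, approver, app):
        # Segregation of duties: the requester can never be the approver,
        # and the approver must be an active account.
        if requester == approver:
            return "sod_violation"
        if approver not in self.role:
            return "approver_not_active"
        if (requester, app) not in self.pending:
            return "no_request"
        del self.pending[(requester, app)]
        self.access[requester].add(app)
        return "approved"

    def reconcile(self, hr_active):
        # Accounts that still hold access although HR no longer lists them as active:
        # these are the leavers nobody deprovisioned.
        return {u for u, apps in self.access.items() if u not in hr_active and apps}
```

In a real deployment `hr_active` would come from the HR system of record on every run, so the reconcile output is the list of terminations the provisioning process missed.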
4. Real-Time Monitoring
Auditing is most likely your least favorite time of the year. However, the fact that you only audit once or twice a year means that you are only giving yourself one or two chances to find errors in your system. With real-time monitoring, like the monitoring with an intelligent IAM system, you can see into your system at any time as well as be alerted when things look wrong. If four new users are granted access to a critical application in one week, would you notice? With real-time monitoring you would be alerted to this event so that you can investigate and mitigate the risk of a breach.
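The "four new users granted access to a critical application in one week" rule can be run over a provisioning log directly. Below is an added example (not Courion's monitoring product): a parser for a constructed, whitespace-separated grant/revoke log and a sliding seven-day window that raises an alert for a critical application once a threshold of distinct newly-granted users is reached. The log format, the application names and the critical-application list are assumptions for this example; the threshold and window come from the scenario in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed critical-application list and the rule parameters from the scenario above.
CRITICAL_APPS = {"erp_budget", "source_control"}
WINDOW = timedelta(days=7)
THRESHOLD = 4

# Constructed sample provisioning log: "<iso-timestamp> <user> <application> <grant|revoke>".
SAMPLE_LOG = """\
2015-07-01T09:00:00 alice erp_budget grant
2015-07-01T09:05:00 alice email grant
2015-07-02T10:00:00 bob erp_budget grant
2015-07-03T11:30:00 carol erp_budget grant
2015-07-03T11:31:00 carol erp_budget revoke
2015-07-06T08:00:00 dave erp_budget grant
2015-07-20T08:00:00 erin source_control grant
2015-07-21T08:00:00 frank source_control grant
"""


def parse_log(text):
    """Turn the log text into (timestamp, user, app, action) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = line.split()
        events.append((datetime.fromisoformat(ts), user, app, action))
    return events


def detect_grant_bursts(events, critical=CRITICAL_APPS, window=WINDOW, threshold=THRESHOLD):
    """Alert when >= threshold distinct users are granted a critical app inside any window."""
    grants = defaultdict(list)  # app -> [(timestamp, user)] in time order
    for ts, user, app, action in sorted(events):
        if action == "grant" and app in critical:
            grants[app].append((ts, user))

    alerts = []
    for app, items in grants.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= threshold:
                alerts.append({
                    "app": app,
                    "window_start": items[start][0],
                    "window_end": items[end][0],
                    "users": sorted(users),
                })
                break  # one alert per application is enough for a first pass
    return alerts


if __name__ == "__main__":
    for alert in detect_grant_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['app']}: {len(alert['users'])} users granted "
              f"between {alert['window_start']} and {alert['window_end']}: {alert['users']}")
```

On the constructed log, `erp_budget` picks up four distinct users between 1 and 6 July and is flagged, while `source_control` (two grants) stays quiet. Counting distinct users rather than raw grant events keeps a single user's re-grant from inflating the count, and revokes are ignored on purpose: the question is whether access was handed out, not whether it is still in place.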
5. Build a Security-Aware Culture
This tip is a freebie. One of the best ways you can protect against a breach in your system is by building a security-aware culture. In Global Accountant’s article, they mentioned that 42% of the accountants knew the IT policy. That means 58% of them didn’t know the policy. Educated users make better decisions. By building a culture that is aware of the risks to themselves and the company, you expand your security team exponentially. When your organization buys in to your security strategy they become more aware of risks, take more precautions against them and become a new line of defense against attacks.
Are you currently monitoring these four internal risk factors? Have you experienced a breach by not following one of these? Do you even know what risks are currently in your system?
With an Identity and Access Management solution, you can keep up with all of these risks and more at the same time. Using our solutions, we can perform a quick scan of your system and tell you where your risks lie and how you can protect against cyber-attacks.
For more information on how to manage risk in your organization or to have a quick scan of your current systems, contact us today at email@example.com.
In possibly the most delicious hack ever, a team of Israeli security researchers at Tel Aviv University have developed a way of stealing encryption keys using a cheap radio sniffer and a piece of pita bread. Truly a sight to see.
Lee Munson, NakedSecurity.com
Flight delays just got a little more advanced. A Polish airline was hit by a cyber-attack grounding around 1400 planes. There was never any danger to passengers because the attacks happened while no planes were in the air. However, the company says that the hack could happen to anyone, at any time making this a worldwide issue.
Wiktor Szary and Eric Auchard, Reuters.com
If you liked last week's blog about the unique challenges facing healthcare today, then you'll love this look into how medical devices are becoming "key pivot points" in the war against hackers and cyberattacks.
Megan Williams, Business Solutions- bsminfo.com
Do you BYOD? As if security wasn't already difficult enough to control within your network and its devices, now security teams have to worry about the exponential threat of “bringing your own device”. This article gives 8 best practices for BYOD security and an insightful look at this new challenge.
Keith Poyster, ITPortal.com