Channel: security news – Cyber Parse – Cyber Security and Information Security

Companies’ Confidence in Their Security Stance Wanes: Cisco Report

A new report from Cisco reveals a lack of security confidence among many organizations, though there are some positive trends, such as automatic patching. Over the course of 2015, the overall level of confidence that organizations had in how secure they were declined marginally from 2014, according to Cisco's 2016 Annual Security Report. The decline in confidence in companies' ability to determine the scope of network compromises and to remediate damage comes as vulnerabilities remain commonplace, though Cisco has found some positive trends, including the increasing use of automatic patching for software. "The data shows that organizations are not feeling as confident about security as they were even a year ago," John Stewart, Cisco's chief security officer, told eWEEK. Last year, Cisco's security report found that, for 2014, 64 percent of organizations were confident in their security tools and processes, while in 2015, that level declined to 59 percent. Cisco's research over the course of 2015 also identified the trend of increasingly sophisticated attack infrastructure. Attackers are now making use of actively maintained and monitored infrastructure that is able to rapidly scale up and is also failure-tolerant, Jason Brvenik, principal engineer in the Security Business Group at Cisco, explained. "Attacker infrastructure is now being designed and built to be resilient against attacks," Brvenik told eWEEK. Cisco researchers were active in 2015 in helping take down attacker infrastructure, most notably a large part of the Angler exploit kit. In October, Cisco assisted in the shutdown of Angler exploit kit infrastructure that was generating as much as $30 million in revenue per year for the attackers. Outdated software remains a major risk, according to the report. Cisco looked at a sample of Internet-connected infrastructure and found that 92 percent of devices had at least one known security vulnerability. 
That said, Brvenik noted that there is a solution to the challenge of certain classes of outdated software: auto-updating mechanisms. Most modern Web browsers now provide some form of auto-update mechanism that can solve part of the issue of running old software. Also on the positive front is a continued focus on security training that has grown year-over-year. Cisco found that 97 percent of security professionals in 2015 said they conducted security training at least once a year, an increase from 82 percent in 2014. The time to detection for Cisco's customers to identify a breach is also improving. In Cisco's 2015 Midyear Security Report, the time to detection was reported at 46 hours, which by October 2015, improved to 17.5 hours as the median. "The time to detection metric tells you your window of opportunity to respond to an active breach," Brvenik said. "17.5 hours is still not good enough, but it's a vast improvement." Stewart has a few ideas on how things can or should change in the future to help improve the level of security confidence that organizations have. Stewart commented that awareness of security risks just needs to turn into strategy and execution by enterprises to limit those risks. He also suggests that security organizations need to connect senior management with business metrics on how to improve the status of security. One such metric is continuing to work on and improve the time to detection for a breach. "We have to put proof into the pudding and say we'll prove to you that, in fact, here's how we're making progress and here is what the effect of that progress is," Stewart said. Looking forward to 2016, Stewart emphasized that unlike other areas of Cisco's business that produce multi-year forecasts (such as the Visual Networking Index), the company does not make predictions on the future of attacks. With security, the adversaries are active and there are many unknown variables that constantly shift. 
"I suspect that there is no end in sight to attacks," Stewart said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

It Asda be a critical security flaw – ignored by supermarket chain for two years

Asda ignored critical account-hijacking security flaw for two years

Malicious insiders the fastest growing threat to cyber security, warns report

Staff - like Edward Snowden, perhaps - an ever-increasing security risk for all organisations, warns consultants EY

F5 Names Dimension Data As Its First Platinum Partner In EMEA

Company recognised for outstanding performance in client solutions in networking and security using F5 technology
Fleet, Hants, UK – 20 January 2016 – Dimension Data, the global ICT solutions and services provider, has been named by F5 as its first Platinum Partner in EMEA. The Platinum Partner status is the highest level of recognition in F5’s Unity Partner Programme https://f5.com/partners.
F5 helps organisations to seamlessly scale cloud, data centre and software-defined networking deployment to successfully deliver applications to anyone, anywhere, at any time.
Vangelis Tsingos, Dimension Data Europe’s Director of Solutions said, “Becoming F5’s first Platinum Partner for EMEA is another exciting milestone in our seven-year partnership. The F5 technologies are important cornerstones in our portfolio of networking, data centre, and security solutions. Working together with F5, our clients are connected and their applications and services are secure.”
Michael Schoenrock, Director, Channel and MSP, EMEA at F5 said, “Our partnership with Dimension Data in EMEA and worldwide is extremely important to the organisation as both companies strive to deliver applications without constraints to our joint customers.”
-ENDS-
About Dimension Data
Founded in 1983, Dimension Data plc is an ICT services and solutions provider that uses its technology expertise, global service delivery capability, and entrepreneurial spirit to accelerate the business ambitions of its clients. Dimension Data is a member of the NTT Group. www.dimensiondata.com.
For further information
Jonathan Mathias/Stacey Nardozzi
Finn Partners
T: +44 (0)20 3217 7060
E: DimensionData@finnpartners.com
Source: RealWire

Apple Issues First OS X, iOS Security Updates for 2016

Apple's Mac OS X 10.11.3 and iOS 9.2.1 debut with patches to help improve protection against potentially exploitable vulnerabilities. Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and iOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices. Apple last issued security patches for OS X and iOS on Dec. 9. Among the problems fixed in OS X and iOS is CVE-2016-1722, a vulnerability in the syslog logging function that was discovered by security researchers Joshua Drake and Nikias Bassen of Zimperium zLabs. CVE-2016-1722 is a privilege escalation issue that could have potentially led to remote code execution or a denial-of-service attack. Drake is well-known in the security research community for his discovery of the Stagefright media library flaws in Google's Android operating system. Though Zimperium has been successful in finding Android flaws, the company wasn't specifically looking for an issue with Apple's syslog. "We sort of stumbled on it on accident," Drake told eWEEK. Zimperium researchers had found a crash condition when doing fuzzing—a security research technique in which random characters and code are thrown at a program to see what will happen, Drake explained. "Our fuzzer was not targeting the syslog code, but some of our fuzzing framework just happened to exercise the vulnerable code leading to a crash," Drake said. Another high-impact flaw Apple is patching is CVE-2016-1730, an iOS vulnerability in the WebSheet function. WebSheet is an internal iOS app that enables users to connect to public WiFi access points. "A malicious captive portal may be able to access the user's cookies," Apple warned in its advisory. The CVE-2016-1730 vulnerability was reported to Apple by Skycure security researchers Adi Sharabani and Yair Amit.
In a blog post, Amit explained that the vulnerability is triggered by how iOS handles cookies when it interfaces with a WiFi captive portal. "When iOS users connect to a captive-enabled network (commonly used in most of the free and paid WiFi networks at hotels, airports, cafes, etc.), a window is shown automatically on users' screens, allowing them to use an embedded browser to log in to the network via an HTTP interface," Amit wrote. "As part of Skycure's continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS." As has been the case in previous Apple security updates, Ian Beer, a security researcher with Google's Project Zero, is credited with discovering multiple issues. For OS X 10.11.3 and iOS 9.2.1 updates, Apple credits Beer with reporting three memory corruption vulnerabilities—CVE-2016-1719, CVE-2016-1720 and CVE-2016-1721—which affect both OS X and iOS. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Startup AttackIQ Aims to Replicate Intrusions to Improve Defenses

AttackIQ offers a service that allows companies to conduct automated attacks against their IT infrastructure to detect exploitable flaws and misconfigurations. San Diego-based startup AttackIQ emerged from ste...

Symantec Finds a RAT Going After U.S., UK and India SMBs

A social engineering-based attack tricks users, resulting in a remote access Trojan, or RAT, infection. Security firm Symantec issued a warning today about an ongoing attack against small and midsize businesses in the United States, United Kingdom and India that is infecting users with a remote access Trojan (RAT). A RAT enables an attacker to have remote access to a victim's machine and can lead to information disclosure and financial losses. According to Symantec's research, the campaign makes use of the Backdoor.Breut and Trojan.Nancrat RAT tools and has been active since the beginning of 2015. "The attack is one among many detected by Symantec daily," Symantec researcher Gavin O'Gorman told eWEEK. "It was brought to our attention by a customer request." According to O'Gorman, Symantec has observed hundreds of distinct machines compromised by this attack. Fifty-six percent of the victims identified by Symantec are in India, with 23 percent in the U.S. and 21 percent in the UK. The mechanics of the attack are relatively simple, yet effective. The attackers send phishing emails with some form of financial-related titles, such as payment advice, request for quotation and payment remittance. The phishing emails are sent from either stolen or spoofed email accounts that aim to trick potential victims. The emails contain a simple file attachment that is often compressed in the .ZIP format. Once the victim clicks on the file, the impacted system is compromised by one of the RATs. "The victim has to open the attachment in the email and execute the file to become infected," O'Gorman said. Once a system is infected, Symantec's research has found that the attackers can take control of it and transfer money from the victim's account. The RAT campaign is not being driven by an exploit kit such as Angler, and no zero-day exploit is being used, O'Gorman noted. He added that users with a fully patched system and up-to-date antivirus product should be protected.
"While advanced attack groups attract a lot of attention in the news, we'd like to remind businesses that less skilled attackers can still cause major damages to a targeted company," O'Gorman said. Symantec is not taking any specific technical or law enforcement actions to try to stop the RAT campaign either. "Law enforcement was not notified because publication of an attack is often an effective method for stopping the activity," O'Gorman said. Since the beginning of the Internet era, security professionals have been advising IT users not to click on suspicious links and to keep systems updated with modern antivirus tools. Still, phishing campaigns continue to be successful. O'Gorman noted that based on campaigns run by Symantec's Phishing Readiness technology, on average, employees are susceptible to email-based attacks 18 percent of the time. The Phishing Readiness technology is a service that enables organizations to conduct simulated phishing attacks to test user reactions to potential attacks. "Businesses need to better educate employees to always exercise caution and to not open attachments or click on links in suspicious email," O'Gorman said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Skyscape Cloud Services Announces Strategic Partnership With Adapt

London – January 21, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today announced its strategic partnership with Adapt, a leading provider of IT managed services, to deliver secure, end-to-end managed Infrastructure-as-a-Service options to the UK public sector.
The partnership will mean the UK public sector can benefit from a combined portfolio of solutions which bring together Skyscape’s highly-accredited cloud platform with Adapt’s enterprise-grade infrastructure management and service expertise. The united capabilities of the two companies are now available via G-Cloud 7 and give public sector organisations secure, managed access to on-demand and scalable compute, storage and network resources that facilitate transformational projects. As a Skyscape partner, Adapt can offer its customers pre-approved and accredited platforms suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE) and connected to government networks including the Public Services Network (PSN), the N3 health network and others. With Skyscape, Adapt can also provide a genuine on-demand service and pay-by-the-hour pricing model, enabling customers to realise savings by turning off infrastructure when not in use, such as during evenings and weekends. Skyscape’s agile platform will also enable Adapt to scale services to meet its customers’ changing needs as well as peaks and troughs in demand.
“Our partnership with Skyscape Cloud Services is based on combined scale and reach,” said Stewart Smythe, CEO at Adapt. “With Skyscape’s industry-leading platform, unique connectivity and assurance credentials and our own infrastructure management and service expertise, together we provide an unrivalled proposition for the UK public sector.”
Skyscape’s public sector customers will now benefit from Adapt’s rich suite of managed services, helping them to design and build virtualised infrastructure which takes advantage of a true cloud utility service ensuring security, flexibility, availability and added value for money. Adapt’s services will complement the many solutions delivered on Skyscape’s assured cloud platform, supporting its ongoing commitment to delivering secure end-to-end managed services to UK public sector organisations.
“We’re thrilled to announce our partnership with Adapt, a company that shares our values and objectives to deliver end-to-end solutions that will help support the digital transformation of public services,” said Simon Hansford, CEO at Skyscape Cloud Services. “Adapt’s rich catalogue of offerings and its capacity and experience makes it an invaluable managed service partner for us.”
Skyscape is committed to collaborating with partners to offer end-to-end solutions to the UK public sector. Launched in August 2013, Skyscape’s dedicated partner programme now consists of more than 200 organisations. Focused on delivering high quality yet cost-effective cloud services at scale, Skyscape’s solutions provide a building block for many of its partners’ offerings. The company has won a number of high-profile contracts via the G-Cloud Framework in conjunction with partners that, in turn, are able to embed Skyscape’s cloud platform in their own solutions.
About Adapt
Adapt is a leading UK end-to-end managed cloud specialist and cloud integrator, managing critical production infrastructure for some of the UK’s most tech-dependent, heavily regulated public and private organisations. Adapt helps public sector customers work smarter with highly secure, compliant enterprise-grade IT that delivers real-world advantage, transforming price performance and enabling change.
Adapt's integrated offering spans the entire IT infrastructure, from end-to-end management and cloud services to complex colocation and networking solutions, underpinned by flexible commercial models. www.adapt.com
About Skyscape Cloud Services
Skyscape’s assured cloud solutions have been specifically designed to meet the needs of the UK public sector, delivering UK sovereign services that are easy to adopt, easy to use and easy to leave, with genuine pay-by-the-hour consumption models. As a UK SME, Skyscape has won a number of high-profile contracts via the G-Cloud Framework and through its large number of channel partners that embed Skyscape’s cloud platform in their solutions.
Skyscape’s full range of services are Pan Government Accredited (PGA) up to IL3, hence suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE) and connected to government networks including the Public Services Network (PSN), the N3 health network and others. Its services are delivered with leading technologies from the Skyscape Cloud Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. Skyscape has been named a “Cool Vendor” by analyst firm, Gartner. To learn more about Skyscape, visit www.skyscapecloud.com or follow on Twitter @skyscapecloud
Media Contacts
Charlotte Martin/Stacey Nardozzi
Finn Partners
+44 (0)20 3217 7060
SkyscapeTeam@finnpartners.com
Source: RealWire

LDeX Group Forms Partnership with Asigra to Add Backup-as-a-Service to its portfolio of services

London, United Kingdom – 21st January 2016: LDeX Group has today announced the launch of its Backup-as-a-Service platform powered by Asigra’s converged data protection platform. Asigra Cloud Backup™ software is the industry’s leading cloud-based data recovery software with over one million installations worldwide. The software is built for reliable, efficient operation and easily integrates with public, private, and hybrid cloud architectures. Asigra’s agentless architecture provides for simple, secure deployment and hands-free management while delivering advanced features, including global de-duplication, automated mass deployment, autonomic healing, and validation restore capabilities.
Rob Garbutt, LDeX Group’s CEO, said: “Asigra was a natural choice of BaaS software which complements our data centre and connectivity customer requirements as well as opening up new markets to us. Proliferation of mobile and cloud-based IT makes it increasingly difficult for our customers to protect and ensure the recovery of important data. Asigra overcomes these challenges.”
According to research by IDC, the digital universe is expanding at the phenomenal rate of 40 percent a year into the next decade. With data doubling in size globally every two years, IDC expects that by 2020, the data created and copied annually will reach 44 trillion gigabytes (44 zettabytes). In this environment, organizations face growing needs to protect their information across physical, virtual, cloud and mobile computing environments.
“With a data protection solution as comprehensive as Asigra Cloud Backup, we can help our partners address the challenges of protecting data whether it resides in the data centre or is born in SaaS-based office productivity suites such as Office 365,” said Eran Farajun, Executive Vice President, Asigra. “We are pleased to welcome LDeX Group to our global partner ecosystem and look forward to collaborating with their team to support the deployment of their Backup-as-a-Service offering across the UK.”
Ends
Press contact: Paul Dowles, Group Sales Director, LDeX Group, p.dowles@ldexgroup.co.uk +44 (0)845 370 3510
About LDeX Group
LDeX Group is an independent national carrier neutral datacentre and colocation operator providing best in class colocation, network connectivity and satellite services to an array of customers across the globe. The company owns, operates and manages facilities in both London and Manchester, providing colocation, network services and Backup-as-a-Service to a range of industry sectors to protect the availability of data, applications, ecommerce and online presence. For further information, please visit the website: www.ldexgroup.co.uk
About Asigra
Trusted since 1986, Asigra provides organizations around the world the ability to recover their data now from anywhere through a global network of partners who deliver cloud backup and recovery services as public, private and/or hybrid deployments. As the industry’s first enterprise-class agentless cloud-based recovery software to provide data backup and recovery of servers, virtual machines, endpoint devices, databases and applications, SaaS- and IaaS-based applications, Asigra lowers the total cost of ownership, reduces recovery time objectives, eliminates silos of backup data by providing a single consolidated repository, and provides 100 percent recovery assurance. Asigra’s revolutionary patent-pending Recovery License Model provides organizations with a cost-effective data-recovery business model unlike any other offered in the storage market. Asigra has been recognized as a Gartner Cool Vendor and has been included in the Gartner Magic Quadrant for Enterprise Backup and Recovery Software since 2010. More information on Asigra can be found at www.asigra.com.
Source: RealWire

Cyber security pros say boards, CEOs and CFOs don’t ‘get’ cyber security risk

Half of infosec pros believe boards have big gaps in their understanding of cyber risk - or don't understand it at all

Heads will roll – cyber security predictions for 2016 from Glasswall Solutions

UK cyber security innovator Glasswall Solutions sees data security rising to the top of the corporate agenda as organisations fail to cope with new threats and regulations
London UK, 21st January 2016: Glasswall Solutions, the acclaimed UK cyber security company, today issued its top five predictions for 2016.
The list covers the five key developments that Glasswall’s team of experts believes will have the biggest impact on cyber security over the next 12 months.
“Businesses around the globe now face unprecedented threats from every kind of hacker and cyber criminal,” said Greg Sim, CEO, Glasswall Solutions. “We believe the next 12 months will see some of the most significant developments in the history of cyber security as powerful new EU regulations loom and enterprises realise their defences are dangerously unprepared and antiquated. 2016 promises to be an extremely interesting year in which many new opportunities will emerge to boost our collective security – the question is whether businesses around the world will grasp them.”
The five predictions are:
(1) New Threats
Cyber security threats will continue to grow throughout the year, with email attachments the most dangerous point of vulnerability for businesses without effective defences in place. In 2015, cyber crime cost £36 billion and 94% of successful attacks were conducted via email attachments. Criminals will continue to steal insights from leaky documents, websites and social media profiles for use in social engineering, targeting employees and turning them into dupes who unwittingly assist in the hacking of their own companies by opening files hiding malicious exploits.
As the cost of these attacks grows, we can expect to see a bigger effort within businesses to understand the nature of the threat. For example, it comes as a surprise to many that the vast majority (75%) of threats within files are not in JavaScript, Macros or URLs, but in the manipulated DNA of the commonly used files we use every day.
(2) A change in corporate culture
2016 is set to be the year when a change in culture sweeps through many organisations in response to the growing sophistication of cyber-attacks. As we have seen in the USA, C-suite jobs are now on the line and the forthcoming EU Data regulations hold the executives culpable for the security of their organisation’s data. The risk of loss of customer data and the knock on effects of supply chain confidence, customer loss and even share price demise is now too great.
From top to bottom, organisations must shift attitudes and take back control of document security. This will extend beyond the organisation’s own borders and into the supply chain where cyber-security will become a major factor in the on-going business relationship between organisations and their suppliers.
Within most organisations, a trusting culture has been bred, from sharing and collaborating on documents to being accepting of incoming files and URL links. This culture is commonly reflected from C-level executives down to the most junior employee – with everyone at equal risk of becoming a target. Decisions on what is safe will no longer rest with employees but will be a matter of policy, determined in conjunction with experts in corporate cyber security technology.
(3) Heads will roll, but the CISO will stand tall
Sadly, we can expect that continued reliance on outdated security solutions makes it inevitable that a serious data breach will occur in 2016, leading to a minor bloodbath in the C-suite. Chief executives have been warned – they saw what happened to TalkTalk in 2015 – but too few are walking the walk when it comes to boosting security in their own organisations. A major loss of data or breach of old-fashioned perimeter security is going to cost a chief executive his or her head in 2016.
By contrast, in organisations where security is taken more seriously, the role of the Chief Information Security Officer (CISO) is going to have greater prominence. More and more CISOs are going to be appointed and increasingly, they will report directly to the CEO and ultimately sit within the board if information security is to be taken seriously. In businesses where they are already at work, over half of them report to the Chief Technical Officer, demonstrating a real lack of urgency about cyber security at board level. This has to change.
Steve Katz, a member of Glasswall’s advisory board and the world’s first Chief Information Security Officer (Citigroup and JP Morgan), predicts a further development in 2016. He says the year is likely to see the emergence of the Chief Information Risk Officer, or CIRO.
“A single hacker only has to win once for an organisation to find its reputation has been torched,” says Katz. “The havoc wreaked by some of these attacks leaves such a trail of destruction that organisations never recover. Cyber security is now about managing risk, rather than just security and the board-level role of the CIRO should reflect that.”
(4) Regulation
The European General Data Protection Regulation comes into force in 2017, imposing increased penalties and fines on companies which fail to protect data adequately, or are subject to a breach. In the first quarter of 2016, businesses will start to wake up to the potentially enormous consequences of this first real overhaul of European data legislation in two decades.
Minimum fines are likely to be set at two per cent of global turnover, with the maximum running to five per cent. Had the TalkTalk breach occurred under the EU regulation, the company’s fine could have amounted to £90 million. In addition, the new regulation will impose disclosure of data breaches in the public interest, meaning there is no hiding place for firms caught with their cyber trousers down. As businesses realise what is involved, we can expect to see them struggle to achieve compliance throughout the year, scrambling to hire consultants or investigate outsourcing solutions as 2016 draws to a close.
(5) Innovation
Amidst the backdrop of increasing threat levels, 2016 is going to be a great year for cyber security innovation, replacing legacy and even relatively modern security technologies which are failing their customers in protecting from the ever increasing wave of sophisticated attacks. The new wave of sandboxing and advanced threat analytics in particular are simply not working and Glasswall is seeing evidence of this every day. The overwhelming feedback from the industry is that they do not trust what they are being sold from the mainstream suppliers.
Expect to see innovation in security shift from USA-based companies, currently regarded as the bastion of trusted security, to new innovative companies such as Glasswall, referred to by the UK Chancellor of the Exchequer in his speech at GCHQ in November, when he stated “excellent British companies” breaking new ground in cyber security. This is the year in which the best of those businesses fulfil the chancellor’s vision of “an ecosystem in which great ideas get translated into great companies.”
Reaffirming these views, industry analysts Frost & Sullivan stated in their 2016 predictions that “we can see widespread acceptance of a new approach to business risk and cyber security, moving the focus from detection of “known threats” to validation of the “known good.”
-end-
About Glasswall Solutions: Glasswall Solutions has offices in London, Qatar, San Francisco and New York and provides organisations with unique protection against cyber threats through its innovative, groundbreaking security technology. The forensic data that Glasswall Audits produce provides essential insight into threats already within networks and provides fresh insight into unknown and as yet undetected cyber threats. With Glasswall, key cyber security decision-makers are better equipped with actionable intelligence to immediately act, respond and set compliance standards to meet crucial data security requirements.
Source: RealWire

Asacub Trojan Moves From Spyware to Banking Malware

Researchers with Kaspersky Lab identify how the Asacub mobile banking Trojan is making use of the same infrastructure as a Windows spyware Trojan. Security firm Kaspersky Lab is warning of an evolving threat f...

Security Groups Struggle for Budget, Skilled Workers

A shortage of knowledgeable security pros and a greater variety of information technology have set companies back in their fight to secure their infrastructure, according to an annual study by Hewlett Packard Enterprise. Companies have lost ground in the fight to secure their infrastructure, as the managers of security operations centers (SOCs) have to deal with a greater variety of information technology and a shortage in knowledgeable security workers, Hewlett Packard Enterprise stated in a report released on Jan. 20. The State of Security Operations 2016 report found that the average maturity rating of SOCs fell over the past year, with 25 percent of companies failing to even score a level 1 on the 6-point scale of maturity. A lack of knowledgeable security professionals, a greater variety of information technology and budget pressures all contributed to the decline, Kerry Matre, senior product marketing manager of services for HPE Security, told eWEEK. "When we talk to CISOs [chief information security officers] and do surveys, the lack of skilled resources is the No. 1 issue they are facing," she said. "The organizations that are doing well are finding a workaround for this issue." With businesses concerned over regular reports of breaches, an increasing number are creating a central group to handle security, Matre said. From two- or three-person groups to large centers with dozens of employees, security operations centers allow companies to focus on creating the infrastructure and processes needed to lock down their networks and data. "We are seeing a lot more SOCs being created, although it might not be that name that they use," she said. "There is a stigma in that 'SOC' means expensive, so they might call it something else." The HPE report rated the maturity level of a company's security capability on a scale of 0 to 5, advancing from "Incomplete" (Level 0) to "Initial" (Level 1) up to "Optimizing" (Level 5). 
Typically, the few companies with a mature security capability score between a 3 ("Defined") and 4 ("Measured") on the scale, but the average company typically scores between a 1 and 2 ("Managed"). While the HPE report described a drop in the maturity level, it did not specify by how much. However, it did note regional differences, with South American SOCs scoring the highest at 1.92 and SOCs in the Middle East and North Africa scoring the lowest at 0.74. Over the last five years, technology companies have scored the highest at 1.82, while telecommunications firms have scored the lowest at 0.95. More companies are moving to a hybrid infrastructure model encompassing both on-premises technology and cloud services. In addition, companies are moving away from a focus on just monitoring and instead using hunt teams to sift through collected data for signs of an attack. The lack of security expertise has forced businesses to adopt a hybrid staffing model, using managed-security services to handle the triaging of incidents and initial monitoring and using in-house security teams for incident response. Organizations are also looking to automation to help ease incident response, so as to free up security resources to conduct hunting and breach investigations. The companies that succeed in advancing the maturity of their security operations centers are those that focus on establishing processes and training workers year after year, said HPE's Matre. "A simple thing that leads to better maturity is documenting processes," she said. "That makes incident response repeatable, but also, once they are documented, they are more in control. Just defining your processes will make you more capable and make your people happier."  

European Security Technology to Grab Spotlight at CeBIT 2016

NEWS ANALYSIS: Particular European concerns about personal privacy and security will be clearly apparent from companies and products on display at CeBIT 2016 in March. HANNOVER, Germany—Security is always an important part of the CeBIT technology trade show here, but this year, new concerns are on the rise for businesses in Europe and beyond. Adding to those concerns are the continuing disclosures of classified documents describing U.S. cyber-surveillance activities by former National Security Agency contractor Edward Snowden. Also of concern are efforts by the U.S. Justice Department to gain access to data on a Microsoft server based in Europe containing email created by a European Union citizen. A Microsoft spokesperson told media attendees of the CeBIT preview that a new data center being built in Germany will not be accessible from the United States. These developments and threats from around the world are making EU businesses and citizens more conscious about the need for stronger data security. In fact, most of the security announcements at the CeBIT 2016 Press Preview address concerns that were only beginning to bubble to the surface a year ago when eWEEK was last here. The press preview highlighted the companies and technologies that will be on display March 14-18 at what is billed as the world's biggest technology trade show. Three prominent examples of that include support for new, non-BlackBerry mobile platforms from BlackBerry security technology subsidiary Secusmart, several major new security products for the Internet of things from EuroTech and new standards for payments from Six Group, the company that runs the Swiss stock exchange. In fact, companies from Switzerland, long a leader in security because of the nation's critical role in banking, were prominent this year. 
BlackBerry is demonstrating that it's moving beyond support for its own legacy mobile devices with an announcement from its Secusmart subsidiary that the highly regarded SecuSuite for Enterprise will bring the encryption capabilities of the Secusmart chip to Android and iOS mobile operating systems in addition to devices running BlackBerry OS. The Secusmart enterprise software supports secure, encrypted voice calling along with secure text messaging. BlackBerry acquired Secusmart in September 2014 to bolster the security capabilities of the company's BlackBerry mobile handsets. The Secusmart software is the same as the software on the Secusmart chip, which is approved by NATO for handling classified information. While the software isn't approved for the transmission of classified information (because it's software), it should be as secure as the solution that German Chancellor Angela Merkel used to keep the world's spy agencies out of her phone. "With SecuSuite for Enterprise, Secusmart has unveiled the very first BlackBerry service that can truly be used worldwide and with absolutely any network operator. At CeBIT, we will be presenting a treasure chest full of security solutions," Dr. Christoph Erdmann, CEO of Secusmart, told eWEEK. Erdmann demonstrated the iOS version of its secure software to eWEEK at the press preview. He noted that the new software should remain compatible with other secure voice products such as the recently announced Vodafone Secure Call app.

A Look at Linux, Android Zero-Days and the Perils of Patches

NEWS ANALYSIS: A zero-day vulnerability is reported against Linux and Android, but the real risk lies in known issues that users have not yet patched. Some vulnerabilities have a bigger impact than others, and not every flaw that a researcher claims is critical represents an immediate risk to users. Case in point: security firm Perception Point's recent disclosure of the CVE-2016-0728 vulnerability. Perception Point alleges that the zero-day flaw exposes tens of millions of Linux devices, including Android phones, to the risk of exploitation. As it turns out, the risk is not quite as pronounced as indicated, and there are significantly more pressing security issues that Android users should likely be concerned about. The CVE-2016-0728 issue is a use-after-free memory corruption vulnerability that could potentially enable a local privilege escalation. Linux vendor Red Hat detailed in a customer note that the vulnerability requires a potential attacker to already have access to a system. "The attacker must be able to run custom code on the account; in the most common configuration, this requires them to have a login and shell account on the target system," Red Hat wrote. The same day that Perception Point's disclosure was made, a patch to fix the issue was made to the upstream Linux kernel. There are no public reports of any Linux user or system being exploited by the issue. Now looking at Android, which uses Linux at its core, the risk is small in Google's view, and it has also already patched the mainline of Android's open-source code. Adrian Ludwig, Google's Android Security lead, emphasized in a Google+ post that the impact to Android devices is smaller than what Perception Point reported. "We believe that no Nexus devices are vulnerable to exploitation by third-party applications," Ludwig wrote. "Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third-party applications from reaching the affected code."
SELinux (Security Enhanced Linux) provides additional access controls on system processes, which can limit the potential risk of privilege-escalation-related attack attempts. Going a step further, the CVE-2016-0728 vulnerability was introduced into the Linux 3.8 kernel, which was first released in February 2013. "Many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions [are] not common on older Android devices," Ludwig added. So to recap: A Linux kernel privilege-escalation vulnerability was announced, an attacker would already need access to a system to exploit it and Android isn't at much risk, thanks to SELinux. Oh, and there are patches out now, too. Although CVE-2016-0728 might not be much of a risk, when it comes to Android, the much larger risk isn't unknown zero-days, but rather known issues that users have not yet patched on their own devices. Somewhat ironically, on the same day (Jan. 19) that Perception Point disclosed the Linux flaw, Duo Security reported that according to its own analysis, 90 percent of Android devices are running outdated operating systems. Looking deeper into the numbers, Mike Hanley, program manager, Labs R&D, Duo Security, told eWEEK that 32 percent of the Android devices his firm sees run a version of Android 4 or below, meaning they lack security mechanisms such as address space layout randomization, or ASLR, a key feature that makes the exploitation of Stagefright vulnerabilities more difficult. Stagefright vulnerabilities, first publicly revealed in July 2015, exposed hundreds of millions of Android users to risk. Since September 2015, Google has patched 93 security vulnerabilities, including multiple Stagefright-related issues. Those patches have been made available to Google Nexus device users, though other Android devices are not getting updates as fast.
Hanley noted that security updates are currently landing faster on supported Nexus devices, and he hopes that it will lead to changes in how quickly security patches are deployed to users who are constrained by carrier and OEM testing requirements. "Some OEMs have landed one or more rounds of Stagefright patches on their handsets though the time delay was significant," Hanley said. There are also countless millions of unsupported Android phones in use that won't get any updates from OEMs or carriers that are also at risk from at least the 93 issues that Google has patched since September. While news of the latest zero-day flaw against Linux is interesting, it is a seemingly trivial footnote in the context of the larger issue of known vulnerabilities for which user devices have not been patched. The truth is that there are so many known vulnerabilities that an attacker can easily exploit that a zero-day isn't nearly as interesting, regardless of how easy or hard it might be to execute. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

The GlaxoSmithKline stolen intellectual property case shows why businesses should be wary of insider threat

Companies can't be too careful when it comes to protecting their data

BlackArch Linux Expands Its Roster of Tools for Security Research

If having more tools is better for security, then the latest release of the BlackArch Linux distribution will be warmly received by security researchers. Version 2016.01.10 of BlackArch Linux, which was released on Jan. 10, boasts more than 30 new secu...

Vocalcom and Aeriandi announce partnership to provide hosted PCI compliant cloud based call centre solutions

25th January 2016: Vocalcom, a global provider of cloud-based call centre software, has announced its intention to partner with Aeriandi, a cloud-based Level 1 PCI DSS service provider. This will be to integrate their Agent Pay and IVR Assist solutions and to provide a solution that eliminates telephone based card data, from both Vocalcom’s and their customer’s infrastructure. Lindsay Brown, Head of Channels at Aeriandi, said “We are delighted to be working with Vocalcom to provide cloud based PCI DSS compliance solutions. Vocalcom are one of the leading global providers of cloud based contact centre solution providers and our products complement each other very well. Both organisations have a strong heritage of delivering high quality, scalable solutions.”

About Vocalcom

Vocalcom was founded on the principle of a wonderful user experience, providing contact centre software based on an innovative design and useful functionality. More than 3,500 companies such as McDonald’s, Disney, and ITV are using Vocalcom to lower their operational costs, raise productivity, and turn each customer interaction into a positive business outcome. Loved by 550,000+ users for its beautifully crafted interface, Vocalcom is a contact centre software, easy to try, buy, implement, and use. For more information about Vocalcom contact centre software, visit Vocalcom.com

About Aeriandi

Founded in 2002, Aeriandi specialises in secure solutions that enable organisations to meet FSA and PCI DSS compliance obligations. It has spent over a decade investing in cloud-based design and architecture and is proud to work with some of the biggest names in banking, telecommunications, utilities, and travel. Aeriandi also delivers PCI DSS Level 1 call recording solutions, which allow organisations to log, monitor and play back calls – including legacy calls – without the worry of breaking data laws or industry certification.
Its range of customer intelligence solutions also help to make the most of rich customer data, improve productivity, deliver a better customer experience and boost customer satisfaction. More details can be found at www.aeriandi.com Source: RealWire

Allegis Capital Ramps Up Investment in Cyber-Security Firms

Bob Ackerman, managing director and founder of Allegis Capital, continues to see profit potential in security. He offers his take on the marketplace. There seems to be no shortage of money flowing into cyber-security firms these days. However, just because cyber-security is hot doesn't mean that every technology will be successful or that every investment will pay off, said Bob Ackerman, managing director and founder of Allegis Capital. Ackerman believes in taking a strategic, measured approach to investing in security vendors that are creating platforms that solve real problems for organizations, including securing legacy architectures and building security for the future. For the last 20 years, Allegis Capital has been largely focused on early and seed round investing, and for much of the last five years, the firm has almost exclusively been looking at cyber-security ventures. Allegis Capital is in the process of closing its latest fund called the Allegis VI Cyber Innovation fund. "Capital [that is] under management needs to line up with our investment strategy," Ackerman told eWEEK. "You can't be an early-stage investor and manage a whole lot of money, so we tend to like pools of capital that are around $150 million." Among the companies that Allegis invested in last year are E8 Security, which raised $9.8 million in a Series A round in March; RedOwl Analytics, which raised a $17 million Series B round in July; and fraud protection vendor Signifyd, which raised a $7 million Series A round, also in July. In addition, Allegis invested in search vendor Lucidworks as part of a $21 million Series D round, announced in November. Lucidworks provides commercial support and tools for the Apache Lucene search technology. What brought Allegis Capital to Lucidworks is the fact that a lot of the applicability and use-cases for the vendor's technology is related to security, Ackerman said.
With so many companies now in the market trying to solve the cyber-security challenge, Ackerman is confident that it's still a growing market for him to invest in. "This problem set will be with us for the foreseeable future; there is certainly a tremendous amount of activity in cyber-security, but a lot of the activity is not necessarily unique," Ackerman said. When Ackerman looks at the cyber-security market, he focuses on two key issues. One is the challenge of securing decades-old legacy architectures that were not built with modern cyber-security in mind. The other is figuring out how to build inherently more secure architectures in the future. In looking to secure new architecture, the move to virtualization and the cloud is a key opportunity, according to Ackerman. Allegis has invested in Bracket Computing, which provides data center virtualization security technology, and vArmour, which emerged from stealth in September 2014 with its data center security platform. "Both of those companies are looking at where technology is going and ensuring that security is an integral part of the path to that destination," Ackerman said. Ackerman points out that the modern world is enabled by a digital substrate. As such, even though some people might think of cyber-security as a vertical niche, Ackerman emphasizes that it's not. Rather, cyber-security is a broadly horizontal domain that covers the entire digital substrate on which the modern global economy is built. "With the almost daily reports of breaches that pop up in the news media, both entrepreneurs and investors have latched onto cyber-security and concluded that it's a hot area," Ackerman said.

Tech Companies Act to Prevent U.S. Access to Data Stored Overseas

NEWS ANALYSIS: Microsoft, Facebook and other companies take defensive action to keep the U.S. government from seizing data stored in the European Union. The Microsoft executive attending the CeBIT Press Preview in Hannover, Germany, let the global press representatives there know that his company was taking action to forestall any additional efforts by the U.S. Department of Justice to access information in European data centers. The company, he said, was in the process of building a new data center in Germany that would be designed so that it would have no connection to networks in the United States. It would be operated by Microsoft's German subsidiary. Facebook, meanwhile, made an even wider announcement that it was doing the same thing by building a new data center in Clonee County, Ireland, near its international headquarters. Other companies, including Tableau and Foxconn, are doing the same thing instead of opening new U.S. data centers. Meanwhile, negotiators from the United States and the European Union are trying to work out a new Trans-Atlantic Data Transfer Agreement to regulate how data access is managed between the two regions. It would reportedly provide mechanisms for EU citizens and companies to sue in U.S. courts for violations of the agreement. All of this is necessary because the European Court of Justice struck down the existing data transfer agreement because of revelations by former National Security Agency analyst Edward Snowden that U.S. intelligence agencies were routinely gathering information from the EU that was protected by EU law. In addition, the efforts by the U.S. Justice Department to gain access to emails contained in a Microsoft server located in Ireland and belonging to an EU citizen without using existing Mutual Legal Assistance Treaties (MLAT) have caused deep concern in the EU. In that case, the Justice Department served Microsoft with a warrant demanding access to the email and Microsoft refused.
Microsoft has repeatedly held that the existing treaties are the law of the land and that the DOJ should follow the provisions spelled out in the treaties for requesting access to data stored in servers overseas. The Justice Department has refused, claiming that using the MLAT was inconvenient and too slow. As a result, the DOJ has spent more than two years so far in order to save the six months that an MLAT request usually takes. The problem that the EU has with all of this is it believes that the existing treaties and agreements have been working just fine for 15 years. Then, two years ago, the Justice Department, pursuing a drug investigation, decided it wanted emails from an EU citizen that were stored on servers in Ireland, an EU member nation. Microsoft has refused to comply. Since then, the DOJ has been pursuing Microsoft, and the company has been appealing. So far, the emails on the Irish server have remained there undisturbed, assuming they still exist, despite the assertion by the Justice Department that all Microsoft needed to do is go to the server and copy them.