What can CSOs do to implement a secure file transfer strategy?

CSOs have a hard job working to strike the right balance between productivity and security.  One popular answer is to provide IT-sanctioned methods and tools that protect data while making it easy for business users to get their jobs done. In many cases, the solution can be found using ad-hoc, person-to-person managed file transfer technologies that allow non-technical users to send files of any size simply and securely to anyone at any time in a well-governed way. Continue Reading»

How CSOs can conquer the security issues created by the Bring Your Own Device trend

Not only are smart devices perceived as essential in daily life and thus worth the (private) investment, a smart device has also become a fashion accessory. End users are not only selecting devices based on their technical features, but also on brand, color, and shape. In today’s digital age, when it comes to social status, smart devices are the new cars. Working with a privately chosen smart device gives the user a higher satisfaction, creating the feeling of goodwill that encourages a flexible working environment. Continue Reading»

A CSO's guide to keeping desktops and servers secured

Besides assigning users an excess of privileges, another common and frequently overlooked mistake is a lack of end user education. A large majority of today's breaches continue to result not from external threats, but from human error. Employees who unknowingly download unauthorized software, or click on a link hosting infected exploits are opening their entire organization up to attack. We saw several high-profile instances of this last year, including the South Carolina Department of Revenue breach, which cost the state $14 million and compromised the financial data of millions of residents. Continue Reading»

Where are the main vulnerabilities in our internet and what are the trends?

What makes the internet by its very nature democratic and open access, also makes it vulnerable to sophisticated and agile cyber threats. Cyberspace touches nearly every part of our daily lives. While we may be dependent on our airline systems, in fact we use the internet far more often than we fly. Increased security measures instituted since 9/11 that help keep our planes flying are continuously probed for weakness. Similarly, it is necessary to add and monitor cybersecurity measures to keep the internet operating. Continue Reading»

Everything a CSO needs to know about Mobile Apps and Enterprise Security

Up until now, the threats we’ve seen have, for the major part, targeted the device user.  Case in point, software like Zeus for mobile will steal your bank information and suddenly, you’ll start seeing your money ‘flying’ to Eastern Europe. Theft of personal information has also been rampant.  What we haven’t seen, yet (and I speculate we will soon), is an attack of grandiose size on a corporate network, using a mobile device, at least as a bridge, to kickstart the attack. Continue Reading»

A CSO’s quick guide to data security and disaster recovery

What keeps CSOs awake these days?

Mobile Applications, and specifically the impact of BYOD in the enterprise, have created an uncontrolled environment that IT professionals can no longer easily manage. In the past, IT managers could control what applications were allowed to run on corporate systems, or at least ensure that those systems had the latest protection methods (AV, etc). They also had good control (usually through VPNs) of securing access to all enterprise data. With mobility and BYOD, they can no longer guarantee either of these protection mechanisms. Continue Reading»

The next steps CSOs should take now when it comes to data breaches and attacks

It’s a moving target because companies should not only invest in new security software, but they should change the way employees work.  Most companies think that if they implement traditional technologies and use sophisticated passwords, it will be enough.  Our ever-changing environment requires several layers of protection.  Only IT personnel should have administrative passwords, and they should be kept in a vault and handled only through identity management techniques. Continue Reading»

A CSO's guide to defending against targeted cyber attacks

The next major threat will come from a nation state taking aim at our critical national infrastructure and knocking out resources essential to life.  This will be an easy target since many of the utilities have little interest or appreciation for security.  Their systems have been fully characterized by hostile powers external to the United States and will eventually be turned off and/or damaged when the time is right.  The intelligence agencies have been warning Congress and the Senate about these problems as well as the utilities themselves. Continue Reading»

Your everyday guide to keeping and staying safe online

Where possible I also use random passwords as answers to “Secret Questions”, as password recovery questions that rely on information about the user have been proven many times to be a very weak form of authentication. The other problem with Secret Questions is that you often end up leaking this personal information to sites that aren’t very secure. Continue Reading»

What’s basically wrong with the approach most security solution providers are taking

We see many security solution providers stressing compliance over security. They tend to see their primary duty as checking all the compliance boxes rather than architecting a highly secure system which is also compliant. As an example, security equipment may be installed for compliance reasons and then heavily customized to reduce false positive alarms. The customization often renders the device nearly useless from a security perspective. The system may still be compliant, but it's far from secure. Continue Reading»

What every CSO must know about preventing online fraud and cybercrime

Not only are the current security solutions complex, but also many users are unaware that they need them, or even more frightening, that they exist at all. Users were more educated in the early 1990s on the need for some of these solutions since they had to use applications like Norton to keep their systems optimized.  Many of the original basic features of these utility packs are now built into Windows. Continue Reading»

What everyone must know about online banking and the risks of fraud and ID thefts

Most security measures are adopted by banks and then deployed to other e-commerce companies, and many of these are dictated by the large payment brands like Visa or MasterCard.  PCI DSS regulation is a good example of this, and nowadays EMV is also designed to provide a much more secure payments framework, and is meant to be the most secure way to prevent fraud. Continue Reading»

How CSOs are aligning their efforts with the goals and operations of businesses

Without a good risk framework, it is difficult to allocate resources and you end up funding the “latest and loudest” rather than what does the most to reduce risk to the important functions in your business. If you find yourself wanting to move to a risk-based model but not knowing how, there are a lot of choices.  Look before you leap - you don’t need to complicate your life - so try to find one that is simple to learn, implement and communicate, and one which has readily available training for your organization.  If you don't keep these things in mind, it will be difficult to get things going, and extremely difficult to maintain a program. Continue Reading»

CSOs - are you prepared for the next security breach?

Mobile devices will eventually be a rich target for attackers, as they find further reach into the enterprise. But the adoption of such platforms is slowed by the security questions organizations rightfully have about them, which have as much to do with who is responsible for securing them as with how they might actually be secured. Employee-owned devices are a poor fit for the current landscape of MDM (Mobile Device Management) and MAM (Mobile Application Management) vendors, as employees really don’t want their personal phone to be managed by their employer. Continue Reading»

What CSOs must know about security breaches that come through mobile devices including tablets and smartphone

Mobile risk management (MRM) is an emerging category of technologies that empower organizations to identify, mitigate and manage the risks associated with mobile devices. MRM helps organizations go beyond traditional MDM practices, which have primarily relied on risk avoidance or control tactics, to protect corporate data and ensure regulatory compliance. Achieving the right balance of device management, risk mitigation and compliance assurance while maximizing device utility and user acceptance requires a thoughtful and integrated approach to MRM. Continue Reading»

Shifts in file transfer strategies and advice to CISOs on implementing a secured Data in Motion strategy that avoids disrupting operations

Secure Data in Motion strategies today are often initiated after an organization discovers security limitations or a lack of mobile access in their existing systems.  With that in mind, it is essential that today’s file transfer platforms have strong security attributes (including FIPS 140-2 validated cryptography, lockouts and alerts, and multi-factor authentication) and strong mobile support (including support for tablets like Apple’s iPad and Amazon’s Kindle Fire). Continue Reading»

What CISOs, Compliance Officers and IT Operations need from a mobile security offering

Clearly more and more information workers are following the BYOD (“Bring Your Own Device”) trend and accessing critical corporate information from their mobile devices.  Given the ease with which a device can be lost or stolen, and the often inconsistent security policies that are applied to mobile devices (if applied at all), there is a significant demand by IT organizations to lock down and secure mobile devices accessing their corporate networks. These challenges are compounded by the fact that users have their own device preferences - heterogeneity will certainly exist with mobile devices as it does today for systems in the data center. Continue Reading»

What’s the future for cloud security and why enterprises will be willing to outsource their security requirements

We are seeing great investment by cloud providers and security vendors, and the direction is promising. In some ways, because it allows better management and flexible control of resources, cloud computing can be more secure than traditional IT. This was recently recognized by the NSA director and U.S. Cyber Command commander, Gen. Keith Alexander. In other ways, fundamental breakthroughs in technology are still needed. We see these coming from the fields of key-splitting technology and homomorphic encryption. If these are properly implemented, they allow you to be in the cloud without losing control, because sensitive data or keys are encrypted even when in use in the cloud, which means cloud providers cannot know them, and even security vendors never know them. Continue Reading»

What an organization should consider before making the move to next-generation security devices

In today’s environment and with NGFWs, IT must understand what applications are needed by what users and provide access. Without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing http, and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk. It is clear that at least for certain parts of the network, next-generation firewalls make a whole lot of sense. However, generally speaking, more granular network security policies equal more complexity. So the big question becomes, how can organizations take advantage of the clear benefits of NGFWs while minimizing the complexity, administrative burden and risk from improper configurations? Continue Reading»

How identity management has evolved over the years and what is cloud-based identity management

Cloud-based identity management offers a lot of promise for global organizations. It can provide them with pay-as-you-go options that reduce capital expense and the ability to scale the solution on demand as the environment grows. Using cloud-based identity management is easier for small companies who have fewer applications and systems to manage, because this minimizes the cost and complexity of integration. For larger organizations (with hundreds to thousands of resources), cloud-based identity management can present greater challenges. Many organizations consider identity data to be confidential data, so the right security measures must be in place to ensure secure communications. Continue Reading»

A CSO's guide to choosing an appropriate VPN solution

One of the best ways to keep a mobile workplace deployment safe and secure is to get employees fully on board with security policies and to educate them on why it’s essential to keep corporate data, and personal data, secure. CSOs need to ensure employees are aware of the risks of identity theft, email phishing and mobile phishing scams, plus other personal security issues, and show them how to safeguard data. In addition, modern solutions now include many security features, ensuring that data protection and mobile workplaces need not be mutually exclusive. Some solutions, for example, never store any data on the mobile device. Thus, data securely remains in the company network even if the device is stolen or lost. Continue Reading»

Using Account Holder Behavior to Prevent Banking Fraud

Behavioral analytics is a proven anomaly detection methodology based on the fact that every individual behaves uniquely. Rather than look for specific malware or fraud indicators, which are too numerous and changing too rapidly for institutions to keep up, behavioral analytics monitors individual banking sessions and compares activity with known legitimate account holder behavior to determine if this behavior during this session is legitimate behavior or suspicious. During an online fraud attack a criminal will do something unexpected or unusual, something that makes it clear that this is not the legitimate account holder. Continue Reading»
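The passage above describes the method but not what "known legitimate account holder behavior" looks like in code. The following is an added illustration, not code from the original article or from any vendor: it builds a per-account profile from a constructed history of confirmed-legitimate sessions (login hour, device fingerprint, payees, amount moved, seconds from login to first transfer; all field names and weights are assumptions for this example) and scores a new session by how far it departs from that profile, so that no malware signature is involved.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: sessions the bank has already confirmed as the real
# account holder. Field names and values are assumptions for this example.
HISTORY = [
    {"hour": 19, "device": "iphone-a1", "payees": ["electric-co"], "amount": 120.0, "secs_to_transfer": 240},
    {"hour": 20, "device": "iphone-a1", "payees": ["landlord"], "amount": 95.0, "secs_to_transfer": 310},
    {"hour": 8, "device": "macbook-c7", "payees": ["electric-co", "landlord"], "amount": 130.0, "secs_to_transfer": 180},
    {"hour": 19, "device": "iphone-a1", "payees": ["landlord"], "amount": 110.0, "secs_to_transfer": 275},
]

# A session on the holder's usual phone, at a usual hour, to a usual payee.
LEGIT_SESSION = {"hour": 20, "device": "iphone-a1", "payees": ["electric-co"], "amount": 125.0, "secs_to_transfer": 200}

# A session from an unseen browser at 3am, draining the account to a new payee
# within seconds of login: the "something unexpected" the passage refers to.
FRAUD_SESSION = {"hour": 3, "device": "win-chrome-x9", "payees": ["acct-7781"], "amount": 4800.0, "secs_to_transfer": 25}

SUSPICIOUS_THRESHOLD = 50  # assumed cut-off; tune against real false-positive rates


def build_profile(sessions: List[Dict]) -> Dict:
    """Summarise what 'normal' looks like for one account holder."""
    amounts = [s["amount"] for s in sessions]
    return {
        "hours": {s["hour"] for s in sessions},
        "devices": {s["device"] for s in sessions},
        "payees": {p for s in sessions for p in s["payees"]},
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
        "min_secs": min(s["secs_to_transfer"] for s in sessions),
    }


def score_session(profile: Dict, session: Dict) -> Tuple[int, List[str]]:
    """Add weighted points for each way the session departs from the profile.
    Weights are assumptions; the point is that several weak signals combine."""
    score, reasons = 0, []
    if session["device"] not in profile["devices"]:
        score += 30
        reasons.append("unknown device")
    if session["hour"] not in profile["hours"]:
        score += 15
        reasons.append("unusual login hour")
    new_payees = set(session["payees"]) - profile["payees"]
    if new_payees:
        score += 25
        reasons.append(f"first payment to {sorted(new_payees)}")
    sd = profile["amount_sd"] or 1.0          # avoid division by zero on flat history
    z = (session["amount"] - profile["amount_mean"]) / sd
    if z > 3:
        score += 30
        reasons.append(f"amount {z:.0f} standard deviations above normal")
    if session["secs_to_transfer"] < profile["min_secs"] / 2:
        score += 20
        reasons.append("moved money far faster than this holder ever has")
    return score, reasons


def verdict(profile: Dict, session: Dict) -> str:
    score, _ = score_session(profile, session)
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "legitimate"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, session in (("legit", LEGIT_SESSION), ("fraud", FRAUD_SESSION)):
        score, reasons = score_session(profile, session)
        print(f"{label}: {verdict(profile, session)} (score {score}) {reasons}")
```

Note that a single novel signal (a first-time payee, say) stays below the threshold on its own; it is the combination of new device, odd hour, new payee, outsized amount and unnatural speed that pushes the fraudulent session far past it, which is what keeps this kind of scoring from blocking ordinary customers.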

What should a CSO look for when selecting an identity and access management solution

For years, organizations turned to traditional Identity and Access Management (IAM) solutions to secure their access to systems and information. These IAM implementations typically started with user provisioning, a process that put controls in place to ensure users were given only the access rights they needed to do their job. Then, the companies would perform periodic reviews or “certifications” – say, every three, six, nine, 12 months – to validate that those access rights were in line with policy. Continue Reading»

What CSOs need to know about protecting their data, applications, operating systems, and hypervisors

The need to protect consolidated assets has rendered many traditional backup and data recovery solutions ineffective in virtual environments. Additionally, this evolution in backup processes has spawned the emergence of new vendors focused solely on providing data protection solutions for virtual environments. The combination of these factors is forcing many companies to adopt a multi-vendor approach to data protection. Today, many companies are deploying different backup and data recovery solutions in their IT environments as discrete physical and virtual entities, as opposed to implementing a holistic backup and recovery solution. Continue Reading»

What CSOs should know about implementing and scaling multi-factor authentication solutions in their organizations

Megatrends such as the emergence of cloud computing, server and desktop virtualization, the proliferation of mobile technologies and bring-your-own-device (BYOD), the increase in employees requiring remote access, and the increased use of social networking in the work environment have created new vulnerabilities and risks for companies. Users expect to be able to access information from virtually anywhere via the Internet and mobile devices such as smart phones and tablets. Given the proliferation of employees working remotely and the use of mobile devices, and the potential threat that represents for corporate networks, authentication has become a higher priority for enterprises. Continue Reading»

What software developers need to know about software immune systems

There are so many risks to software, so many possible avenues of attack, that rather than focus on specific attack vectors, we simply ensure that the app continues to be uncompromised. The vast majority of security initiatives are designed to try to ensure that no threats escape into the system, but experience shows us that the threats appear anyway: whether through zero-day exploits, advanced persistent threats that are already there, administration mistakes, or even turncoat employees. Continue Reading»

Factors CSOs need to consider when choosing a secure file transfer solution

The next key area relates to the technology being used to exchange files. Standard FTP may be easy, and it’s still popular, but it is definitely not secure.  Staging files in the DMZ, or public-facing area of the network, for pick-up by trading partners is also risky since that is the most vulnerable segment of your network.   A third weakness in the security of an organization’s workflow management is relying too heavily on individual programmers to write manual scripts for file transfer projects. Continue Reading»

What every CSO should know about data security challenges

While organizations are used to collaborating internally, the need to collaborate with third parties like business partners, contractors, vendors and customers is increasing. Files are growing – too many and too large for email. We need to introduce processes that ensure the right sensitive information is shared with the right people, securely. We require solutions that will intelligently archive this information, while automating management, retention and protection. Continue Reading»

A CSO’s guide to empowering social media in the workplace

Social media poses many challenges to a company looking to enable it in the workplace.  First is the ability for a single individual to disseminate information on a global scale instantly.  Once posted, the impact of a tweet lasts forever, whether it was quickly removed or not.  Second, social media accounts often cross over between an individual’s personal and professional life, creating additional risk of something intended for a small, personal group to be widely distributed. Continue Reading»

What every CSO needs to know about protecting an organization’s data, effectively managing risk, and providing secured network access

Organizations need to keep data safe within the organization itself. With the advent of mobile and home working, this in itself is a lot more complex than it used to be. They also need to ensure that data shared with trusted third parties continues to remain secure.  While the use of encryption and other cyber security products plays an important part, the deployment and the policy framework around them are critical to ensure a robustly secure system. Continue Reading»

New security threats that may threaten enterprises and rethinking security strategies from scratch again

Security is too often viewed as the application of the latest doo-dad that the industry produces. Gartner tracks these things through something called a hype-cycle. So we see a recurring theme that someone thinks up a new tool that can protect people from "X" and the industry gets behind it and pushes it as the latest greatest must have, organizations buy the item, attempt to implement it and all too often we hear 9 months later that it's a failure - didn't deliver on its promises. Really successful CSOs are viewed by their organization as enabling the business to achieve higher revenues and lower costs. They are a trusted partner in the business. Selecting solutions or providers that will map to your needs and organization (not the other way around) and that will adapt to your changes over time is where long-term benefits can be realized. Continue Reading»

How to secure online services affordably for Internet Content Providers (ICPs) and end-users, which hardware tokens failed to do

Today Cloud-based services are available where the ICPs don’t even know who the user is and where he/she lives. So how can an ICP roll out a token to these users, even if the ICP can afford to do so? We believe a new revolutionary thinking, and a paradigm shift, or a new ecosystem within the authentication industry is necessary to meet the demands. A majority of ICPs will accept a third party authentication service, similar to the OpenID concept, when the end-users are conscious of the risks online and start to demand a better protection of their privacy and their personal property online. Continue Reading»

How CSOs can balance convenience and security when it comes to implementing a better enterprise mobility strategy

The standard IT answer had been “we don’t support that device”, but the avalanche of new devices and the pressure often emanating from the C-suite on supporting smartphones and tablets has been too hard to resist.  Actually there is promise of cost savings in not purchasing and maintaining smart phones but letting employees buy their own devices, and still being able to access the corporate data securely.  Shifting responsibility for the device to employees has profound impacts on the company. Continue Reading»

Why most businesses are not truly secured yet in spite of already having invested in security appliances and services

Most antimalware products are well able to address the threat of malware that has been "in the wild" for more than a few weeks or months. However it is the newest pieces of malware that represent the greatest risk. So called "zero day" threats are literally so new that no signatures exist to protect against them. This problem has driven a tremendous amount of innovation and new thinking in the security industry, of which cloud scanning is just one example. Moving the "heavy lifting" of malware detection from the endpoint to the cloud has resulted in three key benefits: firstly, it significantly reduces the tax on the endpoint device by pushing the compute cycles to massively scalable cloud infrastructures. Secondly – leveraging multiple technologies and large amounts of computing power enables vendors to provide their customers with substantially greater coverage than would be possible with endpoint-based approaches alone. Continue Reading»

What makes Wisegate different from other social networks and what popular information security topics are being discussed right now

We in this industry are accustomed to the risk of making decisions without knowledge from experienced peers, which in fact can reduce the decision risk significantly. The risk of sharing our questions to get better information and to be better informed is a good idea. Wisegate is a new breed of information security sharing forum that keeps vendors out to enable senior IT professionals to openly, yet securely, tap the collective wisdom of their peers to quickly solve some of the industry’s most pressing issues. Some of the hot topics being discussed on Wisegate right now include "bring your own device" (BYOD) policies, cyber security collaboration, navigating the global compliance maze, employee access to social media, and lessons learned on security product implementations such as Threat Management, GRC, SIEM, Identity & Access Management, DLP/Data Security and more. Continue Reading»

A different approach to training end-users, justifying the ROI and defending against cyber security attacks

Chief information security officers (CISOs) quickly abandon their old training methodologies after learning about a new method that is scalable software, engages the user in practicing what they are learning, and takes less than ten minutes for each lesson.  They also love the fact that they gather actionable and measurable data about their employee population to be able to address weaknesses instead of the “check the box” training of the past. Wombat’s cyber security training is different because of its application of learning science principles, coupled with cyber security expertise and engaging software techniques. Continue Reading»

Critical mistakes still happening in IT security and the threats most enterprises are least prepared to subvert

Everything is put online and networked, and this is a mistake because it makes everything potentially accessible and vulnerable to attack.  Along with this, everything is put on common platforms to make it cheaper and simpler to manage – and often sharing the same vulnerabilities. There is no overall plan for security based on risk and sensitivity.  Not everything needs to be protected the same way or at the same level of intensity; defenses should be focused where the need (and potential loss) are greatest. Continue Reading»

A CSO's guide to the impact of new technologies and threats on security policy

Both modern networks and modern threats are complex, so it is natural to find complexity in firewall policies. However there are factors that add complexity which can certainly be dealt with. For starters, many firewall policies have been in place for a while, and contain unused rules, redundant rules or rules that can be optimized to reduce complexity. Many organizations have different firewall types, including next-generation firewalls, and vendors in the network - all which require different expertise and additional time to manage. Additionally, most rules on the firewall exist to support connectivity for a business application (E.g. corporate email, online stores etc.) - so having visibility of how the firewall policy relates to applications greatly simplifies its management. Continue Reading»
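The two firewall passages above (the NGFW rule explosion and the unused, redundant and shadowed rules that accumulate in long-lived policies) describe the cleanup problem without showing how the classes of dead rule are found. The following is an added example, not code from the original articles or from any firewall vendor: it models a first-match policy as a list of rules (the `Rule` fields and the hit counters are assumptions for this example, IPv4 only) and walks it in match order, reporting rules that an earlier rule of the same action already covers (redundant, safe to delete), rules an earlier rule of the opposite action already covers (shadowed, the intended exception never fires) and rules nothing covers that have still never matched (unused, a candidate for review).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Field layout and the hit counter are assumptions for this example."""
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source CIDR (IPv4 only here)
    dst: str                    # destination CIDR
    ports: Tuple[int, int]      # inclusive destination port range
    hits: int = 0               # matches reported by the firewall's counters


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` would also match `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    src_in = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_in = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_in = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_in and dst_in and ports_in


def analyze(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk a first-match policy and report, per rule name:
    ("redundant", earlier) - an earlier rule with the same action already covers it.
    ("shadowed", earlier)  - an earlier rule with the opposite action covers it, so
                             this rule can never fire and its exception is lost.
    ("unused", None)       - nothing above explains it, yet it has never matched.
    Rules that are covered are not also reported as unused: the cover explains the zero."""
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[rule.name] = (kind, earlier.name)
                break
        else:
            if rule.hits == 0:
                findings[rule.name] = ("unused", None)
    return findings


# Constructed sample policy in match order (first match wins).
POLICY = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (80, 80), hits=120),
    Rule("deny-telnet", "deny", "any", "0.0.0.0/0", "10.0.0.0/8", (23, 23), hits=3),
    Rule("allow-web-branch", "allow", "tcp", "192.168.0.0/16", "10.0.1.0/24", (80, 80), hits=0),
    Rule("allow-telnet-admin", "allow", "tcp", "192.168.1.0/24", "10.0.2.0/24", (23, 23), hits=0),
    Rule("allow-ssh-admin", "allow", "tcp", "192.168.1.0/24", "10.0.0.0/8", (22, 22), hits=0),
    Rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.0.0.53/32", (53, 53), hits=900),
]

if __name__ == "__main__":
    for name, (kind, by) in analyze(POLICY).items():
        print(f"{name}: {kind}" + (f" (covered by {by})" if by else ""))
```

Two caveats a practitioner will hit: a zero hit count on a deny rule is normal (it is doing its job by not being needed), so "unused" is a review flag rather than a deletion list, and the cover test here is whole-rule containment; a rule that is only partially eclipsed by several earlier rules together needs a set-based comparison this sketch does not attempt.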

What is mobile risk management (MRM) and how to implement a BYOD policy

A risk-focused approach to BYOD starts by looking at the inherent security threats, vulnerabilities and compliance risks that may be introduced by allowing personal-liable devices to store confidential corporate data and connect to the corporate network. With BYOD, organizations can no longer dictate which devices and operating systems are permitted on the network, and they don’t have the luxury of forcing users to upgrade their software or deploy security patches when new vulnerabilities are discovered. They are not typically permitted to wipe a personal-liable device in the event that it is lost or stolen, and may have limited controls over data encryption and device-level user authentication. Continue Reading»

TRENDING NOW

A quick guide to personal security threats consumers face when using their own mobile devices at work

Security education is absolutely critical. It does not matter how many firewalls, antivirus systems or other technical security controls you deploy; the human factor consistently shows up at the heart of most modern data breach attacks. From an attacker’s perspective, the most important foothold he can gain on a network is the one that gets him past the firewall and other network defense systems. This is typically accomplished by enticing a user to open a malicious email attachment or visit a web page capable of installing a rootkit. Security education is the most important element in combating threats such as these. Continue Reading»

What CSOs need to know about cloud security

The traditional approach to security was architected around defending the perimeter: all your users and the data to be protected were within the corporate network, which you then defended at the perimeter from external attack.  Today, the growth and adoption of cloud computing, which results in more and more corporate data living outside the organization, together with the growing mobility of the workforce, is causing network de-perimeterization, where the on-premise gateway controls are initially complemented, and eventually replaced, by cloud-based solutions that are able to provide every user 100% of the protection no matter their location. Continue Reading»

Eliminating security risks of using remote desktop solutions

The key challenge is around how to securely deliver applications and data to your mobile workforce. iOS, Android, Blackberry, and even WinPhone face many application and data compatibility and security issues. Many traditional apps are Windows based, and it’s cost prohibitive or sometimes simply impossible to re-write these apps for mobile devices. Companies are looking for ways to bring the long tail of business apps and data securely to mobile devices to empower employees and maximize productivity. Continue Reading»

Global operational challenges and developing cost-effective crisis management and business continuity programs

Risks vary enormously by location. In some locations, physical risks are the greatest concerns. Over my career, I’ve been involved with protecting employees in locations as varied as Angola, Algeria, Yemen, the Congo, and Papua New Guinea, among other locations.  In such operations, standard physical security measures are essential, but are only as good as the employees onsite.  Employing experienced professionals who understand the precautions and are willing to “stay within the security envelope” is essential. On a few occasions over my career with different employers, we had to send expatriates home because they were unwilling to abide by our security guidelines.  That type of behavior poses unacceptable risks not only to the employees themselves, but to the operation as a whole.  Continue Reading»

Why security breaches are still happening and what really is a tailored authentication approach

Self-service password reset strategies are static and do not take into consideration the events surrounding the reset request, such as what device the user is on or what their location is. Risk-based authentication provides the framework to adjust the self-service password reset method based on the user’s real-time context, including time, location, network, device and application, and/or on policy defined for a particular user, group or organization. The Tailored Authentication approach is for customers who have a unique user base, organizational complexities, specific security and compliance requirements, or multiple and diverse applications; for them, our expert professional services and development team will develop a solution adapted to their environment and delivered within the framework of our standard PortalGuard software product.  Continue Reading»
Biggest threat in the coming year for enterprises adopting cloud infrastructure
Every conversation about current or impending strategies for information assets almost universally contains some mention of a public, private or hybrid cloud deployment. A more interesting observation of these conversations is that the lure of liberating ourselves from the burden of managing applications and data shouldn’t mean we stop having high expectations about how those applications and data are managed. Unfortunately, moving infrastructure and/or applications into public or private clouds doesn't necessarily make you more secure, compliant or risk-free. Continue Reading»
How prevalent are social engineering attacks and what can be done to combat them
Social engineering attacks are very prevalent today; however, it’s difficult to generate statistics on exactly how widespread they are.  This is because when an attack is executed correctly, the victim is unaware that they’ve been taken advantage of.  In addition, these attacks are difficult to investigate because we are dealing with human and not hardware interaction.  If an attacker bypasses an organization’s physical security via a technique such as “piggybacking”, there will most likely be evidence of that security breach in the form of video surveillance data.  However, there are no logs or security reports to review if an attacker scours the Internet searching for information related to the victim organization such as employee names, phone numbers or the networking equipment that is used. Continue Reading»
What companies can do to ensure success from a security and privacy perspective with cloud-based initiatives
Cloud-based initiatives are more complex from a security and privacy perspective than legacy IT implementations for a myriad of reasons. When evaluating Cloud service models including public, private, hybrid and community Clouds, it is necessary to engage the audit and compliance functions within your organization. From an IT operations perspective, you may be leaning towards a public Cloud model based on efficiencies gained which favorably impact your organization’s bottom line. However, once you understand the required risk mitigation controls needed to comply with industry standards and legislation (PCI, HIPAA, GLBA), state and national legislation (breach notification, SOX), organizational sensitive information and customer requirements (SSAE 16 SOC 1, ISO 27001), it may turn out that a hybrid or private Cloud model is most prudent based on your organization’s risk appetite. Continue Reading»
Spear Phishing: How Ready is your Organization to Fend off Attacks
Reducing the effectiveness of malicious attacks means securing any and all employee information so that these tactics can be easily identified and thwarted – and using big data analysis to detect behavior that’s outside the pattern of the norm for any given set of actions or communications. Pattern-matching and signatures fall behind the curve of rapid change; real-time analysis of patterns is by definition always current and aware of anomalies, hence the emerging field of Anomalytics. Continue Reading»
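As an added example of the "outside the pattern of the norm" analysis the excerpt contrasts with signatures (example code written for this page, not the author's product), the detector below builds a per-recipient baseline of sender domains from constructed mail history and then flags incoming messages on three behavioural signals rather than any static signature: a display name that matches a real employee but comes from an outside address, a sender domain within a small edit distance of the corporate domain, and a sender domain the recipient has never corresponded with. The employee directory, the history, the sample messages and the edit-distance threshold are all constructed assumptions.

```python
"""Spear-phishing triage by deviation from a correspondence baseline.

Added example; the directory, history and messages below are constructed
for illustration and the corporate domain is assumed to be example.com.
"""
import re
from collections import defaultdict

CORP_DOMAIN = "example.com"
# Assumed employee directory: display name -> canonical address.
EMPLOYEES = {"bob smith": "bob.smith@example.com", "alice jones": "alice@example.com"}
# Constructed history: (recipient, sender) pairs seen in legitimate prior mail.
HISTORY = [
    ("alice@example.com", "bob.smith@example.com"),
    ("alice@example.com", "sales@acme-widgets.com"),
]
# Constructed inbound messages to evaluate.
MESSAGES = [
    {"id": 1, "from": '"Bob Smith" <bob.smith@example.com>', "to": "alice@example.com", "subject": "Q3 numbers"},
    {"id": 2, "from": '"Bob Smith" <bob.smith@gmail.com>', "to": "alice@example.com", "subject": "Urgent wire transfer"},
    {"id": 3, "from": '"IT Support" <helpdesk@examp1e.com>', "to": "alice@example.com", "subject": "Password expiry"},
    {"id": 4, "from": '"Acme Sales" <sales@acme-widgets.com>', "to": "alice@example.com", "subject": "Renewal quote"},
    {"id": 5, "from": '"Conference Team" <info@sec-summit.org>', "to": "alice@example.com", "subject": "Your invitation"},
]

FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')


def parse_from(header):
    """Split a From: value into (display name, address), both lower-cased."""
    m = FROM_RE.match(header)
    if m:
        return m.group("name").strip().lower(), m.group("addr").strip().lower()
    return "", header.strip().lower()          # bare address with no display name


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def is_internal(dom):
    return dom == CORP_DOMAIN or dom.endswith("." + CORP_DOMAIN)


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_baseline(history):
    """recipient -> set of sender domains that recipient has legitimately exchanged mail with."""
    seen = defaultdict(set)
    for rcpt, sender in history:
        seen[rcpt.lower()].add(domain_of(sender.lower()))
    return seen


def analyze(messages, history=HISTORY, employees=EMPLOYEES, lookalike_max=2):
    """Return {message id: [reasons]} for every message that deviates from the baseline."""
    seen = build_baseline(history)
    findings = {}
    for msg in messages:
        name, addr = parse_from(msg["from"])
        dom = domain_of(addr)
        rcpt = msg["to"].lower()
        reasons = []
        if name in employees and employees[name] != addr:
            reasons.append("display_name_spoof")        # known colleague's name, foreign mailbox
        if not is_internal(dom) and edit_distance(dom, CORP_DOMAIN) <= lookalike_max:
            reasons.append("lookalike_domain")          # typo-squat of our own domain
        if not is_internal(dom) and dom not in seen[rcpt]:
            reasons.append("first_contact")             # never corresponded with this domain
        if reasons:
            findings[msg["id"]] = reasons
    return findings


if __name__ == "__main__":
    for msg_id, reasons in analyze(MESSAGES).items():
        print(msg_id, reasons)
```

Message 5 shows why the signals are combined rather than used singly: a first contact on its own is normal business mail and should lower the priority, whereas first contact plus a spoofed colleague name (message 2) or a look-alike domain (message 3) is the pattern a spear phish leaves.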
Incentives for enterprises to migrate to a cloud-based security solution even if they have already invested heavily in classic products and services
Classic solutions are expensive, difficult to deploy, and require in-house administration and maintenance.  In addition, they require scarce security resources that can understand compliance and regulatory requirements and quickly adjust setup and configuration as needed.  However, this is not a core competency for most organizations.  Cloud-based solutions, by design, are multi-tenant and scalable.  This allows the cost of development and administration to be spread across multiple customers and therefore significantly reduces the overall cost for any one customer.  Furthermore, CloudAccess’ focus on security means we continuously upgrade and update our systems to meet regulatory and compliance requirements. We are constantly improving our databases with the latest threat and risks knowledge so that we can prevent and mitigate any challenge and serve as our client’s best line of defense. Continue Reading»
A CSO’s guide to key security risks that impact online business-critical applications
Many felt this heralded the death of the firewall, but quite the contrary – firewalls were instead leveraged extensively (and quite strategically within the network) to create “mini perimeters” (network segments or zones) around clusters of network resources.  Firewalls now manage secure access to resources within these zones as well as manage the flow of traffic across them.  This is what set the stage for firewalls playing such a key role in managing application connectivity. Continue Reading»
A CSO’s guide to cloud security and moving to public cloud
Since private cloud architectures most closely mimic traditional on-premises datacenters and virtualization infrastructures, people often think that they can deploy the same technical controls to protect them. For the most part, they’re correct. The problem, however, is that the benefits of cloud computing, namely elastic operation and dynamic state of the cloud servers, have the potential to break traditional security tools. Static firewall configurations work well in a static environment, but if the IP address is constantly changing, the organization will forever be updating firewall rules to adapt – something that may cause an unacceptable amount of downtime in a production environment. Also, if a server is only spun up to handle dynamic workloads, how likely is it that the server will comply with the organizational baseline for server deployment? Continue Reading»
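The two firewall excerpts above (zones as "mini perimeters" and static rules breaking when cloud addresses churn) can be shown side by side in one added example; this is illustration code written for this page, not either author's product. Zone-to-zone policy is the same in both models; what differs is how a packet's source and destination are mapped to a zone. The static model matches explicit host addresses, so a replacement web server on a fresh IP is silently cut off. The inventory model looks the address up in what the orchestration layer knows about live instances, so the replacement inherits its zone, and a host that was never admitted (for instance because it failed the deployment baseline) gets no zone and is denied by default. The zone policy, addresses, approved-image list and baseline criteria are all assumptions.

```python
"""Zone segmentation with static host rules versus inventory-driven membership.

Added example with assumed policy, addresses and baseline criteria.
"""

# Which zone may reach which, on which TCP ports (assumed policy; anything absent is denied).
POLICY = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("mgmt", "web"): {22}, ("mgmt", "app"): {22}, ("mgmt", "db"): {22},
}

# Traditional rule base: explicit (src host, dst host, port) entries.
STATIC_RULES = {
    ("10.0.1.15", "10.0.2.7", 8080),
    ("10.0.2.7", "10.0.3.5", 5432),
}

# Constructed cloud inventory: address -> what orchestration knows about the instance.
INVENTORY = {
    "10.0.1.15": {"name": "web-1", "zone": "web"},
    "10.0.2.7": {"name": "app-1", "zone": "app"},
    "10.0.3.5": {"name": "db-1", "zone": "db"},
}

APPROVED_IMAGES = {"corp-base-2013.02"}   # assumed hardened-image list


def static_allowed(rules, src, dst, port):
    """Classic firewall: the flow must match an explicit host-to-host rule."""
    return (src, dst, port) in rules


def zone_of(inventory, ip):
    return inventory.get(ip, {}).get("zone")


def tag_allowed(inventory, src, dst, port):
    """Inventory-driven firewall: resolve each address to a zone, then apply zone policy."""
    src_zone, dst_zone = zone_of(inventory, src), zone_of(inventory, dst)
    if src_zone is None or dst_zone is None:
        return False                                  # unknown workload: default deny
    return port in POLICY.get((src_zone, dst_zone), set())


def baseline_ok(attrs):
    """Minimal deployment-baseline check (assumed criteria): approved image plus agent."""
    return attrs.get("image") in APPROVED_IMAGES and attrs.get("agent_installed", False)


def admit_instance(inventory, ip, name, zone, attrs):
    """Return a new inventory that includes the instance only if it meets the baseline."""
    inv = dict(inventory)
    if baseline_ok(attrs):
        inv[ip] = {"name": name, "zone": zone}
    return inv


def autoscale_scenario():
    """Replace web-1 with web-2 on a new address; return (before, after) verdicts.

    Each verdict is (static model allows, inventory model allows) for web -> app:8080.
    """
    before = (static_allowed(STATIC_RULES, "10.0.1.15", "10.0.2.7", 8080),
              tag_allowed(INVENTORY, "10.0.1.15", "10.0.2.7", 8080))
    inv = dict(INVENTORY)
    inv.pop("10.0.1.15")                                # web-1 terminated
    inv = admit_instance(inv, "10.0.1.42", "web-2", "web",
                         {"image": "corp-base-2013.02", "agent_installed": True})
    after = (static_allowed(STATIC_RULES, "10.0.1.42", "10.0.2.7", 8080),
             tag_allowed(inv, "10.0.1.42", "10.0.2.7", 8080))
    return before, after


if __name__ == "__main__":
    print(autoscale_scenario())   # the static model loses the flow after the replacement
```

The `admit_instance` step is where the last question in the excerpt gets a concrete answer: a server that is spun up outside the approved image or without the monitoring agent never enters the inventory, so it never acquires a zone and cannot talk to anything, instead of quietly inheriting access because it happened to land in the right subnet.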
How social networks, online communities and multiple devices are increasing the possibilities of uncharted security threats to enterprises
What many business executives who are encouraging the “BYOD” model are overlooking is the fact that personal devices like smartphones, iPods, iPads and even digital cameras are easily concealable mass-storage devices capable of copying and taking many gigabytes of private company data outside of the company’s premises. When an employee walks through security and upstairs to their workstation, they’re free to connect these devices and download whatever they have the credentials to see on their screen. These incidents happen all the time and aren’t just limited to malicious, disgruntled employees, but can be innocent inadvertent mistakes made by well-meaning employees who are using their own devices for personal Facebook postings as well as work-related projects. This creates a very dangerous risk of data leakage from the company to the outside world. Continue Reading»
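One check a practitioner would want against the removable-media risk described above is to know when a mass-storage device is plugged into a workstation and whether it is an approved one. The added example below (written for this page, not the author's) scans Linux kernel messages in syslog form: it remembers the vendor:product pair from each "New USB device found" line and raises an event when a later "usb-storage ... USB Mass Storage device detected" line appears for the same host and port, so an HID receiver that enumerates but never binds to usb-storage is ignored. The log lines and the allowlist of approved device IDs are constructed for the example.

```python
"""Flag USB mass-storage attachments from kernel log lines.

Added example; the log excerpt and the approved-device list are constructed.
"""
import re

# Constructed kernel messages for two hosts, roughly as syslog would record them.
SAMPLE_LOG = [
    "Mar  4 09:12:01 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Mar  4 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "Mar  4 09:12:01 ws-17 kernel: usb 1-1: Product: Ultra Fit",
    "Mar  4 09:12:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Mar  4 09:12:02 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Mar  4 09:20:11 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03",
    "Mar  4 09:20:11 ws-17 kernel: usb 1-2: Product: USB Receiver",
    "Mar  4 10:02:45 ws-22 kernel: usb 2-3: New USB device found, idVendor=1b1c, idProduct=1a0f, bcdDevice= 1.00",
    "Mar  4 10:02:45 ws-22 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected",
]

# Assumed allowlist of corporate-issued drives, keyed "idVendor:idProduct".
APPROVED = {"1b1c:1a0f"}

SYSLOG = r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEV_RE = re.compile(
    SYSLOG + r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE_RE = re.compile(
    SYSLOG + r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected"
)


def find_mass_storage(lines, approved=APPROVED):
    """Return one event per mass-storage attachment, in log order.

    Each event carries host, USB port, "vid:pid", the enumeration timestamp and
    whether the device is on the allowlist.
    """
    pending = {}    # (host, port) -> (vid:pid, timestamp) from the latest enumeration
    events = []
    for line in lines:
        m = NEW_DEV_RE.match(line)
        if m:
            pending[(m["host"], m["port"])] = (f'{m["vid"]}:{m["pid"]}', m["ts"])
            continue
        m = STORAGE_RE.match(line)
        if m:
            dev_id, ts = pending.get((m["host"], m["port"]), ("unknown", m["ts"]))
            events.append({
                "host": m["host"],
                "port": m["port"],
                "device": dev_id,
                "time": ts,
                "approved": dev_id in approved,
            })
    return events


def unapproved_hosts(events):
    """Hosts where a device outside the allowlist was attached."""
    return sorted({e["host"] for e in events if not e["approved"]})


if __name__ == "__main__":
    for event in find_mass_storage(SAMPLE_LOG):
        print(event)
    print("needs follow-up:", unapproved_hosts(find_mass_storage(SAMPLE_LOG)))
```

Attachment alone does not prove that data left the building, so this is a trigger for follow-up (which user was logged on, what was mounted, what was written) rather than a verdict; the point is that the event is at least recorded, which the excerpt's "walk upstairs and connect" scenario otherwise is not.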