Webinar: How to think about cybersecurity the way executives think about business

It’s time to change the way we think about cybersecurity and risk management. Cybersecurity is no longer an IT problem to solve or a “necessary evil” to cost manage. Rather, cybersecurity has rapidly stormed the boardroom as a result of high-profile and costly data breaches.


Get the following insights from this webinar:

  • Recent events have changed our focus from protecting the perimeter
  • Risk management is a formula based on the cost of an undesirable outcome times the likelihood of its occurrence
  • Embracing cybersecurity as a factor in corporate risk management means firms can adapt quickly

What is confidential computing? How can you use it?

What is confidential computing? Can it strengthen enterprise security? Sam Lugani, Lead Security PMM, Google Workspace & GCP, answers these and other questions in this Help Net Security interview.


How does confidential computing enhance the overall security of a complex enterprise architecture?

We’ve all heard about encryption in-transit and at-rest, but as organizations prepare to move their workloads to the cloud, one of the biggest challenges they face is how to process sensitive data while still keeping it private. However, when data is being processed, there hasn’t been an easy solution to keep it encrypted.

Confidential computing is a breakthrough technology which encrypts data in-use – while it is being processed. It creates a future where private and encrypted services become the cloud standard.

At Google Cloud, we believe this transformational technology will help instill confidence that customer data is not being exposed to cloud providers or susceptible to insider risks.

Confidential computing has moved from research projects into worldwide deployed solutions. What are the prerequisites for delivering confidential computing across both on-prem and cloud environments?

Running workloads confidentially will differ based on what services and tools you use, but one thing is given – organizations don’t want to compromise on usability and performance, at the cost of security.

Those running Google Cloud can seamlessly take advantage of the products in our portfolio, Confidential VMs and Confidential GKE Nodes.

All customer workloads that run in VMs or containers today can run as confidential workloads without significant performance impact. The best part is that we have worked hard to hide the complexity: enabling it is a single checkbox.


What type of investments does confidential computing require? What technologies and techniques are involved?

To deliver on the promise of confidential computing, customers need to take advantage of security technology offered by modern, high-performance CPUs, which is why Google Cloud’s Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC processors.

To support these environments, we also had to update our own hypervisor and low-level platform stack while also working closely with the open source Linux community and modern operating system distributors to ensure that they can support the technology.

Networking and storage drivers are also critical to the deployment of secure workloads and we had to ensure we were capable of handling confidential computing traffic.

How is confidential computing helping large organizations with a massive work-from-home movement?

As we entered the first few months of dealing with COVID-19, many organizations expected a slowdown in their digital strategy. Instead, we saw the opposite – most customers accelerated their use of cloud-based services. Today, enterprises have to manage a new normal which includes a distributed workforce and new digital strategies.

With workforces dispersed, confidential computing can help organizations collaborate on sensitive workloads in the cloud across geographies and competitors, all while preserving privacy of confidential datasets. This can lead to the development of transformation technologies – imagine, for example, being able to more quickly build vaccines and cure diseases as a result of this secure collaboration.

How do you see the work of the Confidential Computing Consortium evolving in the near future?

Google was among the founding members of the Confidential Computing Consortium, operating under the umbrella of the Linux Foundation to facilitate adoption of confidential computing.

Cloud providers, hardware manufacturers, and software vendors all need to work together to define standards to advance confidential computing. As the technology garners more interest, sustained industry collaboration such as the Consortium will be key to helping realize the true potential of confidential computing.

Save 40% on CISSP or CCSP training until November 30

Achieving the globally respected (ISC)² CISSP or CCSP certifications can catapult your career, leading to more credibility, better opportunities and increased earning potential.

To help you stay committed to your certification, through November 30, (ISC)² is offering a 40% discount off Official CISSP and CCSP Online Instructor-Led Trainings when you bundle with an exam voucher. Training seats are limited, so secure your spot today!


Online instructor-led training and exam bundle

Your bundle includes:

  • Direct access to an (ISC)² Authorized Instructor
  • Exam voucher (valid for 12 months)
  • Official (ISC)² Student Training Guide (electronic, 1-year access)
  • Interactive flash cards
  • Post-course assessment
  • Continued access to course content for 6 months

Official (ISC)² online instructor-led training

Perfect for distance learning, this hands-on training format offers the structure of a real-time class in a virtual setting, with the option to access course recordings. And since it’s Official (ISC)² Training, you will be learning the most relevant, up-to-date content developed by (ISC)², creator of the CISSP and CCSP Common Body of Knowledge (CBK).

View the training schedule and don’t miss out! Offer ends November 30, 2020.

As attackers evolve their tactics, continuous cybersecurity education is a must

As the Information Age slowly gives way to the Fourth Industrial Revolution, with the rise of IoT and IIoT, on-demand availability of computer system resources, big data and analytics, and cyber attacks on business environments all affecting our everyday lives, there is an increasing need for knowledgeable cybersecurity professionals and, unfortunately, an increasing cybersecurity workforce skills gap.


The cybersecurity skills gap is huge

A year ago, (ISC)² estimated that the global cybersecurity workforce numbered 2.8 million professionals, when there’s an actual need for 4.07 million.

According to a recent global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG), there has been no significant progress towards a solution to this problem in the last four years.

“What’s needed is a holistic approach of continuous cybersecurity education, where each stakeholder needs to play a role versus operating in silos,” ISSA and ESG stated.

Those starting their career in cybersecurity need many years to develop real cybersecurity proficiency, the respondents agreed. They need cybersecurity certifications and hands-on experience (i.e., jobs) and, ideally, a career plan and guidance.

Continuous cybersecurity training and education are key

Aside from the core cybersecurity talent pool, new job recruits are new graduates from universities, consultants/contractors, employees at other departments within an organization, security/hardware vendors and career changers.

One thing they all have in common is the need for constant additional training, as technology advances and changes and attackers evolve their tactics, techniques and procedures.

Though most IT and security professionals use their own free time to improve their cyber skills, they must learn on the job and get effective support from their employers for their continued career development.

Times are tough – there’s no doubt of that – but organizations must continue to invest in their employees’ career and skills development if they want to retain their current cybersecurity talent, develop it, and attract new, capable employees.

“The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles,” noted Deshini Newman, Managing Director EMEA, (ISC)².

Certifications show employers that cybersecurity professionals have the knowledge and skills required for the job, but also indicate that they are invested in keeping pace with a myriad of evolving issues.

“Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities,” she pointed out.

GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.


“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature is built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.


“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) helps developers discover and remedy vulnerabilities in the open source components included in an application, and prioritize them by severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to over 50 million GitHub users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides a convenient way to triage and prioritize fixes, a process that could be cumbersome, usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

CPRA: More opportunity than threat for employers

Increasingly demanded by consumers, data privacy laws can create onerous burdens on even the most well-meaning businesses. California presents plenty of evidence to back up this statement, as more than half of organizations that do business in California still aren’t compliant with the California Consumer Privacy Act (CCPA), which went into effect earlier this year.


As companies struggle with their existing compliance requirements, many fear that a new privacy ballot initiative – the California Privacy Rights Act (CPRA) – could complicate matters further. While it’s true that if passed this November, the CPRA would fundamentally change the way businesses in California handle both customer and employee data, companies shouldn’t panic. In fact, this law presents an opportunity for organizations to change their relationship with employee data to their benefit.

CPRA, the Californian GDPR?

Set to appear on the November 2020 ballot, the CPRA, also known as CCPA 2.0 or Prop 24 (its name on the ballot), builds on what is already the most comprehensive data protection law in the US. In essence, the CPRA will bring data protection in California nearer to the current European legal standard, the General Data Protection Regulation (GDPR).

In the process of “getting closer to GDPR,” the CCPA would gain substantial new components. Besides enhancing consumer rights, the CPRA also creates new provisions for employee data as it relates to their employers, as well as data that businesses collect from B2B business partners.

Although controversial, the CPRA is likely to pass. August polling shows that more than 80% of voters support the measure. However, many businesses do not. This is because, at first glance, the CPRA appears to create all kinds of legal complexities in how employers can and cannot collect information from workers.

Fearful of having to meet the same demanding requirements as their European counterparts, many organizations view the prospect of the CPRA becoming law with alarm. However, this is unfounded. In reality, if the CPRA passes, it might not be as scary as some businesses think.

CPRA and employment data

The CPRA is actually a lot more lenient than the GDPR in regard to how it polices the relationship between employers and employees’ data. Unlike its EU equivalent, the proposed Californian law already contains many exceptions acknowledging that worker-employer relations are not like consumer-vendor relations.

Moreover, the CPRA extends the CCPA exemption for employers, which is set to end on January 1, 2021. This means that if the CPRA passes into law, employers would be released from both their existing and potential new employee data protection obligations for two more years, until January 1, 2023. This exemption would apply to most provisions under the CPRA and would cover personal information collected from individuals acting as job applicants, staff members, employees, contractors, officers, directors, and owners.

However, employers would still need to provide notice of data collection and maintain safeguards for personal information. It’s highly likely that during this two-year window, additional reforms would be passed that might further ease employer-employee data privacy requirements.

Nonetheless, employers should act now

While the CPRA won’t change much overnight, impacted organizations shouldn’t wait to take action, but should take this time to consider what employee data they collect, why they do so, and how they store this information.

This is especially pertinent now that businesses are collecting more data than ever on their employees. With companies like the workplace monitoring company Prodoscore reporting that interest from prospective customers rose by 600% since the pandemic began, we are seeing rapid growth in companies looking to monitor how, where, and when their employees work.

This trend emphasizes the fact that the information flow between companies and their employees is mostly one-sided (i.e., from the worker to the employer). Currently, businesses have no legal requirement to be transparent about this information exchange. That will change for California-based companies if the CPRA comes into effect and they will have no choice but to disclose the type of data they’re collecting about their staff.

The only sustainable solution for impacted businesses is to be transparent about their data collection with employees and work towards creating a “culture of privacy” within their organization.

Creating a culture of privacy

Rather than viewing employee data privacy as some perfunctory obligation where the bare minimum is done for the sake of appeasing regulators, companies need to start thinking about worker privacy as a benefit. Presented as part of a benefits package, comprehensive privacy protection is a perk that companies can offer prospective and existing employees.

Privacy benefits can include access to privacy protection services that extend beyond the workplace. Packaged alongside privacy awareness training and education, these can form “privacy plus” benefits offered to employees alongside standard perks like health or retirement plans. Doing so will build a culture of privacy, which can help companies ensure regulatory compliance while also making it easier to attract qualified talent and retain workers.

It’s also worth bearing in mind that creating a culture of privacy doesn’t necessarily mean that companies have to stop monitoring employee activity. In fact, employees are less worried about being watched than they are by the possibility of their employers misusing their data. Their fears are well-founded. Although over 60% of businesses today use workforce data, only 3 in 10 business leaders are confident that this data is treated responsibly.

For this reason, companies that want to keep employee trust and avoid bad PR need to prioritize transparency. This could mean drawing up a “bill of rights” that lets employees know what data is being collected and how it will be used.

Research into employee satisfaction backs up the value of transparency. Studies show that while only 30% of workers are comfortable with their employer monitoring their email, the number of employees open to the use of workforce data goes up to 50% when the employer explains the reasons for doing so. This number further jumps to 92% if employees believe that data collection will improve their performance or well-being or come with other personal benefits, like fairer pay.

On the other hand, most employees would leave an organization if its leaders did not use workplace data responsibly. Moreover, 55% of candidates would not even apply for a job with such an organization in the first place.

Final thoughts

With many exceptions for workplace data management already built-in and more likely to come down the line, most employers should be able to easily navigate the stipulations CPRA entails.

That being said, if it becomes law this November, employers shouldn’t misuse the two-year window they have to prepare for new compliance requirements. Rather than seeing this time as breathing space before a regulatory crackdown, organizations should instead use it to be proactive in their approach to how they manage their employees’ data. As well as just ensuring they comply with the law, businesses should look at how they can turn employee privacy into an asset.

As data privacy stays at the forefront of employees’ minds, businesses that can show they have a genuine privacy culture will be able to gain an edge when it comes to attracting and retaining talent and, ultimately, coming out on top.

Save on CCSP self-paced exam prep when bundled with exam voucher

Now’s your time to become recognized as a globally respected cloud expert and catapult your career with the (ISC)² Certified Cloud Security Certification (CCSP).


To help you confidently prepare for the exam, (ISC)² is offering a limited time discount on CCSP Self-Paced Training when bundled with your exam. Get both for just $1,094 – a savings of more than $250! Offer ends October 30.

Official (ISC)² Online Self-Paced Training is a great solution if you want complete autonomy to learn on your own schedule, in your own space using official (ISC)² pre-recorded videos and courseware.

Your training and exam bundle will include:

  • 180-day access to course content
  • Official (ISC)² Student Training Guide (electronic, 1-year access)
  • More than 100 prerecorded videos
  • Interactive flash cards
  • Case studies and real-world scenarios
  • Knowledge checks after each domain plus post-course assessment questions
  • Exam voucher (valid for 12 months)

There’s no need to wait for the New Year… Get a head start today!

The CISO’s Guide to Third-Party Security Management

The CISO’s Guide to Third-Party Security Management provides the instructions you need to make your organization’s third-party security program effective and scalable.


In particular, it covers how to:

  • Implement compensating internal controls when your suppliers don’t have or won’t reveal their own
  • Collaborate with suppliers to ensure success in the remediation process
  • Create KPIs to help manage, improve the process and demonstrate achievements

Finish the year strong with special pricing on CISSP training thru Oct. 30

Go for CISSP certification now to achieve more in 2021 as a globally recognized cybersecurity leader. Whether you’re motivated by career advancement, higher pay or inspiring a safe and secure cyber world, the CISSP is a clear professional game-changer.

Passing the CISSP exam is a huge accomplishment, and (ISC)² can help you prepare with confidence. Now thru October 30, (ISC)² is offering a discount on Official CISSP Self-Paced Training when you bundle with an exam voucher.
Get both for just U.S. $1,260 – a savings of nearly U.S. $300!


Official (ISC)² Online Self-Paced Training is a great solution if you want complete autonomy to learn on your own schedule, in your own space using official (ISC)² pre-recorded videos and courseware.

Your training and exam bundle will include:

  • 180-day access to course content
  • Official (ISC)² Student Training Guide (electronic, 1-year access)
  • More than 300 prerecorded videos
  • Interactive flash cards
  • Case studies and real-world scenarios
  • Knowledge checks after each domain plus post-course assessment questions
  • Exam voucher (valid for 12 months)

There’s no need to wait for the New Year… Get a head start today!

Measuring impact beyond a single incident

Determining the true impact of a cyber attack has always been, and will likely remain, one of the most challenging aspects of this technological age.


In an environment where very limited transparency on the root cause and the true impact is afforded, we are left with isolated examples to point to the direct cost of a security incident. For example, the 2010 attack on the Natanz nuclear facilities was, and in certain cases still is, used as the reference case study for why cybersecurity is imperative within an ICS environment (quite possibly substituted with BlackEnergy).

For ransomware, the reference case has been the impact WannaCry had on healthcare, and it will likely be replaced with the awful story in which a patient sadly lost their life because of a ransomware attack.

What these cases clearly provide is a degree of insight into their impact. Even if that insight is limited in certain scenarios, this approach sadly almost excludes the multitude of attacks that succeeded earlier and whose impact was either unavailable or did not make the headline story.

It can of course be argued that such case studies are a useful vehicle to influence change, but there is equally the risk that they are such outliers that decision makers do not recognise their own vulnerabilities within the broader problem statement.

If we truly need to influence change, then a wider body of work to develop the broader economic and societal impact of the multitude of incidents is required. Whilst this is likely to be hugely subjective, it is imperative to understand the true impact of cybersecurity. I recall a conversation a friend of mine had with someone who claimed they “are not concerned with malware because all it does is slow down their computer”. This, of course, is the wider challenge: to articulate the impact in a manner which will resonate.

Ask anybody about the impact of car theft and it will be understood; ask the same question about any number of digital incidents and the reply will likely be less clear.

It can be argued that studies which measure the macro cost of such incidents do indeed exist, but the problem statement of billions lost is so enormous that we each are unable to relate to this. A small business owner hearing about how another small business had their records locked with ransomware, and the impact to their business is likely to be more influential than an economic model explaining the financial cost of cybercrime (which is still imperative to policy makers for example).

If such case studies are so imperative and there exists a stigma with being open about such breaches what can be done? This of course is the largest challenge, with potential litigation governing every communication. To be entirely honest as I sit here and try and conclude with concrete proposals I am somewhat at a loss as to how to change the status quo.

The question is more an open one, what can be done? Can we leave fault at the door when we comment on security incidents? Perhaps encourage those that are victims to be more open? Of course this is only a start, and an area that deserves a wider discussion.

Whitepapers: Stronger cybersecurity starts with CISSP

Emerging technologies have created amazing new organizational capabilities. But they also bring new complexities, interconnections and vulnerability points. The need for strong cybersecurity is strong. Your defenses need to be stronger.

The Role of (ISC)²

(ISC)² is the world’s largest nonprofit membership association of certified cybersecurity professionals. More than 150,000 members strong, we help train, certify and educate the front lines – the professionals organizations count on to protect their critical assets and mitigate cyber risks.

CISSP – The World’s Premier Cybersecurity Certification

You may know (ISC)² for our CISSP credential – five letters that inspire confidence for businesses around the globe. Like all (ISC)² certifications, the CISSP is accredited and vendor-neutral. It stands out as the premier credential for information security leaders, identifying those who possess the advanced skills required to design, implement and manage a best-in-class cybersecurity program.

Our latest white papers examine the expanding threat landscape and how cybersecurity can drive business growth with the right experts in place. Download the resource that speaks to you as a professional or team leader ready to secure the future.


Views and misconceptions of cybersecurity as a career path

Attitudes toward cybersecurity roles are now overwhelmingly positive, although most people still don’t view the field as a career fit for themselves, even as 29% of respondents say they are considering a career change, an (ISC)² study reveals.


The findings indicate a shift in popular opinion about cybersecurity professionals, who have traditionally been viewed through a negative lens as roadblocks to business efficiency.

In fact, 71% of the survey’s respondents, none of whom work in the industry, say they consider cybersecurity professionals to be smart and technically skilled, while 51% also described them as “the good guys fighting cybercrime.” 69% of respondents replied that cybersecurity seems like a good career path, just not one they see themselves pursuing.

Obstacles to attracting additional information security workers

The cybersecurity industry is made up of 2.8 million skilled professionals, but research indicates that there is a global shortage of 4.07 million, which requires a massive recruitment effort of new entrants to the field who may not have considered the career before. The study reveals that the obstacles to attracting these additional workers may be two-fold.

First, 77% of respondents said cybersecurity was never offered as part of their formal educational curriculum at any point, making it difficult for most people to gain a solid understanding of what roles in the industry actually entail and how to pursue the career.

The second factor that may be limiting interest is a pervasive belief that such roles would require very advanced skills development that would require time and resources to achieve.

“What these results show us is that while it’s becoming even more highly-respected, the cybersecurity profession is still misunderstood by many, and that’s counterproductive to encouraging more people to pursue this rewarding career,” said Wesley Simpson, COO of (ISC)².

“The reality of the situation, and what we need to do a better job of publicizing, is that a truly effective cybersecurity workforce requires a broad range of professionals who bring different skillsets to their teams.

“While technical skills are vital for many roles, we also need individuals with varied backgrounds in areas including communications, risk management, legal, regulatory compliance, process development and more, to bring a well-rounded perspective to cyber defense.”

Cybersecurity as a career path: Key findings

  • Conducted during a time of record unemployment amidst the COVID-19 pandemic, the study found that job stability is now the most valued characteristic in a career (61% of respondents), followed by ones that offer a “flexible work environment” (57%) and only then, “earning potential” (56%).
  • In the absence of formal cybersecurity education, perceptions about the industry and the professionals in it are formed primarily through portrayals in TV shows and movies (37% of respondents) or by news coverage of security incidents (31%).
  • 61% of respondents said they believe they would either need to go back to school (26%), earn a certification (22%) or teach themselves new skills (13%) in order to pursue a career in cybersecurity. 32% of respondents said they believe too much technical knowledge or training would be required.
  • Generation Z (Zoomers) were the least likely demographic group to cast cybersecurity professionals in a positive light. Just 58% view cybersecurity professionals as smart and technically skilled, as opposed to 78% of Baby Boomers. And only 34% of Zoomers consider them the “good guys, fighting cybercrime,” as opposed to 60% of Boomers.

Whitepaper: Mobile banking regulations, threats and fraud prevention

The usage of banking services through a mobile app has quickly been embraced by consumers. At the end of 2019, 74% of people in the UK and 75% in the US used mobile devices to manage their finances.

To stay ahead of the competition, banks have developed mobile applications offering a wide variety of services to their clients. But when handling personal/financial data and conducting transactions, mobile apps are required to satisfy very high security standards.

Currently, research indicates that mobile banking apps are often not as secure as expected. Furthermore, a recent analysis of data collected by RSA’s Fraud and Risk Intelligence team shows that mobile app-related fraud doubled in the first quarter of 2020.

In this whitepaper, you’ll find details on mobile banking usage, the legal framework, the risks, and solutions to secure mobile banking apps, from development to execution.

Download the whitepaper and learn more about:

  • Data protection legal requirements applicable to mobile banking apps
  • Modus operandi of mobile threats targeting financial apps
  • Fraud and data leakage prevention recommendations

Product showcase: AppTrana

DDoS attacks, bots and targeted attacks exploiting application vulnerabilities have created a new wave of security challenges. Attackers constantly target internet-connected endpoints, and specifically web servers, to steal data, crash sites, and hold the business for ransom. A web application is a lucrative target for attackers because it is critical for most businesses.

One of the key risk mitigation steps for defending the business from web application attacks is to have a Web Application Firewall (WAF). Many businesses do have traditional WAF solutions deployed. A WAF provides the capability and platform to protect against attacks like cross-site scripting, SQL injection, and the rest of the OWASP Top 10. However, without the ability to keep the WAF tuned continuously based on the current risk posture, the technology is ineffective. Tuning it requires special expertise and an understanding of application risk.

To shore up yesterday’s defense against today’s and tomorrow’s threats, defend your application by leveraging a new generation of risk-based fully managed cloud WAF.

Why do you need a risk-based cloud WAF?

  • It provides continuous visibility of the risk and vulnerabilities in your application. Attackers are always looking for an opening for a targeted attack, so gaining visibility before they do is the first step in a risk-based approach to security.
  • Many attackers rely on automated tools to discover weaknesses. As a business, you must use automated tools to take care of your application. A risk-based approach makes this more effective by ensuring it is done frequently and is free of false positives, with security experts validating the automated findings.
  • Hackers do not have the time to do deeper security assessments unless they find weaknesses via automated tools. You can stay one step ahead of them by doing periodic manual penetration testing to get a deeper business logic assessment.
  • Once you get visibility of risks, you can take steps to fix them instantly, not just in your application, but also in the managed cloud WAF service. This not only mitigates the risk but also helps track attempted attacks, gain insight into the attacker, and dynamically adjust policies and block rules to strengthen the defense.
  • Having a cloud WAF also ensures that attacks aimed simply at taking the site down can be absorbed and scrubbed by the cloud WAF infrastructure before they hit your web application. A cloud WAF can auto-scale and has alerts in place that watch traffic so that updates are made instantly.

Overall, a risk-based cloud WAF solution is the most effective option to ensure you have accurate, relevant protection with zero false positives and do it continuously in sync with your web application lifecycle.

AppTrana: Risk-based fully managed cloud WAF

Indusface’s AppTrana is a cloud-based WAF that accumulates and tracks risks to protect your web apps from web exploits, which could compromise security and affect application availability. Its continuous risk analysis offers critical insights into site behavior. It gives you control over which traffic to block or allow to your application, based on a defined acceptable risk and industry-standard security rules.

You can use AppTrana to make custom rules, which block common cyberattack patterns like cross-site scripting, SQL injection, bots, application vulnerabilities, OWASP top 10 vulnerabilities, and suspicious data-type patterns & URL patterns. You can also deploy new rules within minutes, allowing you to respond instantly to the changing web traffic patterns.

AppTrana key features

1. No false positives and virtual patching

Traditional WAFs have been troubled by false positives. AppTrana brings together application profiling, signatures, active engagement, attacker profiling and tracking across the various phases of an attack, and, most importantly, includes 24×7 security experts as part of the service who update rules and write virtual patches.

2. DDoS and bot protection

By combining intelligent methodologies with 24/7 monitoring by security experts, AppTrana blocks volumetric DDoS attacks before they take effect. It also tracks targeted application-layer attacks and takes instant steps before they can bring the application down. It ensures that all traffic to your domain is routed through the AppTrana WAF, which acts as a secure reverse proxy. It filters the incoming web traffic, blocks DDoS traffic, alerts the 24×7 managed security team to anomalies so that bad traffic can be scrubbed, and passes on only legitimate requests.

AppTrana’s DDoS filtering process is based on a set of security rules which observe the HTTP footprint, client behavior, and reputation.

3. Accelerate application performance

While intelligently profiling web traffic to block DDoS attacks, AppTrana also accelerates the outgoing traffic. Thanks to advanced optimization and caching techniques, you no longer need to compromise website speed for protection. AppTrana comes bundled with a CDN or can work with any existing CDN you may already subscribe to.

4. Bundled web application scanner and penetration testing

As part of the risk-based managed service promise, AppTrana includes a security assessment of your website with an automated web application scanner as well as on-demand manual penetration testing. Besides providing visibility of vulnerabilities and patching them, the AppTrana portal also shows the correlation between each risk, its protection status, the attacks targeting it and where they are coming from.

5. Security expertise for complete detection and remediation

To complement the power-packed features, the AppTrana WAF service is backed by the rapid response capabilities of Indusface’s world-class cybersecurity experts. The resources provide proactive 24/7/365 threat monitoring as well as reporting to defend customers from insidious threats like web fraud, phishing, and malware.

AppTrana offers cloud-based web application security services which leverage leading cybersecurity intelligence and cloud WAF rules to resolve issues faced by a traditional WAF, such as zero-day attacks and advanced risk detection and mitigation.

Web applications are an easy target for cybercriminals. Don’t let web application threats rain on your business parade. Protect yours by starting a free trial with AppTrana.

Aiming for a career in cybersecurity? Now is the time to pick up new skills

The COVID-19 pandemic took most of us by surprise. Widespread shelter-in-place mandates changed how we work (and whether we can work), play, rest, shop, communicate and learn.

It changed things for businesses as well. Some were not ready to meet the challenge and closed up shop; many others were forced to hastily start or speed up their existing digital transformation efforts and prepare for the majority of their workforce to be working from home – something that seemed impossible (or simply very, very unlikely) just months before.

Time for change

In times of upheaval, it becomes easier to imagine and enact change. Unfortunately, the speed at which all these changes happened has meant that cybersecurity has become less important than productivity (meaning: even less important than it was before).

But this downgrade won’t and can’t last long. With cyber attackers increasingly taking advantage of the many new attack surfaces – unsecured devices, databases, cloud assets, remote access and other accounts – organizations are now furiously trying to close as many security holes as soon as possible.

Employed cybersecurity professionals have been having a tough time during the last few months, trying to keep company assets and networks out of the hands of attackers while having to suddenly support more remote workers than ever before.

The required security measures are known and advice for achieving remote work security is easy to get, but implementing it all takes time and effort. Even before the advent of COVID-19, organizations had trouble filling all the cybersecurity positions they opened – and their needs have surely intensified in the last few months.

Gunning for a career in cybersecurity

Cybersecurity professionals and other technology professionals are using eLearning and online training to pick up new skills, but as the demand for cybersecurity personnel increases and the availability of paid positions widens (while it is dwindling in many other economic sectors), many tech-savvy individuals are wondering: “Do I have what it takes to enter and thrive in the cybersecurity arena?”

A recent Skillsoft report says that networking and operating systems, security and programming training are in the highest demand among technology and developer professionals, and that security certification prep courses are up by 58 percent YoY.

While people already working in IT definitely have a leg up on other aspiring candidates since every role within IT has a cybersecurity aspect, certifications such as the (ISC)² Systems Security Certified Practitioner (SSCP) can help with cybersecurity knowledge acquisition and demonstrate the person’s suitability for entering the cybersecurity field.

But even recent college graduates without a deep technical background and military veterans can have a bright future in cybersecurity – if they know how to go about breaking into the field. The tools are there for those who want to use them.

Review: Web Security for Developers: Real Threats, Practical Defense

Malcolm McDonald, with his 20 years of experience in programming, poured his knowledge into this book to offer comprehensive information about everything a developer needs to know to do their job properly and thoroughly.

After a short lesson in internet history, the author puts the reader in the shoes of the attacker and explains how simple it is to hack a website, as well as how easy it is to obtain and apply hacking tools.

The author proceeds to offer basic knowledge about how the internet, browsers, web servers and programmers work.

Every following chapter explains major vulnerabilities and how to fix them, but also the various types of attacks, describing the damage they can cause. To help the reader better understand these processes, the author added coding examples.

Luckily, tools needed to help secure a website are also freely accessible and easily implemented.

As he points out, the goal is not only to protect a website but also to make it safe for the users. This means, besides preventing major system compromises, it is crucial to simultaneously protect users’ data by securely storing it, requesting authentication and implementing encryption.

Who is this book for?

Whether you’re just starting out in your career as a web developer or are a seasoned pro, Web Security for Developers: Real Threats, Practical Defense will provide all the necessary information about the possible and imminent threats you will face and how to prepare yourself and your team to avoid them.

Although the content is very technical and covers coding and programming topics, the book reads easily and provides essential knowledge to aspiring web developers.

Plan for change but don’t leave security behind

COVID-19 has upended the way we do all things. In this interview, Mike Bursell, Chief Security Architect at Red Hat, shares his view of which IT security changes are ongoing and which changes enterprises should prepare for in the coming months and years.

How has the pandemic affected enterprise edge computing strategies? Has the massive shift to remote work created problems when it comes to scaling hybrid cloud environments?

The pandemic has caused major shifts in the ways we live and work, from video calls to increased use of streaming services, forcing businesses to embrace new ways to be flexible, scalable, efficient and cost-saving. It has also exposed weaknesses in the network architectures that underpin many companies, as they struggle to cope with remote working and increased traffic. We’re therefore seeing both an accelerated shift to edge computing, which takes place at or near the physical location of either the end-user or the data source, and further interest in hybrid cloud strategies which don’t require as much on-site staff time.

Changing your processes to make the most of this without damaging your security posture requires thought and, frankly, new policies and procedures. Get your legal and risk teams involved – but don’t forget your HR department. HR has a definite role to play in allowing your key employees to continue to do the job you need them to do, but in ways that are consonant with the new world we’re living in.

However, don’t assume that these will be – or should be! – short-term changes. If you can find more efficient or effective ways of managing your infrastructure, without compromising your risk profile while also satisfying new staff expectations, then everyone wins.

What would you say are the most significant challenges for enterprises that want to build secure and future-proof application infrastructures?

One challenge is that although some of the technology is now quite mature, the processes for managing it aren’t, yet. And by that I don’t just mean technical processes, but how you arrange your teams and culture to suit new ways of managing, deploying, and (critically) automating your infrastructure. Add to this new technologies such as confidential computing (using Trusted Execution Environments to protect data in use), and there is still a lot of change.

The best advice is to plan for change – technical, process and culture – but do not, whatever you do, leave security till last. It has to be front and centre of any plans you make. One concrete change that you can make immediately is taking your security people off just “fire-fighting duty”, where they have to react to crises as they come in: businesses can consider how to use them in a more proactive way.

People don’t scale, and there’s a global shortage of security experts. So, you need to use the ones that you have as effectively as you can, and, crucially, give them interesting work to do, if you plan to retain them. It’s almost guaranteed that there are ways to extend their security expertise into processes and automation which will benefit your broader teams. At the same time, you can allow those experts to start preparing for new issues that will arise, and investigating new technologies and methodologies which they can then reapply to business processes as they mature.

How has cloud-native management evolved in the last few years and what are the current security stumbling blocks?

One of the areas of both maturity and immaturity is in terms of workload isolation. We can think of three types: workload from workload isolation (preventing workloads from interfering with each other – type 1); host from workload isolation (preventing workloads from interfering with the host – type 2); workload from host isolation (preventing hosts from interfering with workloads – type 3).

The technologies for types 1 and 2 are really quite mature now, with containers and virtual machines combining a variety of hardware and software techniques such as virtualization, cgroups and SELinux. On the other hand, protecting workloads from malicious or compromised hosts is much more difficult, meaning that regulators – and sensible enterprises! – are unwilling to have some workloads execute in the public cloud.

Technologies like secure and measured boot, combined with TPM capabilities by projects such as Keylime (which is fully open source) are beginning to address this, and we can expect major improvement as confidential computing (and open source projects like Enarx which uses TEEs) matures.
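As an added illustration of the measured-boot idea behind the type 3 protection Bursell describes (this is editorial example code, not code from Keylime, Enarx or Red Hat), the model below shows why a hash-chained Platform Configuration Register lets a remote verifier detect a tampered host. Each boot component is hashed and extended into a PCR as PCR = H(PCR || digest), which is the TPM 2.0 PCR_Extend rule for a SHA-256 bank; the verifier replays the event log it receives and compares the result with a golden value. The boot chain, the component contents and the PCR assignments are constructed for the example, and the `attest` helper stands in for the comparison a verifier such as Keylime performs against its policy.

```python
"""
Model of measured boot and remote attestation (constructed example).

Every component measured at boot is hashed and "extended" into a Platform
Configuration Register: PCR = SHA256(PCR || digest). Because extension is a
hash chain, a verifier can replay the event log it receives and compare the
result with a golden value; any changed, missing or reordered measurement
yields a different register value. This is a self-contained model, not a
real TPM, event log format or Keylime policy.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List

PCR_SIZE = 32                   # SHA-256 bank: 32-byte registers
INITIAL_PCR = bytes(PCR_SIZE)   # PCRs 0-15 hold all zeros after reset


@dataclass(frozen=True)
class Event:
    pcr: int        # register the component is extended into
    name: str       # human-readable label, kept in the event log only
    digest: bytes   # SHA-256 of the measured component


def measure(component: bytes) -> bytes:
    """Digest of a boot component, as the measuring stage would compute it."""
    return hashlib.sha256(component).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """PCR_Extend semantics for a SHA-256 bank: new = H(old || digest)."""
    if len(digest) != PCR_SIZE:
        raise ValueError("digest must be a SHA-256 digest")
    return hashlib.sha256(pcr_value + digest).digest()


def replay(events: Iterable[Event]) -> Dict[int, bytes]:
    """Replay an event log into a PCR bank, exactly as a verifier would."""
    bank: Dict[int, bytes] = {}
    for ev in events:
        bank[ev.pcr] = extend(bank.get(ev.pcr, INITIAL_PCR), ev.digest)
    return bank


def attest(events: Iterable[Event], golden: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose replayed value differs from the golden value.

    An empty list means the host booted the expected software; a missing
    register (no events at all for it) also counts as a mismatch.
    """
    replayed = replay(events)
    return sorted(i for i, expected in golden.items()
                  if replayed.get(i) != expected)


# Constructed boot chain: firmware into PCR 0, bootloader and kernel into
# PCR 4. Real Linux measured boot spreads measurements over more registers;
# the split here is only illustrative.
GOOD_BOOT = [
    Event(0, "firmware", measure(b"firmware v1.2")),
    Event(4, "bootloader", measure(b"shim+grub 2.06")),
    Event(4, "kernel", measure(b"vmlinuz-5.8")),
]

# Golden values are taken from a known-good boot of the same image.
GOLDEN = replay(GOOD_BOOT)

# Same firmware and bootloader, but a modified kernel image: the final
# PCR 4 value no longer matches, however small the modification.
TAMPERED_BOOT = [
    Event(0, "firmware", measure(b"firmware v1.2")),
    Event(4, "bootloader", measure(b"shim+grub 2.06")),
    Event(4, "kernel", measure(b"vmlinuz-5.8-modified")),
]

if __name__ == "__main__":
    print("good host, mismatched PCRs:", attest(GOOD_BOOT, GOLDEN))
    print("tampered host, mismatched PCRs:", attest(TAMPERED_BOOT, GOLDEN))
```

The model makes the order dependence of the chain visible: swapping the bootloader and kernel events produces a different PCR 4 even though both digests are unchanged, which is why a verifier must compare the register value rather than just the set of digests in the log. A real deployment also needs the PCR quote to be signed by a key bound to the TPM, so that a compromised host cannot simply report the golden values.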

In the past few years, we’ve seen a huge interest in Kubernetes deployments. What common mistakes are organizations making along the way? How can they be addressed?

One of the main mistakes we see businesses make is attempting to deploy Kubernetes without the appropriate level of in-house expertise. Kubernetes is an ecosystem, rather than a one-off executable, that relies on other services provided by open source projects. It requires IT teams to fully understand the architecture that is made up of applications and network layers.

Once implemented, businesses must also maintain the ecosystem in parallel to any software running on top. When it comes to implementation, businesses are advised to follow open standards – those decided upon by the open source Kubernetes community as a whole, rather than a specific vendor. This will prevent teams from running into unexpected roadblocks, and helps to ensure a smooth learning curve for new team members.

Another mistake organizations can make is ignoring small but important details, like the backwards compatibility of Kubernetes with older versions, which is very important. It’s easy to overlook the fact that these may not have important security updates that can transfer, so IT teams must be mindful when merging code across versions, and check regularly for available updates.

Open source remains one of the building blocks of enterprise IT. What’s your take on the future of open source code in large business networks?

Open source is here to stay, and that’s a good thing, not least for security. The more security experts there are to look at code, the more likely that bugs will be found and fixed. Of course, security experts are short on the ground, and busy, so it’s important that large enterprises make a commitment to getting involved with open source and committing resources to it.

Another issue is that people get confused by thinking that just because a project is open source, it’s ready to use. There’s a difference between an open source project and an enterprise product which is based on that project. In the latter case, you get all the benefits of testing, patching, upgrading, vulnerability processes, version management and support. In the former case, you need to manage everything yourself – including ensuring that you have sufficient expertise in-house to cope with any issues that come up.

How do I select a remote workforce protection solution for my business?

Recent research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. New attack vectors for opportunistic cyber attackers – and new challenges for network administrators – have been introduced.

To select a suitable remote workforce protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Vince Berk, VP, Chief Architect Security, Riverbed

A business needs to meet three main realizations or criteria for a remote workforce protection solution to be effective:

Use of SaaS, where access to the traffic in traditional ways becomes challenging: understanding where data lives, and who accesses it, and controlling this access, is the minimum bar to pass in an environment where packets are not available or the connection cannot be intercepted.

Recognition that users use a multitude of devices, from laptops, iPads, phones—many of which are not owned or controlled by the enterprise: can identity be established definitively, can data access be controlled effectively, and forensically accurately monitored for compromise at the cloud/datacenter end?

When security becomes ‘too invasive’, workers create out-of-band business processes and “shadow IT,” which are a major blind spot as well as a potential risk surface as company private information ends up outside of the control of the organization: does the solution provide a way to discover and potentially control use of this modern shadow IT?

A comprehensive security solution for remote work must acknowledge the novel problems these new trends bring and succeed on resolving these issues for all three criteria.

Kate Bolseth, CEO, HelpSystems

One thing must be clear: your entire management team needs to assist in establishing the right infrastructure in order to facilitate a successful remote workforce environment.

Before looking at any solutions, answer the following questions:

  • How are my employees accessing data?
  • How are they working?
  • How can we minimize the risk of data breaches or inadvertent exposure of sensitive data?
  • How do we discern what data is sensitive and needs to be protected?

The answers will inform organizational planning and facilitate employee engagement while removing potential security roadblocks that might thwart workforce productivity. These guidelines must be as fluid as the extraordinary circumstances we are facing without creating unforeseen exposure to risk.

When examining solutions, any option worth considering must be able to identify and classify sensitive personal data and critical corporate information assets. The deployment of enterprise-grade security is essential to protecting the virtual workforce from security breaches via personal computers as well as at-home Wi-Fi networks and routers.

Ultimately, it’s the flow of email that remains the biggest vulnerability for most organizations, so make sure your solution examines emails and files at the point of creation to identify personal data and apply proper protection while providing the link to broader data classification.

Carolyn Crandall, Chief Deception Officer, Attivo Networks

When selecting a remote workforce protection solution, CISOs need to consider three key areas: exposed endpoints, security for Active Directory (AD) and preventing malware from spreading.

Exposed endpoints: standard anti-virus software and VPNs are no match for advanced signature-less or file-less attack techniques. EDR tools enhance detection but still leave gaps. Therefore, pick an endpoint solution capable of quickly detecting endpoint lateral movement, discovery and privilege escalation.

Security for Active Directory (AD): cloud services and identity access management need protection against credential theft, privilege escalation and AD takeover. In a remote workforce context AD is often over provisioned or misconfigured. A good answer is denial technology which detects discovery behaviors and attempts at privilege escalation.

Preventing spread of malware: it is almost impossible to prevent malware passing from workforce machines reconnecting to the network. It is vital therefore to choose a resolution that uncovers lateral movement, APTs, ransomware and insider threats. Popular options include EPP/EDR, Intrusion Detection/Prevention Systems (IDS/IPS) and deception technology. When selecting, take account of native integrations and automation as well as how well the tools combine to share data and automate incident response.

In short, the answer to remote workforce protection lies in a robust, layered defence. If attackers get through one, there must be additional controls to stop them from progressing.

Daniel Döring, Technical Director Security and Strategic Alliances, Matrix42

Endpoint security requires a bundle of measures, and only companies that take all aspects into account can ensure a high level of security.

Automated malware protection: automated detection in case of anomalies and deviations is a fundamental driver for IT to be able to react quickly in case of an incident. In this way, it is often possible to fend off attacks before they even cause damage.

Device control: all devices that have access to corporate IT must be registered and secured in advance. This includes both corporate devices and private employee devices such as smartphones, tablets, or laptops. If, for example, a smartphone is lost, access to the system can be withdrawn at the click of a mouse.

App control: if, in addition to devices, all applications are centrally controlled by IT, IT risks can be further minimized. The IT department can thus control access at any time.

Encryption: the encryption of all existing data protects against the consequences of data loss.

Data protection at the technological and manual levels: automated and manual measures are combined for greater data protection. Employees must continue to be trained so that they are aware of risks. However, the secure management of data stocks can be simplified with the help of technology in such a way that error tolerance is significantly increased.

Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

The most important aspect for any security solution is how this product is going to complement your current environment and compensate for gaps within your existing controls.

Whether you’re looking to upgrade your endpoint protections or add always-on VPN capability for the now predominately remote workforce, there are a few key considerations when it comes to deploying security software for protecting distributed assets:

  • Will the solution require infrastructure to deploy, or will this be a remote cloud hosted solution? Both options come with their unique benefits and drawbacks, with cloud being optimal for disparate systems and offloading the burden of securing internet-facing services to the vendor.
  • What is the footprint of the agent and are multiple agents required for the solution to be effective? Compute is expensive, agents should be as non-impactful to the system as possible.
  • How will this solution improve your security team’s visibility and ability to either prevent or respond to a breach? What key gaps in coverage will this tool help rectify as cost effectively as possible?
  • Will this meet the organization’s future needs, as things begin to shift back to the office?
  • Lastly, ensure that you allow for the team to operationalize and integrate the platform. This takes time. Don’t bring on too many tools at once.

Matt Lock, Technical Director, Varonis

With more remote working comes more cyberattacks. When selecting a remote workforce solution, CISOs must ask the following questions:

Am I able to provide comprehensive visibility of cloud apps? Microsoft Teams usage exploded by 500% during the pandemic, however given its immediate enforcement, deployments were rushed with misconfigured permissions. It’s paramount to pick a solution that allows security teams to see where sensitive data is overexposed and provide visibility into how each user can access Office 365 data.

Can I confidently monitor insider threat activity? The shift to remote working has seen a spike in insider threat activity and highlighted the importance of understanding where sensitive data is, who has access to it, who’s leveraging that access, and any unusual access patterns. Best practices such as implementing the principle of least privilege to confine user access to the data should also be considered.

Do I have real-time insight into anomalous behavior? Having real-time awareness of unusual VPN, DNS and web activity mustn’t be overlooked. Gaining visibility of this web activity helps security teams track and trend progress as they mitigate critical security gaps.

Selecting the right workforce protection solution will vary for different organizations depending on their priorities but the top priority of any solution must be to provide clear visibility of data across all cloud and remote environments.

Druce MacFarlane, Head of Products – Security, Threat Intelligence and Analytics, Infoblox

Enterprises investing in remote workforce security tools should consider shoring up their foundational security in a way that:

Secures corporate assets wherever they are located: backhauling traffic to a data center—for example with a VPN—can introduce latency and connectivity issues, especially when accessing cloud-based applications and services that are now essential for business operations. Look for solutions that extend the reach of your existing security stack, and leverage infrastructure you already rely on for connectivity to extend security, visibility, and control to the edge.

Optimizes your existing security stack: find a solution that works with your entire security ecosystem to cross-share threat intelligence, spot and flag suspicious activities, and automate threat response.

Offers flexible deployment: to get the most value for your spend, make sure the solution you choose can be deployed on-premises and in the cloud to offer security that cuts across your hybrid infrastructure, protecting your on-premises assets as well as your remote workforce, while allowing IT to manage the solution from anywhere.

The right solution to secure remote work should ideally enable you to scale quickly to optimize remote connections and secure corporate assets wherever they are located.

Faiz Shuja, CEO, SIRP Labs

In all the discussion around making remote working safer for employees, relatively little has been said about mechanisms governing distributed security monitoring and incident response teams working from home.

Normally, security analysts work within a SOC complete with advanced defences and tools. New special measures are needed to protect them while monitoring threats and responding to attacks from home.

Such measures include hardened machines with secure connectivity through VPNs, 2FA and jump machines. SOC teams also need to update security monitoring plans remotely.

Our advice to CISOs is to optimize security operations and monitoring platforms so that all essential cybersecurity information needed for accurate decision-making is contextualized and visible at-a-glance to a remote security analyst.

Practical measures include:

  • Unify the view for distributed security analysts to monitor and respond to threats
  • Ensure proper communication and escalation between security teams and across the organization through defined workflows
  • Use security orchestration and automation playbooks for repetitive investigation and incident response tasks for consistency across all distributed security analysts
  • Align risk matrix with evolving threat landscape
  • Enhance security monitoring use cases for remote access services and remotely connected devices

One notable essential is the capacity to constantly tweak risk-levels to quickly realign priorities to optimise the detection and response effectiveness of individual security team members.

Todd Weber, CTO, Americas, Optiv Security

Selecting a remote workforce protection solution is more about scale these days than technology. Companies have been providing work-from-home solutions for several years, but not necessarily for all applications.

How granular can you get on access to applications based on certain conditions?

Simply the credentials themselves (even with multi-factor authentication) aren’t enough any longer to judge on trusted access to critical applications. Things like what device am I on, how trusted is this device, where in the world is this device, and other factors play a role, and remote access solutions need to accommodate granular access to applications based on these criteria.

Can I provide enhanced transport and access to applications with the solution?

The concept of SD-WAN is not new, but it has become more important as SaaS applications and distributed workforce have become more prevalent. Providing optimal network transport as well as a visibility point for user and data controls has become vitally important.

Does the solution provide protections for cloud SaaS applications?

Many applications are no longer hosted by companies and aren’t in the direct path of many controls. Can you deploy very granular controls within the solution that provide both visibility and access restrictions to IaaS and SaaS applications?

(ISC)² Exam Action Plan: Get your certification goals on track for success

Even the best-laid plans can go astray; that’s why we stand ready as ever to help you get your certification goals back on track for success.

Every (ISC)² member started out by committing to and passing one of our certification exams. No matter which certification you choose, you’ll find everything you need to prepare for the big day in the (ISC)² Exam Action Plan, including:

  • Exam registration, policies and testing guidelines
  • Details on what to expect heading into your exam
  • Resources and pro tips to move forward with confidence

Request your Exam Action Plan today.

Mapping the motives of insider threats

Insider threats can take many forms, from the absent-minded employee failing to follow basic security protocols, to the malicious insider, intentionally seeking to harm your organization.

Some threats may stem from a simple mistake, others from a personal vendetta. Some insiders will work alone, others at the behest of a competitor or nation-state.

Whatever the method and the motives, the results can be devastating. The average cost of a single negligent insider incident exceeds $300k. That figure increases to over $755k for a criminal or malicious attack and up to $871k for one involving credential theft.

Unlike many other common attacks, insider attacks are rarely a smash-and-grab. The longer a threat goes undetected, the more damage it can do to your organization. The better you understand your people – their motivations, and their relationship with your data and networks – the earlier you can detect and contain potential threats.

Insiders’ drivers

Insider threats can be loosely split into two categories – negligent and malicious. Within those categories are a range of potential drivers.

As the mechanics of an attack can differ significantly depending on its motives, gaining a thorough understanding of these drivers can be the difference between a potential threat and a successful breach.

Financial gain

Financial gain is perhaps the most common driver for the malicious insider. Employees across all levels are aware that corporate data and sensitive information have value.

To an employee with access to your data, allowing it to fall into the wrong hands can seem like minimal risk for significant reward.

This is another threat that is likely higher risk in the current environment. The coronavirus pandemic has placed millions of people under financial pressure, with many furloughed or facing job insecurity. What once seemed an unimaginable decision may now feel like a quick solution.

Negligence

Negligence is the most common cause of insider threats, costing organizations an average of $4.58 million per year.

Such a threat usually results from poor security hygiene – a failure to properly log in/out of corporate systems, writing down or reusing passwords, using unauthorized devices or applications, and a failure to protect company data.

Negligent insiders are often repeat offenders who may skirt round security for greater speed, increased productivity or just convenience.

Distraction

A distracted employee could fall into the “negligent” category. However, it is worth highlighting separately as this type of threat can be harder to spot.

Where negligent employees may raise red flags by regularly ignoring security best practices, the distracted insider may be a model employee until the moment they make a mistake.

The risk of distraction is potentially higher right now, with most employees working remotely, many for the first time, often interchanging between work and personal applications. Outside of the formal office environment and distracted by home life, they may have different work patterns, be more relaxed and inclined to click on malicious links or bypass formal security conventions.

Organizational damage

Some malicious insiders have no interest in personal gain. Their sole driver is harming your organization.

The headlines are full of stories about the devastating impact of data breaches. For anyone wishing to damage an organization’s reputation or revenues, there is no better way in the digital world than by leaking sensitive customer data.

Insiders with this motivation will usually have a grievance against your business. They may have been passed over for a pay rise or promotion, or recently subject to disciplinary action.

Espionage and sabotage

Malicious insiders do not always work alone. In some cases, they may be passing information to a third-party such as a competitor or a nation-state.

Such cases tend to fall under espionage or sabotage. This could mean a competitor recruiting a plant in your organization to syphon out intellectual property, R&D, or customer information to gain an edge, or a nation-state looking for government secrets or classified information to destabilize another.

Cases like these have been on the increase in recent years. Hackers and plants from Russia, China, and North Korea are regularly implicated in cases of corporate and state-sponsored insider attacks against Western organizations.

Defending from within

Just as they affect method, motives also dictate the appropriate response. An effective deterrent against negligence is unlikely to deter a committed and sophisticated insider intent on causing harm to your organization.

That said, the foundation for any defense is comprehensive controls. You must have total visibility of your networks – who is using them and what data they are accessing. These controls should be leveraged to limit sensitive information to only the most privileged users and to strictly limit the transfer of data from company systems.

With this broad base in place, you can now add further layers to counter specific threats. To protect against disgruntled employees, for example, additional protections could include filters on company communications to flag high-risk vocabulary, and specific controls applied to high-risk individuals, such as those who have been disciplined or are soon to be leaving the company.

Finally, any successful defense against insider threats should have your people at its heart.

You must create a strong security culture. This means all users must be aware of how their behavior can unintentionally put your organization at risk. All must know how to spot early signs of potential threats, whatever the cause. And all must be aware of the severe consequences of intentionally putting your organization in harm’s way.

Safe domain: How to protect your enterprise from DNS hijacking

In August 2019, cybersecurity researchers revealed that a hacker group known as Sea Turtle targeted 40 telecoms, internet service providers, domain registrars and government organizations in the Middle East and North Africa. The attackers hijacked the domain names of ministries of foreign affairs, intelligence/military agencies and energy-related groups in those regions. As a result, Sea Turtle was able to intercept all internet data – including email and web traffic – sent to the victims. Then, … More

The post Safe domain: How to protect your enterprise from DNS hijacking appeared first on Help Net Security.