Entrust acquires HyTrust to offer identity, encryption and security policy control for cloud environments

Entrust announced that it has acquired HyTrust. Terms of the deal will not be disclosed. By acquiring HyTrust, Entrust adds a critical management layer for encryption, cryptographic keys, and cloud security policy to its digital security solutions, serving the data protection and compliance needs of organizations accelerating their digital transformations. “Enterprises are rapidly transforming to take advantage of the efficiencies and scale of cloud computing. In doing so, data protection and compliance are top of … More

The post Entrust acquires HyTrust to offer identity, encryption and security policy control for cloud environments appeared first on Help Net Security.

How security pros can prepare for a tsunami of new financial industry regs in 2021

Financial sector companies can expect to see a wave of new regulations and the restoration of Obama-era regs as the Biden administration takes office next week. Today’s columnist, Michael Magrath of OneSpan, pinpoints which regs security pros should focus on in the months ahead.

Banks and financial services organizations have accelerated their adoption of biometrics, facial recognition and artificial intelligence (AI) to enable the use of digital identities and continue operations during the pandemic. However, these technologies are in need of strict regulations to protect users.

Biometrics can add an extra layer of security when unlocking a smartphone using a person’s face or fingerprint. But other technologies have raised privacy concerns among consumers, such as law enforcement leveraging facial recognition to identify wanted criminals via security cameras in a public space. This has led to outright bans of facial recognition technology in several cities, including Boston, San Francisco, Oakland, Portland, Oregon and Portland, Maine, to name a few. As these technologies become mainstream, we’ll need regulations to retain (or in some cases, regain) the trust of consumers and policymakers.

As a step forward, we see international organizations push for global standards around the use of biometrics, for example, the FIDO Alliance and the Financial Action Task Force (FATF), which recently issued guidance on how to apply a risk-based approach to using digital identity systems for customer identification and verification. However, the U.S. lags behind other regions, which have been more progressive in their adoption of regulations, such as the General Data Protection Regulation (GDPR) in Europe.

In lieu of federal standards, states such as California have implemented their own regulations, such as the California Consumer Protection Act (CCPA) and its upgrade, the California Privacy Rights Act (CPRA). Recently approved by voters, CPRA addresses privacy and puts forth minimum technical requirements that businesses must implement to protect consumer data. But consumer privacy and security must get properly addressed at the federal level to drive growth in the digital economy.

Significant federal regs on the horizon

Under the upcoming Biden administration, we can expect to see a tsunami of new regulations as well as the restoration of many regulations that were in place during the Obama administration. Let’s take a closer look at the most significant regulations coming into focus and how they will impact banks and consumers alike:

  • The Consumer Financial Protection Bureau (CFPB) issued advance notice of a proposed rule-making that would implement Section 1033 of the Dodd-Frank Act, considered the first step in setting standards in the U.S. around Open Banking. If passed, this would create a standardized approach for banks and financial institutions to work from.
  • Issued in 2019 and still evolving, the Federal Trade Commission announced proposed amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act. The proposal includes several changes. Among them, financial institutions and applicable businesses are required to encrypt customer data, implement access controls to prevent unauthorized users from accessing customer information, and use multi-factor authentication to access customer data. The rule would apply to banks and businesses providing financial services.
  • Banks are also focused on fraud prevention, and the Federal Financial Institutions Examination Council (FFIEC) will probably update its guidance on Internet Banking Authentication. The guidance was last updated in 2011, and an update will take into account a decade of technology innovation across authentication solutions. We consider this important given that the Financial Crimes Enforcement Network (FinCEN) recently reported that more than $1 billion per month is lost to identity-related cybercrimes, including $350 million per month lost to Account Takeover Fraud.

Here are four steps banks can take right now to comply with the regulations impacting the financial services industry in 2021:

  • Follow closely the Advance Notice of Proposed Rulemaking (ANPRM) from the Consumer Financial Protection Bureau on Open Banking in the coming months. If Open Banking becomes the norm in the U.S., we’ll see banks and payment service providers also leverage biometrics for various authentication approaches.
  • Implement APIs to share customer data, as it’s unlikely a U.S. Open Banking policy will permit screen scraping, which provides credential-based access to bank customers’ accounts.
  • Modernize authentication approaches to combine multi-factor authentication with biometric modalities such as face, fingerprint, voice and iris scan to protect customer data and provide a frictionless, secure user experience for customers under the pending new regulations.
  • Combine AI with machine learning (ML) to detect the likelihood of an action being anomalous, or the likelihood of fraud, in real time. Banks should also leverage ML to adapt biometric authentication types to the level of risk through continuous risk monitoring.

The cost of fraud has escalated with synthetic identity fraud expected to reach $4.1 billion by 2023 according to Aite Group. This past fall the Federal Reserve convened a focus group to develop an industry-recommended definition of synthetic identity fraud. The Federal Reserve says this type of fraud has flown under the radar for years at many financial institutions because of misclassifications or simply a lack of understanding. The Fed anticipates a more specific definition will help improve measurement, reporting and detection of synthetic identity fraud within organizations and across the payments industry.

The focus group plans to publish a recommended definition in early 2021, which could lead to new regulations to guide the banking industry’s use of technology in the coming year.

Moving forward, expect banks and financial institutions to balance the usability of their platforms with security tools for identity verification and authentication, leveraging biometrics along with AI and ML to combat the rising wave of fraud targeting digital channels.

Michael Magrath, director, global regulations and standards, OneSpan

The post How security pros can prepare for a tsunami of new financial industry regs in 2021 appeared first on SC Media.

Oracle Database 21c introduces 200+ innovations

Oracle announced that Oracle Database 21c, the latest version of the world’s leading converged database, is available on Oracle Cloud, including the Always Free tier of Oracle Autonomous Database. Oracle Database 21c contains more than 200 new innovations, including immutable blockchain tables, In-Database JavaScript, native JSON binary data type, AutoML for in-database machine learning (ML), and persistent memory store, as well as enhancements for in-memory, graph processing performance, sharding, multitenant, and security. Unlike other vendors’ … More

The post Oracle Database 21c introduces 200+ innovations appeared first on Help Net Security.

Fujitsu opens door, invites ‘200 to 250’ staff from UK Delivery team to walk out

Juicier payoff for those who do, but employees fear process will become compulsory if numbers aren’t met

Fujitsu is looking for hundreds of volunteers in its UK Delivery organisation to leave with an enhanced payoff, though only employees with at least five years’ service can currently apply. At the same time it is running a small redundancy process in other areas of the business where contracts are running off.…

Most containers are running as root, which increases runtime security risk

While container usage reveals organizations are shifting left by scanning images during the build phase, DevOps teams are still leaving their environments open to attack, according to Sysdig. The report also looks at trends, finding a 310 percent growth in container density since 2017, and reveals how organizations of all sizes and across industries are using and securing container environments. Among its findings, the report states that while 74 percent of customers are scanning before … More

The post Most containers are running as root, which increases runtime security risk appeared first on Help Net Security.

Minimizing cyberattacks by managing the lifecycle of non-human workers

The number of non-human workers is growing, particularly as global organizations increasingly prioritize cloud computing, DevOps, IoT devices, and other digital transformation initiatives. Yet, organizations frequently only apply access controls to humans (employees, contractors, etc.), despite the risks associated with cyberattacks and data breaches linked to non-human workers and their privileged access to sensitive information. Further, when a human worker leaves an organization, the organization generally has set processes to revoke that employee’s access to … More

The post Minimizing cyberattacks by managing the lifecycle of non-human workers appeared first on Help Net Security.

Healthcare IT teams battle with technical challenges to ensure network resilience and security

IDG surveyed IT leaders from hospitals, primary and urgent care facilities, pharmaceutical companies, and other healthcare entities. The goal was to shed light on how pandemic-driven changes, including increases in telemedicine and remote workers, have accelerated demands for network resiliency and cloud security, as well as the need for an integrated approach to solving these challenges. “Healthcare IT teams have daunting technical challenges to ensure network bandwidth, resilience, and security in the face of surging … More

The post Healthcare IT teams battle with technical challenges to ensure network resilience and security appeared first on Help Net Security.

Capital projects delayed or put on hold due to pandemic

61% of owner-operators of factories, mines, refineries and public, telecommunications and utility infrastructure organizations expect new projects to be delayed or put indefinitely on hold because of the COVID-19 pandemic, Accenture reveals.

Pandemic impact: Capital projects delayed

Additionally, 35% of engineering, procurement and construction service providers (EPCs) surveyed indicated that the scope of ongoing projects will likely be adjusted. The report features a survey of more than 700 senior executives globally and found that the … More

The post Capital projects delayed or put on hold due to pandemic appeared first on Help Net Security.

43% of financial services orgs plan to increase private cloud investments

Nutanix announced the financial services industry findings of its report, measuring organizations’ plans for adopting private, hybrid and public clouds. The findings point to a digital transformation within the industry, with 50% of respondents reporting that COVID-19 caused them to increase their investment in hybrid cloud. In the industry’s five-year outlook, hybrid cloud is the only IT model showing positive growth among financial company respondents, and it is expected to increase by 39% in that … More

The post 43% of financial services orgs plan to increase private cloud investments appeared first on Help Net Security.

PrivaceraCloud: A SaaS-based data security and governance platform

Privacera announced the general availability of PrivaceraCloud, a new SaaS-based data security and governance platform that enables faster cloud onboarding and data access governance for hybrid and multi-cloud data services. Specifically architected for the cloud, the SaaS offering provides immediate value by lowering the cost and management burden of the underlying on-premises infrastructure and by empowering IT teams to focus on value-added tasks. Organizations can deploy PrivaceraCloud in minutes without leveraging container technology, configuring the … More

The post PrivaceraCloud: A SaaS-based data security and governance platform appeared first on Help Net Security.

LaSalle Solutions LAMP 5.0: Enhanced security features, processes, automation, and search

LaSalle Solutions is launching LAMP 5.0, the latest version of the industry benchmark technology information management platform. LAMP will be more scalable, agile, resilient and secure than ever before. By leveraging public cloud technologies including containers and Kubernetes orchestration, LAMP 5.0 delivers more accurate information directly from the cloud, with superior process and deeper automation, more scalable search and security optimized for an evolving world of mobile workforces and new privacy laws. LAMP 5.0 is … More

The post LaSalle Solutions LAMP 5.0: Enhanced security features, processes, automation, and search appeared first on Help Net Security.

QuoLab releases reporting capability allowing users to generate reports that deliver actionable intelligence

QuoLab Technologies is introducing a new reporting capability. The feature allows users to generate meaningful, tailored reports that deliver actionable intelligence related to incidents, attacks, threat actors and more to customers and clients. These reports provide target audiences with the complete tactical and strategic information they need to contextualize, respond, and defend themselves in a holistic manner. This update is welcomed by operational and technical teams that need to convey complex, critical information to leadership … More

The post QuoLab releases reporting capability allowing users to generate reports that deliver actionable intelligence appeared first on Help Net Security.

Confluera expands XDR capabilities with VMware Carbon Black

Confluera announced interoperability with VMware Carbon Black that will further expand Confluera XDR’s security ecosystem coverage to include VMware Carbon Black Cloud Workload Protection. Together, the industry-leading solutions will be able to deliver faster incident analysis and holistic threat detection that are much needed in the industry. “For security and IT teams, now is the time to refocus defenses as the threat landscape evolves and attacks become more frequent and increasingly sophisticated,” said Tom Corn, … More

The post Confluera expands XDR capabilities with VMware Carbon Black appeared first on Help Net Security.

Google: Attacker ‘likely’ had access to Android zero-day vulnerabilities

Google’s Project Zero on Tuesday introduced a six-part series that offers an analysis of four zero-day vulnerabilities on Windows and Chrome, and known-day Android exploits it found during the team’s extensive research last year.

In a blog post the team said it uncovered the vulnerabilities after they found a watering hole attack in Q1 2020 performed by a highly sophisticated threat actor. The researchers said they discovered two servers that delivered different exploit chains. One server targeted Windows users, the other targeted Android. From the exploit servers, the Project Zero team extracted the following:

  • Renderer exploits for four bugs in Chrome, one of which was still a zero-day at the time of the discovery.
  • Two sandbox escape exploits abusing three zero-day vulnerabilities in Windows.
  • A “privilege escalation kit” composed of publicly-known N-day (known-day) exploits for older versions of Android. Based on the actor’s sophistication, the researchers think it’s likely that they had access to Android zero-days, but they didn’t discover any in their analysis.

Throughout the six-part series, the researchers aim to share the technical details of different portions of the exploit chain, largely focused on what the team found most interesting. They include a detailed analysis of the vulnerabilities exploited and each of the different exploit techniques; a deep look into the bug class of one of the Chrome exploits, and an in-depth teardown of the Android post-exploitation code.

The four zero-days discovered by Project Zero have been fixed by the appropriate vendors and include the following:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)

Hackers look to exploit mobility trend

Hank Schless, senior manager, security solutions at Lookout, said the discovery by Project Zero illustrates that threat actors see computers and mobile devices as equally valuable targets. Schless added that as society becomes more reliant on Android and iOS devices, mobile devices have access to just as much valuable data as laptops and desktops.

“The Android component exploits older versions of the mobile operating system, which is a common tactic,” Schless said. “I think there will be an increase in zero-day attacks on mobile operating systems over the next year or two as reliance on mobile devices increases. Attackers constantly adapt their tactics to be effective on the platforms their targets use most. As individuals and enterprises become more reliant on mobile, attackers are following suit and prioritizing mobile devices, users, and apps as their primary targets. Attackers also know that, even if users have automatic updates turned on, they tend to be slow to update their apps and operating systems.”

Schless said watering holes are used frequently to lure targets to malicious websites. Once the target visits the malicious site, the attacker can phish the victim for login credentials, deliver a malicious app, or exploit a vulnerability in the web browser to gain administrative privileges on the device itself.

“This attack chain is viable for targeting both mobile and desktop users, but has a greater chance of success on mobile devices because of their smaller screen and simplified user experience,” Schless explained.

Chad Anderson, senior security researcher at DomainTools, added that the vulnerabilities uncovered by Project Zero are significant for a number of reasons, but mainly because, while they have been patched, the Android landscape remains very diverse, with a large number of devices that rarely, and often never, get updated.

“That means we have a class of interesting vulnerabilities in the Chrome V8 JavaScript rendering engine that are reliable exploitation vectors going forward that allow for privilege escalation on both Android and Windows devices,” Anderson said.

Anderson said the Google findings are also significant because they show a very sophisticated actor writing Android zero-days, and the evidence indicates that post-exploitation they have more device-specific exploits to employ. He said that while these exploits have been burned, they do reveal the hand of a confident and capable attacker.

“Finally, Project Zero says that there is clear evidence that the attacker is developing exploits against older Android devices long past their manufacturers support date,” Anderson said. “These devices linger for a long time and are rarely updated. The attacker sees this and knows there is value in continuing to exploit those devices going forward long past their support date.”

Chris Morales, head of security analytics at Vectra, said usually when an attack gets termed “advanced” it’s because some prevention vendor was bypassed and had to explain to its customers why they didn’t detect the intrusion.

Morales said the attack described by Project Zero does look thorough and actually advanced – so much so that while the attack has not been attributed to anyone, the number of people with the skill and means to do this is very small.

“The SolarWinds breach exposed the entire attack surface of thousands of companies,” Morales said. “This is a universal method of infection with a broad attack surface. Combine the two and there’s a serious need for behavior-based lateral movement detection in every industry.”

The post Google: Attacker ‘likely’ had access to Android zero-day vulnerabilities appeared first on SC Media.