[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* 2016: The year of application layer security in public clouds
* Dangerous open-source bugs lurk inside most commercial apps
* The critical first hours of a data breach: What to do when your business has been hacked
* What’s Next For Network Security
* Why Physical Security Professionals Need to Get to Grips with Cyber Security
* Now experts say don’t change your password! Security services say workers may be safer from hackers if they keep the same login
* Online transaction fraud to reach $25 billion by 2020
* Microsoft publishes Security Intelligence Report, including cloud data for the first time
* American Bar Association releases cyber insurance guide for lawyers
* Microsoft: 2015’s Most Popular Exploit Was a Vulnerability Discovered in 2010
2016: The year of application layer security in public clouds
Our State of the Cloud Survey estimates that 93 per cent of respondents are adopting cloud – 88 per cent are using public cloud, 63 per cent using private cloud, and 58 per cent using both.
‘Hybrid Cloud’ will mean cloud computing resources are interoperable with all technologies, hardware, providers, and geographies.
Developers of the world will be free to build applications without any thought to the underlying architecture.
Security focus shifts from the datacentre to just the data
As data platforms modernise, security will evolve as well.
No longer will organisations just build massive walls around a corporate datacentre to keep out all potential attackers.
The limitations of the physical network architectures will be magnified once enterprises see the difference between an underlay for bulk transport and an overlay for application specific use-case tuning.
The glaring security holes in physical networks once obfuscated will reveal themselves.
The collision between the cloud way and the physical datacentre way will be violent.
The concept of an on-premise datacentre will change in 2016 both in how it will be built and how it will be consumed.
Those with groups already working in the cloud will easily transition to a more flexible and efficient environment.
It may be called private cloud or software-defined datacentre, but the name won’t matter.
The question for 2017 is ‘when will the traditional physical datacentre way become extinct?’
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6506de72fb&e=20056c7556
Dangerous open-source bugs lurk inside most commercial apps
The security of open-source components is a blind spot that’s leaving businesses exposed to dozens of very old bugs, security firm Black Duck Software contends in a new report, based on open-source security work it’s conducted.
IBM recently tapped Black Duck Software for its IBM Security AppScan to scan and map out potentially vulnerable open-source components in use.
The report summarizes 200 commercial applications the firm audited for customers in the six months to March.
The firm finds that the average commercial application consists of over 100 open-source components.
However, at the beginning of an audit customers are only aware of about half of these.
Indeed, the report finds that 67 percent of commercial applications contain vulnerable open-source components and that each application, on average, has five vulnerable components that contain multiple individual vulnerabilities.
According to the firm’s numbers, each application has 22.5 individual vulnerabilities across different components.
Black Duck Software product strategy VP Mike Pittenger said the problem isn’t the use of open source but rather the lack of visibility in its use and a lack of awareness of new vulnerabilities.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b69d5cf9bb&e=20056c7556
The critical first hours of a data breach: What to do when your business has been hacked
Firstly, a data breach costs money – £1.2m on average according to the Risk:Value report from NTT Com Security.
Brand reputation also takes a huge hit from a data breach; you only need to look at the impact of the TalkTalk data breach – over 100,000 customers and £60m lost.
The name of the data breach response game is protection – protect your assets, brand, reputation, customers and long-term future.
Following a data breach you must lock down your systems.
After having quarantined the vulnerability, it is imperative that you find out if the attackers have any other paths into your systems – the ‘three-pronged attack’ is becoming more and more popular among hackers, as Laurance Dine, Managing Principal of Investigative Response at Verizon Enterprise Solutions, told CBR:
Russell Kempley, Head of Cyber Technical Services at BAE Systems, advises implementing the following procedure:
1- Assign an incident co-ordinator who can liaise with investigation teams and management.
2- Ensure evidence is being captured and preserved – logs should be collected from key devices and extra logging enabled if the attack is ongoing. Compromised assets should be isolated from the network if appropriate to the type of threat and business impact.
3- Conduct an initial assessment to identify actual or potential business impacts; this informs the response strategy and what the key outstanding questions are.
4- Call in specialist investigation support to help get accurate answers quickly and guide the business through the recovery. The UK Government / CESG has a scheme to certify incident response specialists so that you can choose a firm with confidence.
5- Take action, inform management and other stakeholders, and seek advice from legal and communications teams.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59ce80c491&e=20056c7556
What’s Next For Network Security
LAS VEGAS – Interop 2016 – Network security as we know it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.
But a software-defined network architecture comes with some security risks of its own.
It leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments.
It’s possible to hack a virtual machine and basically “blow up that whole box and the network with it,” he says.
“You can take the first few digits of a MAC address and … know it’s a VM,” he says. “You can take that VM and pop it and do resource-exhaustion” and use that to DDoS the SDN.
That would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.
The best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.
“Security is really just another part of the infrastructure, and a fundamental” part of a software-defined security framework, he said.
But firewall, IDS/IPS, and other hardware-based platforms aren’t going anywhere any time soon.
A virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. “And because it’s in a VM, it’s easier to scale, too.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e47236a7ba&e=20056c7556
Why Physical Security Professionals Need to Get to Grips with Cyber Security
‘Stop thinking cyber security is an IT problem, because it’s not; it’s a business problem’, advised industry expert, Mike Gillespie, at a recent NSI Summit.
A couple of examples…
Number one: Last year, news broke that hundreds of CCTV systems were live-streaming content across the internet.
Nearly all of those systems, Mike explained, had been compromised because an installer had not changed the default username and password.
Number two: Mike identified a server on a client’s network, but couldn’t find it using schematics.
The IT manager claimed to know nothing about it and, on paper, it didn’t exist.
Eventually, the Facilities Manager admitted he had added it to the system, without communicating the change or being aware of the threat.
The key advice for attendees at the NSI Installer Summit was ‘stop thinking “I’m not a big corporate, this doesn’t matter to me”’.
This is impacting real, physical environments and it has the potential to cause widespread chaos.
It’s not just the lazy hackers who are after us, but also well-resourced, capable people – sometimes state-sponsored, sometimes terrorists.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fbaf839da4&e=20056c7556
Now experts say don’t change your password! Security services say workers may be safer from hackers if they keep the same login
In a new briefing to Whitehall, power stations, banks and the public sector, cyber experts at CESG – the information security arm of intelligence agency GCHQ – concluded: ‘It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack.’
The advice continues: ‘Most password policies insist that we have to keep changing them.
And when forced to change one, the chances are that the new password will be similar to the old one.
‘Attackers can exploit this…New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out…CESG now recommends organisations do not force regular password expiry.’
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c76b0db6ea&e=20056c7556
Online transaction fraud to reach $25 billion by 2020
Online transaction fraud is expected to reach $25.6 billion by 2020, up from $10.7 billion last year, according to Juniper Research.
This means that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent.
The new study identified three hot areas for online fraud:
* eRetail (65% of fraud by value in 2020 – $16.6 billion)
* Banking (27% – $6.9 billion)
* Airline ticketing (6% – $1.5 billion)
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1c9e55579d&e=20056c7556
Microsoft publishes Security Intelligence Report, including cloud data for the first time
Microsoft has published its latest biannual Security Intelligence Report (SIR), covering the second half of 2015.
The SIR “analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide.”
This report, its twentieth in the last ten years, includes security data from the Microsoft cloud for the first time, which the company says “reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.”
From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
* The number of systems that encountered malware in 2015 increased in the second half of the year.
* The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
* The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal, which all had encounter rates above 50%.
* Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015.
* The Angler exploit kit was the most commonly encountered exploit kit family.
* Although ransomware had relatively low encounter rates (the worldwide encounter rate for ransomware was 0.35 percent in the first quarter of 2015 and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1c76e4ce5c&e=20056c7556
American Bar Association releases cyber insurance guide for lawyers
The American Bar Association’s Standing Committee on Lawyers’ Professional Liability on Thursday introduced a guide for attorneys on cyber liability risk and insurance.
Topics in the guide, “Protecting Against Cyber Threats: A Lawyer’s Guide to Choosing a Cyber-Liability Insurance Policy,” include why law firms should purchase cyber liability insurance, understanding the coverage, how to prevent coverage gaps and the importance of breach response, among others.
The guide also includes a list of cyber liability insurers that insure law firms and their contact information.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fc1424a516&e=20056c7556 (http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=66ace926d6&e=20056c7556)
Microsoft: 2015’s Most Popular Exploit Was a Vulnerability Discovered in 2010
According to Microsoft’s security team and data from its anti-malware products, during 2015, the most popular security exploit was CVE-2010-2568, a vulnerability discovered in 2010 and also used in the infamous Stuxnet attacks.
CVE-2010-2568 is a security bug found in older versions of the Windows Shell and affects Microsoft’s Windows 7, Vista, XP, Server 2008 and Server 2003 operating systems.
The vulnerability allows an attacker to deploy LNK or PIF files on an affected system and then execute code on the user’s computer, effectively taking over the device.
The report also highlights positive findings, the company revealing that the number of users that employ real-time security software is growing.
According to the company, the needle moved from 74.3 percent to 77.1 percent over the course of last year.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b4e9c7996e&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com