Sunday, June 30, 2019

Business security in the age of malicious bots

As most technologies, bots can be used for good and bad purposes, and the information security industry is doing its best to minimize the adverse effects of the latter activities.


Bots everywhere

“At its core, automation enables a bad actor to scale their business model, which significantly enhances the economics of their attacks,” says Sam Crowther, founder and CEO of Kasada, a global cybersecurity company that has been fighting against bots since 2015.

“As more and more people transact online, the number and potency of bot attacks has escalated. Malicious automated bots exploit legitimate application functionality, and they’re delivered at a scale to make them economically viable. Account takeover attacks, for example, perform automated logins with the goal of compromising user accounts. They do this by stuffing millions of cheaply-sourced stolen credentials into bots.”

The company has seen bots impact large organizations’ security infrastructure in multiple ways, and these attacks often result in negative financial implications, both concrete and less tangible ones.

“Bots are at the heart of large credit card washing and gift card fraud campaigns, and steal inventory worth millions of dollars. At the same time, they also typically generate large volumes of alerts to a SOC, which a highly-skilled and well-paid engineer will have to sift through. Repeat that multiple times a day, and the time and effort impact on SOC engineers mounts quickly,” Crowther explains.

Then there are also the bots that scrape content from different websites so it can be reproduced on others, effectively stealing intellectual property en masse and bringing attackers undeserved financial gains.

Finally, there are the bots that perform DoS attacks, allowing attackers (including competitors) to disrupt or take down a business’s website.

“When it comes to DDoS, unfortunately, L7 DDoS attacks can only be stopped by analyzing the connecting client. This means that legacy CDN solutions that perform analysis on the HTTP request are ineffective at preventing these attacks. This lends itself to creating an anti-automation strategy, in order to make your organization an uneconomical target,” he notes.

Changing defenders’ mindset

Automation is the nucleus of the bad bot business model, and it’s going to remain so because automation drives down the cost of attacks and increases potency, Crowther says. This means security professionals must understand how attackers can abuse legitimate, online functionality for financial gains.

“Our business is determined to shift the balance in favor of defenders. We know the key to winning is making attacks uneconomical. Disrupt the time, effort, cost and reward of attacks, and you’ll defeat assailants,” he explains.

He also believes that defenders must change their mindset.

“Baseball coaches are known to say: ‘Play the ball before it plays you!’ That’s sage advice for those on the security pitch,” he opines. “The key reason many are caught in a ‘cat and mouse’ cycle is defenders are stuck believing adversaries attack and defenders respond.”

At the same time, getting ahead of the curve on security threats doesn’t happen by chance – especially for infosec businesses.

“If you’re not fostering an environment of creativity and thinking differently, then you’re giving attackers and competitors an edge,” he notes.

Finally, he points out another thing these companies should be aware of: most buyers of security products and services are overwhelmed, as they are often left staring at a sushi train of choice, not knowing what exactly they are looking at.

“If you want people to listen, you must speak their language. That’s a language grounded in their needs and concerns. You must also demonstrate that you and your team are solving real world problems,” he advises.


from Help Net Security https://ift.tt/2JlREPQ

How the healthcare industry can improve online trust


Privacy on the internet is important in all industries, but none more so than the healthcare sector, which handles mass amounts of online health data daily. While any data loss (financial, identification, passwords, etc.) is significant, it can be particularly wrenching to think of one’s personal medical details floating in the cloud, accessible to anyone with the right capabilities.

Whether in adherence to regulations or corporate ethics, healthcare companies have a duty to remain vigilant when it comes to safekeeping personal health records, a task that requires an ongoing commitment.

The issues with the healthcare industry and their data security recently came into sharp focus when flagged by the Internet Society’s Online Trust Alliance (OTA), a non-profit organization that identifies and promotes security and privacy best practices on the web. Annually, the OTA conducts its Online Trust Audit, which analyzes the security and privacy practices of more than 1,200 organizations in a variety of verticals.

The healthcare vertical, a new sector added this year, included pharmacies, testing labs, insurance companies and hospital chains. And surprisingly, the group had the lowest overall data protection rankings, with only 57% of the sites receiving a high grade.

The low ranking of healthcare paints a concerning image for customers who are used to transmitting health information online. While the sector did rank high in the privacy category, it showed sparse adoption of email authentication, had the second lowest site security score and came in last in use of always-encrypted sessions. These basic protections are crucial to ensure that consumers are less likely to receive phishing messages purported to be from healthcare providers and that data is safeguarded.

In addition to lower rankings overall, the healthcare industry experienced the second-highest level of data breaches, just behind the consumer sector. The number of records lost ranged from a handful to more than 150 million. OTA’s analysis also revealed that 15% of the audited organizations across all verticals experienced one or more incidents, up from 13% in 2017 and 5% in 2016. The threat of breaches is clearly on the rise.

In light of these shortcomings, here are some steps the healthcare industry can take to provide the best possible data protection.

1. Employ email authentication on all communications

This is the area where healthcare organizations had the biggest shortfall. By utilizing email authentication (SPF and DKIM), organizations can help protect their brands and prevent consumers from receiving spoofed and forged email.

Email authentication allows senders to specify who is authorized to send email on their behalf. Building on email authentication protocols, DMARC adds a policy assertion providing receivers direction on how to handle messages that fail authentication. Healthcare websites should utilize all available email authentication tools to ensure safe correspondence.
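To make the receiver's side of this concrete, here is an added example (not code from the article or from OTA) of a minimal DMARC evaluator: it parses the DMARC record published by the domain in the message's From: header, combines it with the SPF and DKIM results a receiving server has already computed, checks identifier alignment, and returns the disposition the sender's policy requests. All domains, records and results are constructed sample data, and the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
"""Added example, not code from the article or from OTA: a minimal DMARC
policy evaluator over constructed sample data."""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver's SPF and DKIM checks produced for one message."""
    spf_result: str    # "pass" or anything else
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_result: str   # "pass" or anything else
    dkim_domain: str   # d= tag of the signature that verified ("" if none)


def evaluate_dmarc(from_domain: str, record: str, results: AuthResults):
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = results.spf_result == "pass" and aligned(
        from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and aligned(
        from_domain, results.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Messages from a subdomain fall under sp= when it is present, else p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


# Constructed sample: a clinic publishing p=reject with strict DKIM alignment.
CLINIC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@clinic.example"

# A spoofed message: From: clinic.example, but SPF passed only for the
# sender's own bulk-mail domain and no DKIM signature verified.
SPOOFED = AuthResults("pass", "bulk.mailer-example.net", "fail", "")

# A legitimate message signed with the clinic's own key.
LEGIT = AuthResults("fail", "", "pass", "clinic.example")

if __name__ == "__main__":
    print(evaluate_dmarc("clinic.example", CLINIC_RECORD, SPOOFED))  # ('fail', 'reject')
    print(evaluate_dmarc("clinic.example", CLINIC_RECORD, LEGIT))    # ('pass', 'none')
```

The spoofed message fails because its SPF pass belongs to an unaligned domain, which is exactly the gap DMARC closes over SPF and DKIM on their own.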

2. Improve site security

Organizations should implement “Always on SSL” (AOSSL), also known as “HTTPS everywhere”, on all web pages to maximize data security and online privacy. One way to do this is via HTTP Strict Transport Security (HSTS), which helps ensure that all data exchanged between the site and device is encrypted.
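As an added example (not code from the article or from OTA), the following reviews a Strict-Transport-Security header value the way a deployment check would, reporting anything that stops a site from delivering always-encrypted sessions. The one-year max-age threshold is an assumption taken from the preload list's submission requirements, and the sample headers are constructed.

```python
"""Added example, not code from the article or from OTA: review an HSTS
header value and report weaknesses. Sample headers are constructed."""

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum for max-age


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def review_hsts(value: str, served_over_https: bool = True) -> list:
    """Return a list of findings; an empty list means the policy is preload-ready."""
    findings = []
    if not served_over_https:
        findings.append("browsers ignore HSTS received over plain HTTP; serve it over HTTPS")
    d = parse_hsts(value)
    if "max-age" not in d or d["max-age"] is True:
        findings.append("missing max-age: the header is invalid and ignored")
        return findings
    try:
        max_age = int(d["max-age"])
    except ValueError:
        findings.append("max-age is not an integer: the header is invalid and ignored")
        return findings
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy, disabling HSTS")
    elif max_age < ONE_YEAR:
        findings.append("max-age below one year: not eligible for the preload list")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" not in d:
        findings.append("preload missing: the first visit before the header is seen is unprotected")
    return findings


# Constructed sample headers for a few deployments.
SAMPLES = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "weak":   "max-age=300",
    "off":    "max-age=0; includeSubDomains",
    "broken": "includeSubDomains",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, review_hsts(header))
```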

Organizations should also implement a Web Application Firewall to monitor HTTP conversations and block common attacks such as cross-site scripting (XSS) and SQL injections (only 30% of healthcare sites do this, which is well under the overall average of 71%).

3. Implement a vulnerability disclosure mechanism

This is also known as “responsible disclosure” or “coordinated disclosure,” and allows security researchers to report discovered vulnerabilities in a responsible manner. Only 3% of healthcare sites use such a mechanism, either via a form or email address on the website, or through third-party bug bounty programs. By providing this mechanism (and the back-end process to respond to it), companies can address vulnerabilities before they are public.

Healthcare websites need to stay up-to-date on the latest security protocols available to them when safeguarding customers’ medical data, and the protection of this information needs to be an ongoing area of focus for companies that seek to transmit personal information online.


from Help Net Security https://ift.tt/2XDba3t

Bringing more talented individuals into the security industry

In this interview, Tony Vizza, Director of Cybersecurity Advocacy, Asia-Pacific, (ISC)2, talks about the growing information security skills shortage, the importance of education, and the upcoming gathering of industry leaders at (ISC)2 Security Congress in Orlando, Florida.


Why do you think (ISC)2 membership and advocating for the cybersecurity profession is so important in your region of Asia-Pacific?

As we learned in our 2018 Cybersecurity Workforce Study, the overwhelming majority (2.14 million out of 2.93 million needed professionals) of the global skills shortage exists in the Asia-Pacific region, so we have significantly more work to do in terms of filling cybersecurity roles in our region than in any other part of the world.

Achieving (ISC)2 certifications is certainly one way to demonstrate and validate broad-based skills and knowledge of the fundamentals of cybersecurity, as well as serving as a marker that hiring managers can look for in order to feel confident in the individuals they are bringing into their teams. Certification demonstrates the applicant’s commitment in continually improving their skills to stay up-to-date on the latest threats and technologies, and that’s essential in an environment where change is constant.

The reason that I consider advocating for the profession to be such a massive responsibility is that we’re at an inflection point where the need to find and cultivate the next generation of talent is fundamental to our global security, across many and all economies. What we do now to nurture and grow a diverse workforce will have repercussions for years to come.

As a part-time instructor, what impact do you believe education can have on bringing more talented individuals into the security industry?

There are two major prongs to education that can impact cybersecurity staffing. First, our profession is definitely challenged by a lack of understanding or appreciation of what it is we actually do, particularly at the earlier stages of formal education systems. When young people are exposed to this field, able to break down many of the perceptions that exist about cybersecurity and recognize that it could be an achievable career path, we’ll open the industry up to a greater volume and diversity of talent, particularly if our primary and secondary schools offer more practical learning paths and coursework.

Second, as I alluded to before, even certified professionals with lots of experience need to continue to train and improve their skillsets. That’s why (ISC)2 developed the Professional Development Institute, which is a robust portfolio of online self-paced courses that serve as a go-to resource for timely and relevant continuing education opportunities to help keep skills sharp and curiosity piqued. These courses are free to our members and by the end of this year we’ll have a portfolio of roughly 30 available, covering a vast range of topic areas.

We’re also very excited about this year’s (ISC)2 Security Congress taking place from October 28-30 in Orlando, Florida. While this has traditionally been a North American conference in the past, the 2019 iteration will be a truly global event, with 4,000 attendees expected from all across the globe, and more than 175 sessions planned on a range of topics that will be educational and actionable. Having attended the conference myself last year, I can say with great confidence that attending such events and networking with others in the industry is a great way to keep abreast of the latest trends in cybersecurity.

What do you see as the most important steps organizations of all sizes can take in order to address the growing cybersecurity skills shortage?

I don’t think it comes as any surprise that companies are essentially in competition for the best talent, and as such, should take an inward look at how they market themselves and appear to candidates. Part of this was covered in (ISC)2’s 2018 research Building a Resilient Cybersecurity Culture, which found that those companies whose executive teams prioritized cybersecurity and reinforced good practices were much more successful in hiring and retaining enough talent to make them feel confident in their defenses.

Organizations should also look at opportunities such as mentorship programs, cross-training from different departments and subsidizing continued training for their IT and cybersecurity staffs in order to develop new talent.

What have been the major security developments in the past year, and how have these informed the (ISC)2 Security Congress agenda for 2019?

To a large extent, the topic submissions we receive from our speakers, many of whom are our members, really drive the content for the agenda each year. As such, for 2019 we established a Security Automation track to deal with machine learning and artificial intelligence, which was a particular area of interest for our applicants.

Additionally, we expanded our Privacy track based on interest and demand, particularly with the attention that the California Consumer Privacy Act (CCPA) is generating, as well as the increasing prevalence of mandatory breach reporting directives in economies across the world, including Asia-Pacific.

And on a slightly different note, this year we’re introducing a “Student Experience” program to offer sessions aimed at students and newcomers to the cybersecurity practice. This is an effort to build that awareness around what a great profession and career path it is and encourage students to seek out education, training and ultimately, opportunities.

What trends or sessions do you think will be of particular interest?

We’re all very excited to hear our keynote speakers this year, including Captain “Sully” Sullenberger, Admiral William H. McRaven, Catherine Price and Erik Wahl. We have received some outstanding submissions in the area of ICS and Critical Infrastructure that I feel are compelling to attend. This is an area that affects all people around the world, and to understand the impact of cybersecurity on these areas and make this meaningful to those outside of our industry who are reliant on these services will go some way to helping break down misconceptions.

I also have a close affinity for the Governance, Risk and Compliance realm and will be looking to learn new ideas and concepts in relation to this space, particularly with the regulatory changes that are ever-constant. On a personal level and as a student of law, the Privacy track will guarantee my attendance at many of the sessions there.

Finally, having recently gained my CCSP certification, cloud computing and the rapid changes in this space will necessitate that I attend some of the sessions within the Cloud track. The full conference schedule can be found here.


from Help Net Security https://ift.tt/2KPxiSh

Priorities IT pros follow to ensure ingrained privacy and compliance

Products that help businesses discover and map data flows top the list of purchase plans and the privacy team is playing a larger role in privacy tech purchasing decisions as organizations navigate a complex field of regulations, according to TrustArc and International Association of Privacy Professionals (IAPP).


“As the number of privacy regulations grows, organizations must contend with the complexity of managing an increasingly fragmented privacy regulatory landscape,” said Chris Babel, CEO, TrustArc.

“These rapid regulatory changes make cross-regulation management more difficult. As a result, organizational leaders are purchasing technology that can streamline the process of building global privacy compliance at scale, while turning more to privacy and data protection professionals for purchase input.”

The increasing complexity of business in the digital world, coupled with a growing list of global privacy frameworks, has increased the need for organizations to adopt solutions that demonstrate compliance and are scalable and efficient. With the entry of GDPR last year, privacy technology solutions were pushed into prime time.

Not only do privacy professionals need tools to organize and record data mapping and inventory exercises, as well as systems for conducting privacy impact assessments, they also increasingly require support with consent management, cookie compliance and data subject access requests (DSAR). The latter is becoming increasingly critical with the impending implementation of the California Consumer Privacy Act (CCPA).

Key findings

Data mapping, data discovery, assessment management, and individual rights are top growing privacy tool categories:

  • The top purchase plans for the next twelve months include Data Mapping / Flow (24%), Data Discovery (23%), Assessment Management (20%) and DSAR / Individual Rights (18%).
  • Compared to last year’s survey, demand for Privacy Legal Updates and Information Management solutions has grown by 5%.
  • Survey results showed similar privacy tech-purchasing habits among companies, regardless of size or whether in highly regulated (e.g., financial and health) or non-regulated industries.


Privacy department plays large role in purchase process:

  • Privacy teams are the leading decision input for 9 of the 11 tool categories; The top four include Program Assessments (37%), Legal Updates (36%), Data Mapping (31%), and Individual Rights (31%).
  • Privacy teams are the top budget sources for Privacy Assessment (51%), Privacy Legal Updates (45%), Individual Rights (41%), Data Mapping (35%), and Data Subject Consent (34%) tools.

from Help Net Security https://ift.tt/2FKeWxZ

What is and what is not working for security operations teams in securing cloud data

Security professionals continue to face a number of major challenges as more organizations move legacy IT operations to cloud infrastructure and applications, and traditional security tools often fall short, according to Delta Risk.


The research, produced by Cybersecurity Insiders, clearly shows that organizations must assess their cloud security posture and strategies on a regular basis and have a well-developed incident response plan that includes cloud applications and infrastructure.

Among the findings:

  • The top cloud security concern is data loss and leakage (64 percent).
  • Unauthorized access through misuse of employee credentials and improper access controls (42 percent) takes the number one spot in this year’s survey as the single biggest perceived vulnerability to cloud security, tied with insecure interfaces and APIs (42 percent). This is followed by cloud misconfigurations (40 percent).
  • Most respondents (54 percent) say cloud environments are at higher risk of security breaches than traditional on-premises environments – a 5 percent increase from last year.


“The 2019 Cloud Security Report highlights the fact that IT and security professionals have to take the lead in securing their cloud data, systems, and services under the shared responsibility model,” said Holger Schulze, CEO and Founder of Cybersecurity Insiders.


“The 2019 research supports what we hear from organizations about their challenges with effectively monitoring cloud applications and infrastructure,” said Tempy Wright, Vice President of Marketing at Delta Risk. “High-profile data breaches in the past year have driven increased concerns about the security of cloud environments, and we see this reflected in the survey results.”


from Help Net Security https://ift.tt/324K4BW

Annual spend on Mobile Edge Computing will reach $11.2 billion by 2024

Total annual spend on Mobile Edge Computing (the collection and analysis of data at the source of generation, at the Edge of the network, instead of a centralised location such as the cloud), will reach $11.2 billion by 2024, according to Juniper Research.


This is up from an estimated $1.3 billion in 2019, with an average annual growth of 52.9%.

The leaders in Edge Processing

Juniper Research ranked leading players in the Edge Processing sector by a range of factors, such as the depth of their experience in IoT, their geographical footprint, along with the number, and type, of industries served.

The top five players are:

  • Siemens
  • Bosch
  • AWS
  • VMware
  • Telit

Mobile operators to support Edge Processing of 5G applications

Juniper Research believes that mobile operators will play an important role in connecting Edge processing devices via 5G, particularly for smart city initiatives, due to the large numbers of device users they serve, as well as their ownership of mobile spectrum and local real estate assets.

Far East and China accounts for lion’s share of $9.8 billion increase

The new research, Edge Processing in IoT: Market Strategies, Challenges & Future Outlook, 2019-2024, forecasts that the annual spend on Edge processing in the Far East & China region will reach an estimated $4.6 billion in 2024, or 41% of the global total spend.

China’s three leading mobile operators have been conducting Edge processing pilots since 2017, while Huawei, Intel and Alibaba have collaborated to further Edge processing capabilities.

Research author Elson Sutanto explains: “Edge Computing and 5G, supported by continued advancements in machine learning and AI-derived algorithms, will continue to be the key drivers of Big Data analytics and complex real-time analysis at the Edge of networks.”


from Help Net Security https://ift.tt/2XDHVxK

Offensive Security launches OffSec, a new cybersecurity training program for enterprises

Offensive Security, the leading provider of hands-on cybersecurity training and certification, announced OffSec Flex, a new program for enterprises designed to simplify the cybersecurity training process and allow organizations to invest more in cybersecurity skills development.

Organizations can now use OffSec Flex to purchase blocks of Offensive Security’s industry-leading practical, hands-on training, certification and virtual lab offerings, allowing them to proactively increase and enhance the level of cybersecurity talent available within their organizations.

With Offensive Security’s hands-on courses, labs and exams readily available, organizations are able to offer educational opportunities to new hires and non-security team members alike, improving their security posture and equipping their employees with the adversarial mindset necessary to protect modern enterprises from today’s threats.

“Cybersecurity training is not just for security professionals anymore,” said Kerry Ancheta, VP of Worldwide Sales, Offensive Security.

“Increasingly we see organizations recommend pentest training courses for their software development or application security teams in order to improve their understanding for how their systems and applications are attacked.

“With the OffSec Flex program, it will now be easier for organizations to access more training options, offering cyber skills growth opportunities to more employees to better defend IT systems from sophisticated attackers outside of their companies.”

Cybersecurity spending reached new heights in 2019. Gartner estimates that it will reach $124 billion by the end of the year. Yet, while organizations are increasingly willing to spend on cybersecurity solutions, security incidents continue at an alarming rate.

Over 1.9 billion records were exposed during the first quarter of 2019, an increase of almost 30 percent. Despite increasing their cyber spend, most organizations are unable to close the cybersecurity skills gap due to a lack of available training options.

With the launch of OffSec Flex, Offensive Security simplifies the allocation and use of training budgets, making it significantly easier for organizations to invest in cybersecurity skills.

Once an organization sets its training budget, it can pre-purchase a block of Offensive Security training from across its range of offerings. It is then able to utilize that training time as needed throughout the year while extending its budget through Flex Bonus Funds, contributed by Offensive Security.

Offensive Security provides some of the industry’s most sought-after training courses and certifications, including the Penetration Testing with Kali Linux (PWK) course and the Offensive Security Certified Professional (OSCP) certification, along with the Advanced Web Attacks and Exploitation (AWAE) course and the Offensive Security Web Expert (OSWE) certification.

The company’s rigorous training programs force students to develop adversarial mindsets and persistent work habits, demanding that they think like attackers and try harder to earn the industry’s most sought-after certifications.


from Help Net Security https://ift.tt/2J1bDVm

Stellar Cyber Starlight platform now integrates with Amazon’s VPC traffic mirroring

Stellar Cyber, a Silicon Valley-based security analytics provider, announced that its Starlight platform can immediately integrate with Amazon’s newly released VPC traffic mirroring, allowing Starlight customers to get raw traffic logs from AWS environments, then utilize its advanced machine learning and AI to detect, alert, and respond to anomalous behaviors.

The RFC 7438 VXLAN capabilities that make this integration possible have been part of the company’s offerings since 2017. AWS’ new traffic mirroring validates Stellar Cyber’s vision around pervasive visibility across public, private and hybrid cloud workloads.

When traditional traffic mirroring was not feasible, Stellar Cyber’s Starlight was the first AI-based security analytics platform to enable VXLAN capabilities to capture traffic from virtual, physical and cloud environments.

For more than two years, the Starlight platform has utilized VXLAN technology to gain visibility across cloud workloads to detect and respond to threats within the AWS and other VXLAN-capable environments.

Stellar Cyber’s customers have been able to gain security visibility and automation in AWS to give them a better understanding of what is actually happening in their cloud. “Visibility and automation have always been part of the holy grail for security practitioners,” said David Barton, CISO of Stellar Cyber.

“The announcement from AWS confirms our established strategy of using VXLAN to provide that visibility, and Starlight to perform automation and response.”

With Starlight’s pervasive data collection, coupled with advanced data handling and machine learning, Stellar Cyber customers have multiple ways to detect anomalous behavior attacks across the Lockheed Martin cyber kill-chain. With defense-in-depth methodologies, an attack missed in one stage of the kill chain will be caught by Starlight in another stage.

According to a recent survey by the SANS Institute, 31 percent of responding organizations experienced unauthorized access to cloud environments or cloud assets by outsiders this year. This number is likely even higher as most of those companies didn’t have the visibility needed to detect that access. As cloud adoption rates continue to rise, this problem will only escalate.

“With tools such as Starlight, security teams have the visibility they need to collect the right data, detect anomalous behaviors, investigate and threat hunt those anomalies, and ultimately respond in automated ways to stop those threats,” said John Peterson, Chief Product Officer of Stellar Cyber.

Stellar Cyber’s new Starlight 3.1, the first Unified Security Analytics Platform that leverages artificial intelligence (AI) and machine learning (ML) for automated threat hunting and advanced breach detection, enables businesses to not only rapidly detect and contain emerging threats, but also to reap significant savings in time, costs, and human capital.

Now, security professionals who have long struggled with cyber defense activities like manual threat detection and extreme firewall noise have a solution.


from Help Net Security https://ift.tt/2Nl4eEn

Software AG launches webMethods Service Designer for building integrations and APIs

Software AG unveiled webMethods Service Designer, a lightweight integrated design and development tool for building integrations and APIs. This tool provides users free access with a one year trial license to develop Flow services, APIs and integrations using Eclipse and generate unit test cases for the purpose of DevOps automation.

Lightweight and easy to install and set up, the download comes with a simplified view of the Service Development perspective coupled with VCS integration capabilities, along with the Eclipse E-Git plugin. It can be used for developing, editing, testing and debugging APIs and their underlying services.

“The digital age is creating new business models and new opportunities virtually overnight,” said Stefan Sigg, Software AG’s Chief Product Officer.

“To compete, you need to harness your digital DNA by connecting business apps, devices, big data, the Internet of Things (IoT) and hybrid cloud and quickly be ready for what’s next. The webMethods Service Designer offers a lightweight possibility to do just that – be ready virtually overnight for whatever comes next.”

webMethods Service Designer: Free download

This free download is available in the Software AG TECHcommunity. Users can get started by downloading the zip file, extracting it, and creating APIs and services right away. The download includes:

  • Service Development plugin for designing and developing Integration Server assets (such as services, APIs, document types, triggers, and web service descriptors) and managing them with version control.
  • Unit Test Framework for creating unit tests for the services, included in Continuous Integration for build verification.
  • JDBC connectivity for integrating with SQL-based databases.

from Help Net Security https://ift.tt/2LsyMBy

Ingram Micro’s cloud migration solution to help Microsoft’s SQL Server and Server 2008 users

For users of Microsoft’s SQL Server and Windows Server 2008, the end is near: Microsoft is actively winding down service for these servers, with support for its SQL Server slated to end entirely in July of this year, and for its Windows Server 2008 in January of 2020, leaving users’ critical data unprotected moving forward.

Ingram Micro, a leading global provider of services that streamline and simplify server infrastructure design and management, is preparing its partners for SQL Server and Windows Server 2008 end-of-support with a comprehensive solution that streamlines migration to Microsoft’s modern Azure server platform.

“Companies who use Microsoft’s SQL Server and Server 2008 are facing the unavoidable July 9 deadline, and are now working against the clock to guarantee data and infrastructure vulnerability does not become an issue,” said Duncan Robinson, Global Director, Microsoft Alliance at Ingram Micro.

“This critical juncture provides a low friction window of opportunity for our partners to modernize and future-proof their clients’ businesses by migrating them to Azure. Our Azure Accelerate program and support offerings ensure this happens swiftly, effortlessly, and right on time. We’re here for our customers every step of the way, no matter how many or few steps it takes.”

Azure is the latest in Microsoft’s lineup of award-winning data management services. Compared to SQL, Azure offers IT partners greater control over their clients’ digital workplaces, as well as faster response times and simplified user interfaces.

The program empowers employee productivity through best-in-class content management and communications, streamlined project management and effective collaboration interfaces.

Ingram Micro’s Azure Accelerate program ensures that partners can transfer their clients’ businesses to Azure more efficiently than any other service available.

Through a three-step process of assessment, migration and optimization – the program is designed to fully meet each partner’s individual needs, enabling a quick, all-inclusive and straightforward journey that allows their customers to realize the benefits of Azure near instantly.

Additionally, those who join Ingram Micro’s Azure Accelerate partner program receive exclusive services, promotions and offerings to drive depth and scale in Azure consumption.


from Help Net Security https://ift.tt/2KPmXpI

Denim Group and WhiteSource to help customers manage their open source vulnerabilities

Denim Group, the leading independent application security firm, announced an integration with WhiteSource, the leader in open source security and license compliance management.

This integration will allow WhiteSource customers to view and manage their open source security vulnerabilities from within ThreadFix, enabling them to improve security management with a comprehensive view of all of the software vulnerabilities in both their proprietary and open source code.

Open source code comprises the backbone of today’s software development ecosystem, with more than 90% of applications relying heavily on open source components. However, this code can contain vulnerabilities and leave companies exposed if they are not detected and patched quickly.

Software development teams require effective tools to detect and remediate vulnerabilities within their internally developed and externally sourced code throughout the development lifecycle.

“Maintaining security within the development pipeline is vital for the DevSecOps community,” said Dan Cornell, Denim Group CTO.

“We are excited to announce our integration with WhiteSource as it is a direct response to market demand and commercially relevant products, and we are confident that it will provide current and future customers the resources necessary to manage code vulnerabilities and risk effectively.”

Through the integration with ThreadFix, WhiteSource customers will be able to consolidate their Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) results into one single unified view, streamlining their vulnerability management efforts.

The simplified view and risk-based filtering will also allow security teams to more readily prioritize vulnerabilities based on severity, giving them the perspective they require to find and remediate the most serious vulnerabilities first.

“We are excited to move forward in our partnership with the Denim Group team, making it easier than ever for WhiteSource and ThreadFix customers to manage their open source security as a part of their software development management practices,” says WhiteSource’s VP of Product, David Habusha, adding that, “It’s important to us that WhiteSource customers can manage their open source vulnerabilities as seamlessly as possible.”


from Help Net Security https://ift.tt/2ROJseT

Week in review: Vaccinating algorithms against attacks, cybersecurity pros burning out


Here’s an overview of some of last week’s most interesting news, articles and reviews:

Anatomy of a ransomware attack: How attackers gain access to unstructured data
Ransomware isn’t a new phenomenon, but its effects are starting to be felt more widely, and more deeply, than ever before. Behemoths like Sony, Nissan, FedEx, Kraft Foods and Deutsche Bank have all been hit in recent years, and the list is growing. The ongoing saga of the ransomware attack in Baltimore, MD has left citizens unable to pay parking tickets or finalize property sales.

When it comes to cybersecurity, perfection is the enemy of progress
In information security, perfection is the enemy of progress, says Lenny Zeltser, VP of Product at Axonius. But it’s one thing to know about this maxim, and another to internalize its wisdom through trial and error.

Review: Specops uReset
Specops Software came up with a tool to help with and automate the password reset procedure in a secure way. Specops uReset is a Windows-based tool that plugs into the Active Directory authentication process and allows you to customize the level of security that your organization requires by extending various multi-factor authentication options to the password reset process.

Elastic SIEM: Speed, scale, and analytical power drive your security operations and threat hunting
The initial launch of Elastic SIEM introduces a new set of data integrations for security use cases, and a new dedicated app in Kibana that lets security practitioners investigate and triage common host and network security workflows in a more streamlined way.

Cybersecurity professionals are outgunned and burned out
Nearly half (48 percent total) of cybersecurity leaders across France, Germany and the UK believe their teams are falling behind in the skills race against would-be cyber criminals, according to Symantec.

How past threats and technical developments influence the evolution of malware
If we want to anticipate how malware will evolve in the near future, we have to keep two things in mind: past threats and current technical developments.

Why businesses need IAM to push their zero trust frameworks forward
Many organizations are finding themselves between a rock and a hard place when it comes to the security of their digital transformation strategies. On the one hand, the number of data breaches continues to increase and damages stemming from cybercrime cost businesses more than $3.86 million per breach on average, according to the Ponemon Institute.

Consumers believe privacy is not possible, leading to a change in online behavior
82% of online users in the US and 75% in the UK are choosing to change the way they behave online, according to a new consumer survey by FigLeaf.

Over-reliance on public cloud vendor security puts data and companies at risk of breach
As global organizations increasingly move critical applications, regulated customer data and development work into public cloud environments, 36 percent say the number one benefit for moving workloads to the cloud is to offload security risk, a new survey from CyberArk reveals.

Google delivers new G Suite security tools
Google has announced several new security tools for G Suite admins and users, as well as a new 2FA option: one-time security codes based on security keys.

Beating biometrics: Why biometric authentication alone is not a panacea
As we witness the accelerating use of biometrics throughout our lives, we must pause to consider the risks and ramifications of doing so as technological advancements make it increasingly easy to mimic, manipulate and manufacture biometry. As the world becomes more reliant on biometric authentication, it’s vital that we understand how it’s being threatened, what happens when it’s compromised and what we can do to prevent a biometric dystopia.

Medtronic recalls vulnerable MiniMed insulin pumps
Medtronic, the world’s largest medical device company, has issued a recall of some of its insulin pumps because they can be tampered with by attackers.

Where are organizations stalling with cybersecurity best practices?
UK organizations are failing to make progress towards strong cybersecurity and are facing paralysis as cybercriminals become more advanced, according to NTT Security.

Threat actors are doing their homework, researchers identify new impersonation techniques
There is an increase in three main areas: spoofed phishing attempts, HTTPS encryption in URL-based attacks, and cloud-based attacks focused on publicly hosted, trusted file-sharing services, FireEye found, after analyzing a sample set of 1.3 billion emails.

Eurofins ransomware attack affected UK police work
Eurofins, a global provider of scientific testing services, said that operations are returning to normal after the recent ransomware attack, but that its impact on their financial results “may unfortunately be material.”

Cybercriminals leverage malicious Office docs, Mac malware, web app exploits
There’s been a 62% increase in overall malware detections in Q1 2019 compared to the previous quarter. A new WatchGuard report also found that cybercriminals are leveraging a wide array of varied attack techniques, including malicious Microsoft Office documents, Mac malware and web application exploits.

Cloud security exacerbated by immature security practices
Surveying 1,250 security decision makers across the globe, Symantec’s Cloud Security Threat Report (CSTR) uncovered insights on the shifting cloud security landscape, finding enterprises have reached a tipping point: more than half (53%) of all enterprise compute workload has been migrated to the cloud.

Emergency Presidential Alerts can be spoofed, researchers warn
Spurred by the panic-inducing fake alarm about an inbound ballistic missile received by Hawaii residents in January 2018, a group of researchers from University of Colorado Boulder wanted to check whether attackers could spoof Presidential Alerts, which are delivered to all capable phones in the United States via the Wireless Emergency Alert (WEA) program.

You don’t just acquire a company, but also its cybersecurity posture
53% of IT and business decision makers report their organization has encountered a critical cybersecurity issue or incident during a M&A deal that put the deal into jeopardy, a Forescout survey reveals.

Researchers develop a technique to vaccinate algorithms against adversarial attacks
A set of techniques to effectively vaccinate algorithms against adversarial attacks have been developed by researchers from CSIRO’s Data61.

Which SD-WAN products offer a notable return on investment?
Eight of the industry’s leading SD-WAN products were examined by NSS Labs to help enterprises understand the merits of products in the market and identify the capabilities best suited to meet their use case requirements.

Why poor visibility is hampering cybersecurity
Data from an external survey of 200 enterprise security leaders, conducted by Censuswide, reveals concerns on visibility and access to trusted data, leaving organizations open to attack. Fuelling this issue is an inability to receive timely visibility across a multitude of installed security technologies.

New infosec products of the week: June 28, 2019
A rundown of infosec products released last week.


from Help Net Security https://ift.tt/2LtHIXl

Medtronic recalls hackable MiniMed insulin pumps

Medtronic, the world’s largest medical device company, has issued a recall of some of its insulin pumps because they can be tampered with by attackers.


About the vulnerable devices

The affected devices are insulin pumps from the MiniMed 508 and Paradigm series (more specific info here).

“The potential risks are related to the wireless communication between Medtronic’s MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps,” the US Food and Drug Administration noted in the recall announcement.

“The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis (a buildup of acids in the blood).”

The vulnerability (CVE-2019-10964) is not exploitable remotely over the internet: an attacker has to be within wireless range of the pump. A high skill level is needed to exploit it.

The FDA says that they are “not aware of any confirmed reports of patient harm related to these potential cybersecurity risks” and ICS-CERT added that there are currently no known public exploits for targeting this vulnerability.

But the affected pumps can’t be adequately updated or patched and that’s the reason for the recall.

“Medtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live,” ICS-CERT noted.

“Additionally, Medtronic will be sending a letter to all patients who are current known users of these pumps further detailing the risks and defensive measures.”

The FDA says that there are 4,000 confirmed U.S. patients that use one of the affected pumps, and that Medtronic is working with distributors to identify additional patients potentially using these pumps.

Medtronic: Related security news

The company has said that previous research work by a slew of external researchers (Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts, and Jesse Young) led its internal research team to the discovery of this latest vulnerability.

Medtronic is one of the medical device manufacturers that, as part of the #wehearthackers initiative, pledged to work with security researchers to ensure their devices are secure.

It’s interesting to note that many of the vulnerable Medtronic MiniMed insulin pumps are highly prized by people with diabetes precisely because of this weakness: the pumps accept wireless commands without authentication, which lets third-party software drive them.

This makes it possible to use them with OpenAPS (“open artificial pancreas”), software that runs on a small companion device, reads the user’s blood sugar readings, calculates the right insulin dose and sends the dosing commands to the pump, sparing users from the trouble of doing that themselves multiple times per day and per night.


from Help Net Security https://ift.tt/2IWieQR

Cellebrite Claims It Can Unlock Any iPhone

The digital forensics company Cellebrite now claims it can unlock any iPhone.

I dithered before blogging this, not wanting to give the company more publicity. But I decided that everyone who wants to know already knows, and that Apple already knows. It's all of us that need to know.


from Schneier on Security https://ift.tt/2ZW9ek2

Thursday, June 27, 2019

The biggest SecOps burdens hindering progress for enterprises and MSSPs

Only 16% of security operations professionals think that their SecOps programs have reached the highest maturity level, according to a Siemplify and Cyentia Institute study.


The majority of the 250 security operations practitioners surveyed reported that they are just starting their maturity journey or are only midway through it. Among verticals, MSSPs ranked highest in SecOps maturity, as expected, while, less predictably, the traditionally regulated industries of healthcare and finance rated near the bottom.

Key security operations trends

Not all SecOps programs are created equal: For example, over half of financial firms report having 10 or more SecOps staff, but only 14% in the health care sector have that level of resources.

Tiered structure tapering: A little over half of respondents work in traditional ‘tiered’ security operations centers (SOCs), which are comprised of different analyst levels. The rest form teams of mixed roles and experience.

Structure influences strategy: Programs with a ‘tiered’ structure stress optimizing and managing tools. Those organized by ‘teams’ emphasize improving people and processes.

Teams are busy and broadly tasked: The average SecOps staff member handles 3.5 major functions, with some taking on as many as 12. Counterintuitively, those in larger firms wear more hats than their SMB counterparts.

Coding matters: 25% of staff in lower-maturity SecOps programs possess coding or scripting skills compared to 40% in higher-maturity programs.

Functions not evenly distributed: SecOps use cases like event monitoring, vulnerability management and incident response have the widest adoption among functions. Meanwhile, specializations such as threat hunting are four times less common in SMBs.

Challenges span people, processes and technology: The most common SecOps challenge experienced by respondents was lack of trained staff. Poor correlation and orchestration among processes and technologies was a close second.


SecOps maturity level

Overall, the responses yielded one clear message: SecOps maturity is about robust, documented, repeatable processes that tie technology, teams and their respective functions together to drive success.

“We already know that an overload of security alerts, reliance on manual processes and – of course – the global skills epidemic are all combining to cause chaos within IT and security departments,” said Nimmy Reichenberg, chief marketing officer at Siemplify.

“But this report goes deeper and gets more personal to help us understand what security operations professionals are feeling, how their programs are being challenged and what the future holds.”


from Help Net Security https://ift.tt/2FDaSQ5

Cybersecurity professionals are outgunned and burned out

Nearly half (48 percent total) of cybersecurity leaders across France, Germany and the UK believe their teams are falling behind in the skills race against would-be cyber criminals, according to Symantec.


This has put increased pressure on an already overloaded profession, with nearly two thirds of cybersecurity professionals considering quitting their jobs (64 percent total) or leaving the industry entirely (63 percent total).

“It is disturbing enough to know the barbarians are at the gate, without knowing the people attempting to defend you are outgunned and burned out. Yet, this is exactly what this new data reveals,” comments Darren Thomson, EMEA CTO, Symantec.

“It is hard to overstate the threat posed by an enemy that is learning faster than you are. If organisations value the security of their data and their finances, they must heed this warning and make strategic investments to address this emerging skills gap.”

Surveying 3,045 cybersecurity decision makers across France, Germany and the UK, the ‘High Alert’ study was commissioned by Symantec and conducted by Dr. Chris Brauer and his team at Goldsmiths, University of London.

The findings reveal a dire situation that is likely to become worse, before it gets better, as a vicious cycle of overload and stress is hampering professional skills development and decision making.

Just under half (44 percent total, 38 percent UK) of cybersecurity professionals say their teams lack the necessary skills to combat the threats their organisations face. Over a third (37 percent total, 23 percent UK) report their teams are simply not able to manage the sheer scale of the current workloads.

“I see a huge risk of burnout in today’s industry. Many people are operating at their limit,” says Dr Steve Purser, Head of Core Operations for ENISA and a former financial sector CISO. “When you look at the hours on top of the day job, you don’t have to be a rocket scientist to know that it’s going to take its toll.”

Falling further behind

As cybersecurity teams struggle to keep pace with would-be attackers and the speed of technological change continues to accelerate, the cybersecurity talent gap will only grow larger as organisations’ defences grow weaker. The research shows that:

  • 46 percent (39 percent UK) of cybersecurity professionals report their teams are too busy to keep up with necessary skill development
  • 45 percent (37 percent UK) say technological change is happening too quickly for them and their teams to adapt
  • Almost half (48 percent total, 46 percent UK) say attackers now have ‘unprecedented’ resources and support from ‘bad actors’, such as organised crime and state-sponsored hackers

“Cybersecurity professionals are first responders, locked into a constant arms race with attackers – where talent and skill are the most important weapons,” comments Dr. Chris Brauer, Director of Innovation, Goldsmiths, University of London.

“The vast majority find this battle of wits an exciting and deeply intellectual challenge. But, this demanding work comes with high stakes and is fought at a frenetic pace with little support. Add to this the relentless volume of alerts and more mundane tasks, and the job can quickly turn toxic.

“Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already plagued by a skills shortage, this is a significant risk to businesses.”


Taking its toll

The strain being placed on an already limited pool of cyber talent is negatively impacting the security of enterprises and the quality of threat analysis:

  • Three in four (78 percent total, 67 percent UK) of cybersecurity professionals find themselves underestimating what is required to properly deal with a cybersecurity threat or incident
  • The same number (77 percent total, 67 percent UK) find themselves rushing when assessing a threat
  • Over two thirds (69 percent total, 55 percent UK) of respondents report feeling responsible for a cybersecurity incident that could have been avoided

“We’re not going to be able to recruit our way out of the talent gap. A more systemic change has to take place,” says Darren Thomson, EMEA CTO, Symantec.

“The cybersecurity landscape has changed dramatically since today’s CISOs entered the industry. With thousands of threat events happening every second and the complexity of the IT estate growing exponentially, simply keeping pace is a challenge.”

“Defensive strategies need to change. Machine augmentation is mission critical, but security leaders must ensure that these tools don’t become part of the problem. Taking steps to reduce the complexity of cybersecurity, use of cloud-delivered security, increased automation and smart use of managed services can all help to reduce overload and improve retention.”


from Help Net Security https://ift.tt/2Xz9Leh

Consumers believe privacy is not possible, leading to a change in online behavior

82% of online users in the US and 75% in the UK are choosing to change the way they behave online, according to a new consumer survey by FigLeaf.


For these respondents, 74% say they are sharing less information online as a result. As for the 25% who indicated that recent privacy scandals had no impact on their online behavior, the prevailing reasons were that they were already highly protective of their information, or that they had accepted a lack of privacy when engaging online.

The survey follows a similar study conducted by FigLeaf in March 2018 that queried more than 7,500 users in five different countries: United States, United Kingdom, Germany, France and Australia.

The initial 2018 study, which took place prior to the Cambridge Analytica-Facebook fallout and subsequent privacy scandal stories, revealed 39% of users in the US and UK did not believe online privacy was possible.

Approximately one year later that number has jumped to 68%, demonstrating a greater awareness among consumers of their online privacy, but also a significant loss of confidence in the ability to keep personal information private.

In fact, when consumers were presented with a list of options for safeguarding their privacy online, 29% in the US and 23% in the UK still believed it was impossible to protect their digital information.

“Without question, consumers are telling us that online privacy is important to them. However, far too many believe online privacy is difficult, if not impossible, to achieve,” said Slava Kolomeichuk, CEO of FigLeaf.

“This attitude is resulting in individuals who are choosing to restrict their own online activity, which limits their personal freedom. Unfortunately, current tools do not give consumers the assurance they need that it is possible to control one’s own online privacy.”

The role of governments

The two studies also highlighted a significant discrepancy in consumers’ views of how governments should be involved in online privacy. In 2018, 75% of all respondents thought governments should protect users’ privacy, with 63% believing more laws and regulations should be enacted as part of that effort.

By 2019, however, only 6% thought privacy should be handled by the government. Instead, 21% said the companies receiving the information should be accountable to keep it private, 28% believed it was up to the individual person, and the majority of responses, 45%, considered it a joint responsibility between all three.

The attitude toward government regulation could stem from the impact of the GDPR, which went into effect May 2018. In the UK, one of the countries responsible for the legislation, only 48% of respondents believe it has given them more control of their privacy online. In the US, that number dropped to 18%, with a full 48% of users saying they did not even know what GDPR was.


“Regulation is a critical component of privacy, particularly as it relates to how individual companies can use or share someone’s private information,” said Pankaj Srivastava, COO of FigLeaf.

“Regulations, however, are in place primarily to penalize bad behavior of companies. They do not give consumers a practical way to manage their privacy on a daily basis. How many of us, for example, have requested our data to be deleted from a company’s server?

“This is because regulations are not well understood by consumers, driving greater incentive for individuals to take matters into their own hands, and ultimately leading to dissatisfaction and mistrust online.”

The survey, conducted in May 2019, included 4,088 online users across the United States and the United Kingdom, comprised of men and women ages 18 and older.


from Help Net Security https://ift.tt/2X44lDL

New infosec products of the week: June 28, 2019

Elastic SIEM: Speed, scale, and analytical power drive your security operations and threat hunting

The initial launch of Elastic SIEM introduces a new set of data integrations for security use cases, and a new dedicated app in Kibana that lets security practitioners investigate and triage common host and network security workflows in a more streamlined way.


AWS Security Hub aggregates security alerts and conducts continuous compliance checks

AWS Security Hub gives customers a central place to manage security and compliance across an AWS environment. It aggregates, organizes, and prioritizes security alerts – called findings – from AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from a large and growing list of AWS Partner Network (APN) solutions.


Threat Stack expands its host-level support for Windows Server OS

Threat Stack has expanded its host-level support to include Windows Server OS. Customers will now be able to leverage a single interface within the Threat Stack Cloud Security Platform to achieve full stack security observability across Linux and Windows cloud workloads, dramatically improving productivity.


McAfee integrates security into the DevOps process with validator for AWS CloudFormation

With McAfee MVISION Cloud, security is pushed earlier into the DevOps process so that security professionals can catch risky configurations before they become a threat in production. This gives organizations the ability to confidently deploy applications in the cloud with greater speed and efficiency.
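The kind of pre-deployment check the paragraph above describes, as an added illustration that is not McAfee’s validator or any code from MVISION Cloud: a small static checker that reads a CloudFormation template (JSON form, so it needs nothing beyond the standard library) and flags a security group that exposes a management port to the whole internet and an S3 bucket with a public ACL or without a public access block. The template, the rule names and the set of “management ports” are assumptions made for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample template (CloudFormation's JSON form) for this example.
# It is not a real deployment; "AdminSG" and "LogBucket" are deliberately risky.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                },
            },
        },
    },
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}   # assumed list of ports that must never face the world
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _open_to_world(rule: Dict[str, Any]) -> bool:
    return rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS


def _covers_port(rule: Dict[str, Any], port: int) -> bool:
    # Protocol "-1" means all traffic, so every port is covered.
    if str(rule.get("IpProtocol")) == "-1":
        return True
    try:
        return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))
    except (TypeError, ValueError):
        # Port given via an intrinsic function (Ref, Fn::...) cannot be evaluated statically.
        return False


def check_template(template_text: str) -> List[Dict[str, str]]:
    """Return one finding per risky setting in a CloudFormation JSON template."""
    findings: List[Dict[str, str]] = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress") or []:
                if not _open_to_world(rule):
                    continue
                if str(rule.get("IpProtocol")) == "-1":
                    findings.append({"resource": name, "rule": "SG_ALL_TRAFFIC_OPEN_TO_WORLD",
                                     "detail": "all protocols and ports reachable from any address"})
                    continue
                for port, label in MANAGEMENT_PORTS.items():
                    if _covers_port(rule, port):
                        findings.append({"resource": name, "rule": "SG_MGMT_PORT_OPEN_TO_WORLD",
                                         "detail": f"{label} (tcp/{port}) reachable from any address"})
        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.append({"resource": name, "rule": "S3_PUBLIC_ACL",
                                 "detail": f"AccessControl={props['AccessControl']}"})
            pab = props.get("PublicAccessBlockConfiguration") or {}
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append({"resource": name, "rule": "S3_PUBLIC_ACCESS_BLOCK_MISSING",
                                 "detail": "PublicAccessBlockConfiguration absent or not fully enabled"})
    return findings


if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE):
        print(f"{f['resource']:<12} {f['rule']:<32} {f['detail']}")
```

Run against the sample, it reports the SSH rule on AdminSG and two findings on LogBucket, and nothing on DataBucket, which has every public-access block set. The check deliberately ignores the HTTPS rule: an internet-facing 443 is usually intended, so a rule of this kind should match a small set of known-bad ports rather than any world-open rule. Wire the function into the pipeline step that runs before `aws cloudformation deploy` and fail the build on a non-empty result.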


Indegy unveils CIRRUS, offering ICS security as a cloud-delivered service

Indegy CIRRUS enables any size organization from global multi-site to single facility companies to comprehensively monitor and protect their OT networks using cloud-based technologies, and benefit from real-time threat intelligence sharing. For optimal flexibility and to support future requirements, Indegy CIRRUS can be deployed in hybrid cloud or pure cloud configurations.



from Help Net Security https://ift.tt/2KLFq6b

Over-reliance on public cloud vendor security puts data and companies at risk of breach

As global organizations increasingly move critical applications, regulated customer data and development work into public cloud environments, 36 percent say the number one benefit for moving workloads to the cloud is to offload security risk, a new survey from CyberArk reveals.


This is despite most public cloud providers publishing straightforward guidance on their shared responsibility models for security and compliance in cloud environments.

“The risks caused by a lack of clarity about who is responsible for security in the cloud is compounded by an overall failure by organizations to secure privileged access in these environments,” said Adam Bosnian, executive vice president, global business development, CyberArk.

“Despite the often sensitive and highly regulated data being stored in the cloud, it was surprising to see that less than half of organizations don’t have a strategy in place for securing privileges in the cloud, a finding that remains unchanged since our last report.”

As organizations utilize the cloud to accelerate digital transformation, there must be greater awareness of where potential security risks exist:

  • 49 percent of respondents migrate business critical applications (i.e., ERP, CRM or financial management) into the public cloud
  • 45 percent store customer data subject to regulatory oversight in the public cloud
  • 39 percent use the public cloud for internal development, including DevOps
  • 75 percent rely on the cloud provider’s built-in security, despite half (50 percent) of this number recognizing cloud providers’ built-in security is not sufficient

Privileged access is the greatest cloud security concern

According to the survey, the greatest security concerns in public cloud usage are:

  • Insiders, partners and contractors with privileged access (46 percent)
  • Unauthorized access to cloud management consoles (46 percent)
  • Shared credentials across compute, storage or application instances (44 percent)


The problem becomes critical when unsecured and unmanaged credentials grant privileged access: an attacker who obtains them can escalate privileges and gain elevated access within the cloud infrastructure. According to the survey:

  • A majority of organizations (62 percent) are unaware that credentials, secrets and privileged accounts exist in IaaS and PaaS environments
  • Only 49 percent currently have a privileged access security strategy in place for cloud infrastructure and workloads
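A first step toward knowing which credentials exist in an IaaS or PaaS estate is to look for them in the places they tend to accumulate: credential files, environment scripts, CI configuration and logs. The scanner below is an added example, not CyberArk’s tooling or anything from the survey; the sample input is constructed (the AWS values are the placeholder keys from AWS’s own documentation), and the regular expressions, the placeholder list and the entropy threshold are assumptions chosen for this illustration. It distinguishes long-lived IAM user keys (AKIA prefix) from temporary STS keys (ASIA prefix), since the former are the ones that sit unmanaged for years.

```python
import math
import re
from typing import Dict, List

# Constructed sample input for this example: a credentials file, an env script and a
# log line concatenated. The AWS values are the placeholder keys from AWS's own docs.
SAMPLE_TEXT = """\
# constructed sample, not real credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export DB_PASSWORD=Hunter2-Pr0d!
export LOG_LEVEL=debug
2019-06-27T10:14:02Z INFO session token ASIAQ3XZP5N2KEXAMPLE issued by sts
-----BEGIN RSA PRIVATE KEY-----
password = changeme
"""

# Each pattern yields the candidate secret in group 1. These are assumed, illustrative patterns.
PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    "AWS_SECRET_ACCESS_KEY": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "PASSWORD_ASSIGNMENT": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "PRIVATE_KEY_BLOCK": re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
}
PLACEHOLDERS = {"changeme", "password", "secret", "example", "todo", "xxx"}
MIN_PASSWORD_ENTROPY = 2.5  # bits per character; below this a "password" is almost certainly a placeholder


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, used to discard placeholder-looking passwords."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def redact(value: str) -> str:
    """Keep enough of the token to locate it, never enough to reuse it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with line number and kind."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "PASSWORD_ASSIGNMENT" and (
                    value.lower() in PLACEHOLDERS or shannon_entropy(value) < MIN_PASSWORD_ENTROPY
                ):
                    continue
                # AKIA keys are long-lived IAM user keys; ASIA keys come from STS and expire.
                long_lived = not (kind == "AWS_ACCESS_KEY_ID" and value.startswith("ASIA"))
                findings.append({"line": lineno, "kind": kind,
                                 "value": redact(value), "long_lived": long_lived})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        flag = "long-lived" if f["long_lived"] else "temporary"
        print(f"line {f['line']:>2}: {f['kind']:<22} {f['value']:<16} {flag}")
```

On the sample it reports the access key, the secret key, the database password, the STS key in the log line (marked temporary) and the private-key header, and skips `password = changeme`. Findings carry only a redacted token so the scanner’s own output does not become another place where secrets live; the next step in practice is to map each long-lived key back to the IAM user that owns it and decide whether it should exist at all.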

from Help Net Security https://ift.tt/31WnfQL

Interoperability and security remain critical factors in any smart city deployment

Smart cities are expected to become commonplace, though most respondents think that is still around a decade away, according to a new poll by Wi-SUN Alliance.


Over half of respondents expect to see widespread smart city deployments in 10 or more years, while a third predict 5-10 years. Just 15 per cent expect it in less than 5 years.

However, half cite lack of funds or investment in projects as the biggest challenge currently holding back smart city development. A further 21 per cent point to security and privacy issues, while lack of interoperability (14 per cent) is also seen as a major factor in progressing deployments.

When asked about their specific security concerns, respondents point to data privacy as their biggest worry (37 per cent), while attacks on critical infrastructure (28 per cent) and network vulnerabilities (24 per cent) are also cause for concern. Eleven per cent cite insecure IoT devices.

“It’s interesting to see the timeframe that many of our respondents place on smart city deployment, when in fact smart cities are already here,” according to Phil Beecher, President and CEO of Wi-SUN Alliance.

“Smart lighting is being deployed using canopy mesh networks and is already helping to save operational costs through reduced energy consumption and better reliability. These deployments can be used to improve public safety and for additional services such as intelligent transport systems, smart parking and electric vehicle charging stations.

“As more IoT devices connect to the network, the opportunity for major disruption through security vulnerabilities is increasing all the time, while greater IT/OT (operational technology) convergence, especially in utilities, will increase the risk of attacks on critical infrastructure.”

from Help Net Security https://ift.tt/2FE5psf

PCI SSC unveils two new validation programs for software vendors and assessors

The PCI Security Standards Council (PCI SSC) announced two new validation programs for use by payment software vendors to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data.

Under the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, Software Security Framework Assessors will evaluate vendors and their payment software products against the PCI Secure SLC and Secure Software Standards. PCI SSC will list Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website as a resource for merchants.

PCI SSC is introducing these programs as part of the PCI Software Security Framework (SSF), a collection of standards and programs for the secure design, development and maintenance of existing and future payment software.

The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program and List of Validated Payment Applications when PA-DSS is retired in 2022. During the interim period, the PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now.

Secure SLC Program and Secure Software Program documentation is now available on the PCI SSC website. This includes Program Guides and FAQs, with information on the vendor and payment software validation process, and Qualification Requirements for SSF Assessors.

PCI SSC plans to start accepting applications from assessors by the end of 2019. Training will be available in early 2020, first for Payment Application Qualified Security Assessors (PA-QSA) and QSAs, and then for new assessors. Once SSF Assessors are in place, vendors can begin the validation process for their software lifecycle practices and payment software.

Secure SLC Program

  • Validation to the Secure SLC Standard illustrates that the software vendor has mature secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.
  • Upon successful evaluation by a Secure SLC Assessor, validated software vendors will be recognized on the PCI SSC List of Secure SLC Qualified Vendors.
  • Secure SLC Qualified Vendors will be able to self-attest to delta changes for any of their products that are listed as Validated Payment Software under the Secure Software Program.

Secure Software Program

  • Validation to the Secure Software Standard illustrates that the payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.
  • Initially, this program is specific to payment software products that store, process, or transmit clear-text account data, and are commercially available and developed by the vendor for sale to multiple organizations. As new modules are added to the Secure Software Standard to address other software types, use cases and technologies, the program scope will expand to support them.
  • Upon successful evaluation by a Secure Software Assessor, validated payment software will be recognized on the PCI SSC List of Validated Payment Software, which will replace the current List of PA-DSS Validated Payment Applications when PA-DSS is retired in October 2022. Until then, PCI SSC will continue to maintain the PA-DSS Program and list, which includes honoring existing validation expiration dates and accepting new PA-DSS submissions until June 2021.

“These programs work together with the PCI Secure SLC and Secure Software Standards to help vendors address the security of both their development practices and their payment software products.

“We’re pleased to have the Secure SLC and Secure Software Programs documentation available now as the initial step towards providing the industry with validated listings of trusted payment software vendors and products under the PCI Software Security Framework,” said PCI SSC Chief Operating Officer Mauro Lance.

“In the meantime, PCI SSC recognizes that transitioning from PA-DSS to the Software Security Framework will take time, and we want to reassure PA-DSS vendors, PA-QSAs and users of PA-DSS validated payment applications that the PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled.”

from Help Net Security https://ift.tt/3224hIH

Rambus CryptoManager Root of Trust expansion to address the security needs of applications

Rambus announced the expansion of the CryptoManager Root of Trust family of products, a series of fully programmable, hardware-level secure silicon IP cores to address the security needs of applications including IoT, AI, ML, cloud, government, military and automotive.

CryptoManager cores employ a siloed architecture. They isolate and secure sensitive code, processes, and algorithms from the main processor cores. This mitigates the risk of critical vulnerabilities like the Meltdown and Spectre security flaws.

The CryptoManager Root of Trust is purpose-built for security — it features tailored configurations that allow chip designers to optimize main processors for high performance, while relying on the root of trust to perform security processes.

“Security is a mission critical imperative for SoC designs serving virtually every application space,” said Neeraj Paliwal, vice president of products, cryptography at Rambus. “The Rambus CryptoManager Root of Trust family offers tailored secure silicon IP solutions which chip architects can incorporate to meet the specific security needs of their designs.”

Offering a full array of security services, the CryptoManager Root of Trust enables secure boot and runtime integrity checking, remote authentication and attestation, and hardware acceleration for symmetric and asymmetric cryptographic algorithms.

Featuring a layered security model, Federal Information Processing Standards (FIPS) 140-2 certified crypto accelerators, and multiple roots of trust to support independent privilege levels, the CryptoManager Root of Trust serves a wide range of applications.

The CryptoManager Root of Trust creates a foundation for Rambus’ comprehensive CryptoManager suite of solutions, including the CryptoManager Infrastructure for secure provisioning. For more information on the Rambus CryptoManager Root of Trust family of cores, visit rambus.com/security/cryptomanager-platform/root-of-trust/.

CryptoManager Root of Trust technical details

Within the product family, seven standard configurations address the specific security requirements and certification standards of different end markets. The RT-730 automotive design offers an ISO-26262-2018 ASIL-D-ready implementation, targeting vehicle-to-vehicle and vehicle-to-infrastructure (V2X), advanced driver-assistance systems (ADAS), and infotainment uses.

For cloud, AI and ML accelerator chips, the RT-630 helps secure valuable training models, and training and inference data. For government-focused chip designs, the RT-650 offers a design that targets FIPS 140-2 Cryptographic Module Validation Program (CMVP) certification with Suite B accelerators.

The RT-660 extends the functionality of RT-650 with the addition of Differential Power Analysis resistant cryptographic cores.

The CryptoManager Root of Trust family of products offers an end-to-end security implementation, consisting of a fully synthesizable IP core that anchors trust in silicon.

It includes state-of-the-art crypto accelerators, security firewalls, an entropy source, secure key generation and derivation, secure one-time programmable (OTP) memory management, and a complete secure embedded firmware stack.

The secure firmware stack offers secure boot for the root of trust as well as the SoC CPU(s), communicating securely with the SoC stack and running signed secure applications on the root of trust’s CPU.

A reference SDK allows integrators to build secure boot, secure firmware updates and secure applications, with provided examples and references. Available evaluation boards and QEMU allow chip designers to easily evaluate the CryptoManager Root of Trust and secure applications.

from Help Net Security https://ift.tt/2Jd9y7g

CyberGRX Global Partner Program to accelerate CyberGRX’s expansion into the global market

CyberGRX, provider of the world’s first and largest global cyber risk exchange, announced the launch of the CyberGRX Global Partner Program. Arming partners with an innovative and cost-effective approach to third-party cyber risk management (TPCRM), the CyberGRX Global Partner Program will accelerate CyberGRX’s expansion into the global market and enable the company to scale quickly to meet demand.

Whether a reseller, systems integrator or managed service provider, CyberGRX’s Global Partner Program will help connect organizations around the globe with local, trusted advisors who can deliver on the needs of distinct localities in order to extend the reach and strength of their Exchange.

Designed with four tiers, the program provides channel partners with a strong, guaranteed margin floor and other incentives based on their level of commitment and tier. Additionally, CyberGRX’s partner program features comp neutrality, which supports strong relationships between the internal sales team and partner organizations.

Meanwhile, MSSPs and system integrators benefit by providing their customers with a truly scalable and innovative approach to TPCRM. Together, they will deliver a solution that unites customers and third parties with a dynamic, cost-effective and collaborative approach to TPCRM.

With more than 60% of all breaches linked to a third party, organizations across the globe are looking for solutions to better manage third-party cyber risk. Current TPCRM practices, however, drain human and financial resources while providing limited value in return.

CyberGRX’s innovative approach brings much needed change to TPCRM, uniting organizations and their third parties via a cost-effective and efficient cyber risk exchange.

The CyberGRX Exchange, coupled with dynamic, validated assessments and advanced analytics, helps organizations make informed, data driven decisions to better manage risk in their shared ecosystems while enabling third parties to complete one assessment and share it many times.

To date, CyberGRX has initiated successful partnerships with many influential value-added resellers, consultants and service providers serving North America and international markets. Current partnerships include, but are not limited to, BitSight, Consortium, CriticalStart, Eurofins, IOS, K logix, Optiv, and Tevora.

“Eurofins focuses on developing partnerships that align with our core values, which include helping our customers solve security related business problems and manage cyber risk at acceptable levels.

“In today’s complex business and technology environment, Vendor Risk Management is a top concern, and ensuring supply chain resiliency and security is a critical part of any good business strategy. However, this process can be daunting and inefficient, leading to less than optimal outcomes, which is why we’ve partnered with CyberGRX,” said Sean Walls, Vice President at Eurofins Cyber Security.

Walls adds, “CyberGRX helps reduce the complexity and level of effort associated with managing vendor risk, both internally and externally. Having a trusted third party to manage and validate vendor security saves valuable time, money and effort that our customers can spend proactively on other important initiatives. Eurofins Cyber Security is excited to partner with CyberGRX and looks forward to a successful and impactful relationship.”

The CyberGRX Global Partner Program will be led by newly appointed Director of Channel Development, Walter Specht Jr. Walter brings a wealth of experience, including serving in channel development roles for companies such as Guidance Software (acquired by Opentext), Nuix and BitSight.

“We designed a world-class partner program that offers our partners commitment, support and benefits not available from others in this space,” said Specht.

“Not only will our partners be able to offer their customers a truly innovative and force-multiplying approach to TPCRM, our program also provides our partners with strong margins and other incentives to ensure we are helping them grow their business.”

from Help Net Security https://ift.tt/2XJlzuR

Kount launches new AI-driven solution for transactional fraud prevention

Kount, the leading digital fraud prevention company, announced the next-generation AI-driven solution that changes the way payments fraud prevention is delivered. Kount is the pioneer in using machine learning in transactional fraud prevention, with supervised and unsupervised solutions dating back to the company’s inception over a decade ago.

Kount’s latest advancement creates the closest simulation of the decision process of an experienced fraud analyst, yet in a faster, more accurate, and more scalable manner. Kount’s AI uses both supervised and unsupervised machine learning along with additional calculations to deliver a near-human decision, allowing companies to control business-driven outcomes such as higher revenue, reduced fraud losses, and lower operational costs.

Kount’s AI emulates an experienced fraud analyst by taking into account both historical fraud patterns as well as anomalies. When fraud analysts consider historic data for known fraud patterns, they look at the company’s data and their own experience to identify whether or not the person or transaction can be trusted.

When Kount’s AI considers historic data, it turns to supervised machine learning, which is trained on Kount’s universal data network that includes billions of transactions over 12 years, 6,500 customers, 180+ countries and territories, and multiple payment networks.

Then, fraud analysts look for anomalies—something in a transaction that doesn’t look right. This is where emerging fraud trends are detected. Kount’s AI uses unsupervised machine learning that employs advanced algorithms and models to detect anomalies much faster, more accurately, and on a more scalable basis than human judgment alone.

An experienced fraud analyst weighs the risk and safety of the transaction to make a decision based on the business’ risk tolerance, whether that be controlling chargeback rates, accept or decline rates, or manual reviews.

Kount’s solution allows the analyst to set policies for these thresholds based on a new score: Omniscore. The new enhancement is twice as effective as existing models at detecting payments fraud, while maintaining Kount’s 250 millisecond response time.

“The supervised machine learning aspect of Omniscore reflects the historical experience that seasoned fraud analysts possess, while the unsupervised features simulate the instinct or ‘spidey sense’ of the very best analysts to detect that a new type of attack is underway,” says Tricia Phillips, Kount’s SVP of Product and Strategy.

“More than any other model we’ve seen, Omniscore truly behaves as a human would in the risk assessment of a payment transaction, which is the very definition of artificial intelligence.”

“The next generation of AI in fraud prevention is much more than machine learning – supervised or unsupervised. It is the ability to simulate, augment, and scale the decision process of an experienced fraud analyst to greatly increase the accuracy and effectiveness of fraud prevention and to deliver desired business outcomes,” stated Steven D’Alfonso, Research Director with IDC Financial Insights.

“The ability to quickly identify complex and emerging fraud patterns by Kount’s new AI solution, along with customizable controls for the business, will play an important role in allowing businesses to achieve their financial goals without sacrificing customer experience.”

The next frontier in AI-driven fraud prevention, Kount’s AI quickly and accurately detects existing or emerging, automated, and complex fraud. Kount provides the customizable control companies need to protect against fraud and confidently achieve specific business objectives, such as balancing chargeback rates, decline rates, and operational costs.

from Help Net Security https://ift.tt/2Nf3ssq

Aporeto Cloud Identity Framework to bridge distributed on-premises and AWS workloads

Aporeto, a leader in Identity-Powered Cloud Security, announced the Aporeto Cloud Identity Framework, a suite of identity-based security services that allows consistent policy enforcement between homegrown enterprise applications and Amazon Web Services (AWS) managed services.

This suite continues to expand the Aporeto identity-based security platform, which leverages both user and application identities to manage access to resources and cloud workloads on any infrastructure.

Simplicity for complex identity architectures

The security industry is moving toward using identity to define policies for applications, but there is overwhelming complexity in managing multiple identity sources and identity architectures.

Sprawling identity architectures often include Lightweight Directory Access Protocol (LDAP) and Active Directory services, the adoption of OpenID Connect (OIDC)-compliant identity providers, and AWS Identity and Access Management (IAM).

Aporeto’s identity-based security solution is independent of the infrastructure, thus reducing the burden of managing identities across cloud environments. Aporeto’s solution allows customers to move towards a homogeneous identity for their applications across all infrastructures, making auditing and centralized policy governance more robust with simpler operations.

The Aporeto Cloud Identity Framework includes Distributed Firewall, Cloud Privileged Access Management (PAM), and Identity-Aware Proxy. This suite leverages Aporeto’s identity management capabilities to secure workloads at L3-L7 through mutual authentication and authorization, supporting enterprises as they radically simplify their network infrastructure.

Moreover, this framework offers a full PKI that enables the transparent mTLS encryption of in-flight data, obviating the need for VPN tunnels or private links for traffic on any infrastructure and across the internet.

Because Aporeto’s identity-based access management security solution is not dependent on network constructs, Aporeto’s security posture follows applications no matter where they reside.

“We have invested many years in developing web applications for internal consumption,” said Lucas Tischhauser, Security Architect II, NAIC.

“As we migrate our infrastructure to AWS, we want to have a more cloud-native architecture and implement a Zero Trust security posture without having the burden of rewriting our applications or putting efforts into undifferentiated, but required, security tasks.

The Aporeto Cloud Identity Framework, and in our case, Identity-Aware Proxy, empowered us to migrate more rapidly on AWS while having the best-in-class security posture.”

“The desire to accelerate migration to the cloud is a common goal across our customer base,” said Jason Schmitt, CEO of Aporeto.

“But these objectives are hampered by complex network-based security concerns for both users and applications. Our core competency lies in providing identity-based access control for cloud applications. Our Cloud Identity Framework is a powerful identity-powered security bundle that strengthens security, simplifies operations, and accelerates cloud migration.”

The benefits of the Aporeto Cloud Identity Framework are stronger security, simpler IT operations, and flexibility for enterprise customers as they migrate to the cloud. Features include:

  • Decoupling the identity and authorization system from the infrastructure, making contiguous secure operations across hybrid clouds possible without requiring any application code or architectural changes
  • Easier integration of new or different AWS services with existing enterprise services and assets for seamless operations
  • Improved security posture with a consistent, policy-driven authentication and authorization process for hybrid infrastructure
  • Elimination of secrets management for any application interfacing with Aporeto Cloud Identity Framework
  • Improved adherence to regulatory and internal compliance requirements, making auditing simpler and more bulletproof

“Customers and their security needs are a top priority for AWS,” said Benjamin Andrew, Global Lead, Security & Networking, AWS Marketplace, Amazon Web Services, Inc.

“We know that enterprises have significant investments in their existing applications and services and we are delighted to be working with Aporeto to help our customers continue to extract maximum value from their existing IT assets while they build a more agile, secure, and flexible infrastructure on AWS.”

from Help Net Security https://ift.tt/2ZR6y7l