Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Cloud Security

Are British Businesses over confident about the threat of data breaches?

Ilex International have launched their Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels

  • 24% of IT decision makers surveyed very confident
  • 59% fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey the most common weaknesses resulting in a Data Breach were
22% MALWARE VULNERABILITIES
21% EMAIL SECURITY
15% EMPLOYEE EDUCATION
12% CLOUD APPLICATIONS
12% INSIDER THREATS
8% ACCESS CONTROL
8% BYOD OR MOBILE ACCESS
6% NON-COMPLIANCE TO CURRENT REGULATIONS

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Policy problems with cloud Storage revealed by survey

UK companies are placing themselves at risk of cyberattacks and data breaches as a result of rampant use of cloud storage services and unclear or non-existent corporate policies according to research released today by WinMagic Inc. The survey, conducted by CensusWide, of 1,000 office workers in organisations of 50 or more employees revealed widespread, and often unilateral employee use of cloud storage services could be leaving businesses with poor visibility of where their data is stored, placing potentially confidential data at risk.

Key Findings

  • 65% of employees don’t have or don’t know the company policy on cloud storage
  • 1 in 10 employees who use cloud storage services at least once a week have no confidence in the security of their data saved and accessed from the cloud
  • Cloud storage use varies widely – 41% use cloud services at least once a week, whilst 42% never use these services at all
  • 1 in 20 employees who use cloud services at least once a week, do so despite these services being restricted by their company
  • 35% of employees used a company sanctioned service
  • 43% were unaware of their employer’s policy on the use of these services. In addition, of those that use cloud storage at least once a week
  • 50% of respondents use personal equipment to access work information and services at least one a week
  • 47% of employees use company-issued equipment at home at least once a week

Darin Welfare, EMEA VP at WinMagic, said: “This survey highlights the challenge businesses face when managing data security in the cloud. IT teams have had to cede a level of control as employees have greater access to services outside corporate control and this research indicates that IT must take additional steps to protect and control company data in this new technology landscape. The wide range of employee adoption of these services also means an additional layer of complexity when devising corporate policies and education programmes for the use of cloud storage services.”

Employees are increasingly accessing work documents and services outside the office, particularly among regular users of cloud storage. The survey revealed 70% of employees who use cloud storage at least once a week will also use work equipment at home at least once a week, significantly higher than the UK average of 47%.

The WinMagic survey highlights a clear disparity between employee use of cloud services and company IT policy, which suggests that businesses must increase focus on devising clearer security policies and better staff training programmes in order to minimise the risk for the business.

Darin Welfare added: “One of the key steps that any organisation can take to mitigate the risk from the widespread use of unsanctioned cloud services is to ensure that all company data is encrypted before employees have the opportunity to upload to the cloud. In the eventuality that the cloud vendor does not adequately put in place control mechanisms and procedures to ensure security across their infrastructure, sensitive and valuable corporate data is still encrypted and cannot be accessed and understood beyond those who have the right to. This approach provides the company with the assurance that the IT team is in control of the key and management of all company data before any employees turn to cloud storage services.”

“This survey should serve as a wake-up call for IT teams to focus resources on crafting the stringent security policies, and employee education programmes that will help the business stay secure. It also indicates that this is not something that is only down to employee behaviour. Businesses need better training for all staff on the potential dangers of cloud services. Businesses must catch up with the employee cloud revolution or risk potentially catastrophic data loss.”

The full press release can be found here.

In cloud environments, 75% of the security risk can be attributed to just 1% of users

Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Consequently, developing a comprehensive understanding of user behavior and the implications thereof becomes paramount to corporate security strategy.

In analysing user behavior across 10 million users, 1 billion files, and over 91,000 cloud applications, CloudLock surfaced surprising trends.

In this report, Cloudlock examine cloud cybersecurity trends across three primary dimensions: users, collaboration, and applications. The Pareto Principle, the “80/20” rule, holds true across all three dimensions, revealing a truth with surprising implications for security professionals.

Key Findings

Users: 1% of users create 75% of cloud cybersecurity risk, signalling abnormal user behavior whether unintentional or malicious.

  • Collaboration: While organizations on average collaborate with 865 external parties, just 25 of these account for 75% of cloud-based sharing per organization. Unexpectedly, 70% of sharing occurs with non-corporate email addresses security teams have little control over.
  • Apps: 1% of users represent 62% of all app installs in the cloud – a high concentration. Without security awareness, this small user base introduces a high volume of risk. Additionally, 52,000 installs of applications are conducted by highly privileged users – a number that should be zero given privileged accounts are highly coveted by malicious cybercriminals.

4 Actionable Takeaways for a more secure cloud environment

The findings of this report show disproportionate cloud cybersecurity risk across users, collaboration, and applications. Consider the four following risk remediation strategies.

1. Focus on the User Behavior

Focusing on the riskiest subset of users, security professionals can efficiently and dramatically reduce risk. Any abnormal behavior by data-dense and risky users should be prioritized providing the security team with valuable direction on what truly requires attention and resolution immediately.

2. Focus Security on Organizations You Collaborate With Most

Given that, on average, 75% of inter-organizational sharing is with 25 external organizations, focus on the frequent collaborative organizations to eliminate the bulk of risk, then address the long tail of remaining organizations.

3. Take Application Security beyond Discovery

Discovering third-party applications that reside on the network is only the tip of the iceberg. Elevate your security game beyond app discovery through enforcement capabilities, policy-driven app control, and end-user education. If users are blocked, they will find a way around.

4. Correlate Insights Across Cloud Environments

With multi-cloud intelligence, security teams can correlate security events across platforms, preventing cybercriminal exploits from slipping through the cracks. Consider an individual logging into Salesforce in San Francisco and ServiceNow in Kuala Lumpur using the same credentials simultaneously, indicating account compromise. Avoid point security solutions in favor of platforms offering multi-cloud insights across not only SaaS applications, but also laaS, PaaS, and IDaaS environments.

Reaching the Cloud Era in the European Union

The ‘EU28 Cloud Security Conference: “Reaching the Cloud Era in the European Union” brought to the foreground the current cloud landscape. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.

During the conference the important role of cloud computing was acknowledged for the development of the digital economy in Europe. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users’ concerns on cloud security are still the main barrier to the adoption of cloud services in Europe.

Key conclusions highlight that:

  • There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions to providers and understand where their responsibilities lay, and SMEs understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture should be nourished applicable to all. Transparency of cloud services must be improved by the implementation of continuous monitoring mechanisms, increasing accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based information sharing of incidents within the industry sectors, will also enable collaborative information security able to respond quickly to the changing cybersecurity landscape.
  • There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework co-regulatory and self-regulatory initiatives should be supported, and create technology-neutral legal guidelines and obligations based on principles, to allow for flexible solutions. Europe-wide solutions should be encouraged.
  • Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.
  • Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.
  • Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.
  • As cloud usage for critical sectors is increasing there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.

Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.

Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:-
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
5. SAP ERP
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:-
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their  colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches 

However, if asked by a third party to email a client or supplier’s personal details outside of the company,  56% said they wouldn’t and 19% said they would check with their boss before doing so. Although 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist, Graham Harris, explained: When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are and reassure them about what to do in the event of a problem

confidential

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management 

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

Enterprises have more than 2,000 unsafe mobile apps installed on employee devices

Veracode has released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments across various industries including financial services, media, manufacturing and telecommunications Veracode found 14,000 unsafe applications of which:

  • 85% expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
  • 37% perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
  • 35% retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

According to Gartner,

Through 2015, more than 75% of mobile applications will fail basic security tests.”  At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices.  Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem.  As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.

Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO. “Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments

Cloud usage is extending the perimeter of most organisations

CloudLock have produced an interesting report on how the use of the cloud and apps has extending the perimeter of most organisations.

CloudLock Executive Summary

The adoption of public cloud applications continues to accelerate for both organizations and individuals at an exponential rate, evidenced across the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications.

The rapid surge of accounts, files, and applications presents increased risk in the form of an extended data perimeter. The adoption of cloud applications has significantly increased the threat surface for cyber attacks. Faced with this massive growth and the elevated risk, security professionals are looking to enable their organizations to embrace and leverage the benefits of cloud technologies while remaining secure and compliant.

Sensitive data is moving to the cloud, beyond the protection of your perimeter controls. As this occurs ,the amount of data, and, most importantly, the amount of sensitive or ‘toxic’ data the enterprise stores in these Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (laaS) platforms is increasing by the day – and regardless of its locations, S&R pros still need to protect it effectively.” Forrester Research (2015, March) Market Overview: Cloud Data Protection Solutions

Cloudlock key findingsOther findings

  • 100,000 files per organization that represent risk. Number of files per organization stored in public cloud applications that violate corporate data security policy, amplifying the danger of exposing sensitive information.
  • 4,000 files per organization contain passwords. Number of files per organization stored in public cloud applications containing credentials to corporate systems, inviting cybercriminals to hijack corporate SaaS environments.
  • 1 in 4 employees violating security policies. Number of employees that violate corporate data security policy in public cloud applications, opening organizations to risk of data breach and compliance concerns.
  • 45,000 third-party apps installs conducted by privileged users. Third-party cloud applications with access to privileged users accounts significantly elevates organizational risk.
  • 12% of an organizations files are sensitive/Violate a policy
  • 65% of Security Teams Care about what type of sensitive data is exposes
  • 35% care about how/where it is exposed
  • 70% of corporate cloud based external collaboration occurs with non-corporate entities
  • 77,000 Third Party cloud Apps that touch corporate systems
  • 4x increase in the number of third-party applications enabled per organization, from 130 to 475. The total number of unique third-party cloud apps ballooned to 77,000, amounting to 2.5 million installs
  • 2% growth in third-party SaaS application installations performed by privileged users (administrators and super admins)

Information that organizations worry about most includes:

  • 59% Intellectual Property and Confidential Information
  • 19% PCI DSS data
  • 13% PII data e.g. social security numbers
  • 5% Objectionable content for CIPA compliance- e.g. curse words, harassment
  • 4% PHI/healthcare related data such as medical conditions, prescription drug terminology, patient identification numbers or Compliance

CloudLock Methodology

Cloudlock bases findings on anonymized usage data over 2014 and 2015

  • 77,500+ Apps
  • 750Million Files
  • 6 Million Users

The full report can be found here.

Cloud Security: What Higher Education Needs to Know

Cloud Security: What Higher Education Needs to Know
Cloud Security: What Higher Education Needs to Know
by Ellucian

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: