Brian Pennington

A blog about Cyber Security & Compliance

Top 5 Strategic Infosec issues in Higher Education

The EDUCAUSE infographic of the Top Five strategic information security issues for Higher Education:-

  1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
  2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
  3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
  4. Using risk-management methodologies to identify and address information security priorities.
  5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

The Infographic is below:-

Top 10 technologies for information security and their implications for security organisations in 2014

At the Gartner Security & Risk Management Summit, Gartner highlighted the top 10 technologies for information security and their implications for security organisations in 2014.

“Enterprises are dedicating increasing resources to security and risk. Nevertheless, attacks are increasing in frequency and sophistication. Advanced targeted attacks and security vulnerabilities in software only add to the headaches brought by the disruptiveness of the Nexus of Forces, which brings mobile, cloud, social and big data together to deliver new business opportunities,” said Neil MacDonald, vice president and Gartner Fellow. “With the opportunities of the Nexus come risks. Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk.”

Gartner believes the top 10 technologies for information security are: 

1. Cloud Access Security Brokers

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.

2. Adaptive Access Control

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current conditions, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID access to a range of corporate assets with mixed risk profiles.

3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker’s ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run (“detonate”) executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities, for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

4. Endpoint Detection and Response Solutions

The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops), most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability.

5. Big Data Security Analytics at the Heart of Next-generation Security Platforms

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise’s continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyse. Gartner predicts that by 2020, 40% of enterprises will have established a “security data warehouse” for the storage of this monitoring data to support retrospective analysis. By storing and analysing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of “normal” can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

6. Machine-readable Threat Intelligence, Including Reputation Services

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.

7. Containment and Isolation as a Foundational Security Strategy

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate “air-gapped” system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20% adoption by 2016 from nearly no widespread adoption in 2014.

8. Software-defined Security

“Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. Like networking, compute and storage, the impact on security will be transformational. Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed, it is. However, like software-defined networking, the value and intelligence moves into software.

9. Interactive Application Security Testing

Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the “Internet of Things,” which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement and that will need to be protected and secured.

Most organisations struggle to resolve the effects of a breach

According to IDG research in a CSG Invotas white paper, “Security Automation: Time to Take a Fresh Look”, most organisations struggle to resolve the effects of a breach.

“There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.”

Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

  • 46% of respondents report an average detection time of hours or days
  • 54% report average resolution times of days or months
  • Ongoing management of electronic identities that control access to enterprise, cloud, and mobile resources takes the most time to change or update during a security event
  • A majority of respondents seek ways to reduce response time in order to address risk mitigation, preserve their company’s reputation, and protect customer data
  • 61% of respondents admit they are looking for ways to improve response times to security events
  • 82% of respondents report no decrease in the number of network security events or breaches last year whilst more than a quarter of those surveyed report an increase
  • 60% of IT Security Resources dedicated to protecting the network layer
  • 10% of respondents report they’re able to resolve issues in seconds or minutes; 54% say it takes days, weeks or months
  • 28% of respondents say the number of security events or breaches increased in 2013
  • 24% report that the severity of incidents increased
  • 39% of respondents say they can detect a security breach within seconds or minutes

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.

“It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth.”

A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

The full survey and key findings are available here.

Most European organizations believe using a European cloud is easier from a regulatory and compliance perspective

Perspecsys Infograph from research at InfoSec Europe Conference

Another successful Infosecurity Europe finishes

Considering there was a tube strike I had no problems taking the normal underground route of Victoria and District lines but the North South didn’t seem as affected as East West.

I hadn’t realised until I saw the promotional signs for InfoSec 2015 at Olympia that this is the last time it will be at Earls Court as the building is being demolished and replaced by a retail park with houses and apartments. That is sad as it is a great art deco 1930s building, OK a bit tired but it is a better venue than Olympia.

In the first minute I bumped into a couple of ex-colleagues who were exhibiting but never saw them again over the next 2½ days which serves to demonstrate the size of the event.

I then set off on my marathon walk around and around the stands talking to lots of customers, prospective customers, ex-colleagues and friends resulting in a range of outcomes:-

  • Business opportunities
  • Developed a potentially new service offering
  • Finding out where people are working this year, same person different polo shirt
  • Speaking opportunities where a vendor wishes to educate their prospective customers on PCI, ISO and other standards

The exhibition itself had a different feel, maybe because there were fewer people or maybe because all the big stands had huge screens, like something from Bladerunner, backed by stages and speakers and a small army of table magicians whizzing cards everywhere.

Some of the larger vendors weren’t there but that trend isn’t new with vendors like Cisco and Check Point having missed previous events.

There did seem to be more distributors, resellers and service providers than previous years and the trend of vendors having reseller “pods” continued.

The Innovation and Overseas Pavilions of the USA, France, Israel and Moscow had some innovative solutions on offer although no one ever seemed to man the massive Moscow City stand/pods. 

Overall it was a great event.

The Cost Of Insecurity

It is simple: your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean-up.

Cisco’s Infographic is an interesting turn on the ROI message as it looks at security from the loss prevention angle rather than earnings.

Especially with Data Centre downtime costing on average $336,000 per hour.

100,000 new security threats are identified each day

Is your data secure?  Infographic

Hostwinds have produced a great Infographic on how data is secured. Focused on Google but the processes could be anyone or anywhere.

SMEs are putting larger customers at risk of security breaches

According to Shred-it’s third annual Security Tracker survey, SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures to protect confidential data.

“It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.

The survey reveals SMEs are 10 times less likely to have an information security system set up than is the case with larger businesses.

“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency,” Mr Guice said. “We believe that smaller companies may be over-estimating the costs involved in making sure confidential information is kept safe.”

“Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners,” Mr Guice continued.

There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.

Key findings include

  • 2 in every 5 large businesses suffering a data breach have incurred losses of more than £500,000
  • The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
  • 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%)
  • 48% of SMEs have a nominated person
  • 95% of large businesses have an employee devoted to data protection compared with only 53% of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
  • 33% of senior business executives and only 4% of small business owners use a professional shredding service
  • Large businesses (88%) are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43%).
  • Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92%) than small business owners (72%).
  • With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23%) and small businesses (25%) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
  • Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. 66% of large businesses and 49% of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on it.
