<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://instituteforadvancedsecurity.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Expert Blogs</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/default.aspx</link><description>A blog where security experts share their knowledge and experiences. </description><dc:language>en-US</dc:language><generator>6.x Production</generator><item><title>Blog Post: Creating a secure online environment in the workplace, online, and at home</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/glen_gooding/archive/2013/05/16/creating-a-secure-online-environment-in-the-workplace-online-and-at-home.aspx</link><pubDate>Thu, 16 May 2013 14:30:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:344</guid><dc:creator>Glen Gooding</dc:creator><description>&lt;p&gt;This week is National Cyber Security Week in Australia, an annual Government initiative that is held in partnership with industry, community and consumer organisations and all levels of government. The aim of awareness week is to help Australians using the internet &amp;ndash; whether at home, the workplace or school &amp;ndash; understand the simple steps they can take to protect their personal and financial information online.&lt;/p&gt;  &lt;p&gt;Regardless of what hemisphere you reside in, technology can help organizations protect their critical data. &amp;nbsp;However, one area where it cannot, by itself, provide a secure environment is you, the human sitting between the chair and the keyboard. 
&amp;nbsp;&lt;/p&gt;  &lt;p&gt;As the &amp;quot;1800 hotline support&amp;quot; for my family and friends, I have compiled a list of security &amp;quot;to-dos&amp;quot; to better protect your work and home online presence.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;1. Tablets/Smartphones&lt;/b&gt; &lt;br /&gt; Set a password, full stop! &amp;nbsp;Preferably choose an alphanumeric password rather than the standard 4-digit PIN. &amp;nbsp;A lost phone with no password, or with the default password, can expose a lot of personal and private information about you. &amp;nbsp;Voice mail, Facebook, email, contact lists, work files, password files, notes, photos, VPN access, work collaboration sites and bank account access are all available to the person who picks up your phone/tablet. &amp;nbsp;Set auto-lock on your device so that it locks after a short idle period.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;2. Social media protection&lt;/b&gt; &lt;br /&gt; Many of the default settings for social media are designed for ease of use and therefore do not enable the important privacy and security settings. &amp;nbsp;Take the time to learn what your settings are and be diligent in setting some of the more critical options. With over a billion potential friends out there, not all are friendly. &amp;nbsp;Enforcing SSL/TLS encryption (https) for the whole session is a good start: you don&amp;#39;t want anyone on a public wifi network (read more later) sniffing your password as you type it in, or your session cookie afterwards. &amp;nbsp;Tighten your privacy settings to allow only friends (or at most friends of friends) to view your posts, photos, timeline, etc. &amp;nbsp;There are many sites that provide suggestions on locking down your online social presence; a simple Google search will point you in the right direction.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;3. Tweets and SMSs from the vast unwashed&lt;/b&gt; &lt;br /&gt; Take the extra second to breathe before clicking on that unknown Twitter follower&amp;#39;s post, or that link in an SMS from an unknown number. 
&amp;nbsp;Many of these links are shortened, so you don&amp;#39;t know where they are taking you or, more importantly, what has just been downloaded to your device. &amp;nbsp;If you don&amp;#39;t know the sender, ditch it.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;4. Public Wifi&lt;/b&gt; &lt;br /&gt; Use with caution! &amp;nbsp;Quite often you are so excited to find a public Wifi that doesn&amp;#39;t require a password or any payment that you readily connect to it and start emailing, tweeting, facebooking, etc. &amp;nbsp;Think about who owns the network you have just connected to: the operator, and anyone else on the same open network, can see everything you send unencrypted, including passwords entered, usernames used and the sites you connect to. Only traffic protected by HTTPS or a VPN is shielded from them. &amp;nbsp;A network trace of your first few minutes on the internet can expose a lot about you that could be used for online identity theft.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;5. Multiple passwords for multiple personas&lt;/b&gt; &lt;br /&gt; In our busy online life we assume multiple personas. &amp;nbsp;Keep a different password for each of those personas. &amp;nbsp;At IBM we are fortunate that we have one id and password to remember to access most of our work related sites. &amp;nbsp;We are also encouraged to change our passwords every 90 days, keep passwords fairly complex and not reuse them. &amp;nbsp;Maintain a layered password approach: a simple, easy to remember phrase for the many online sites that wouldn&amp;#39;t cause much grief if compromised; a more complex one for sites that, if discovered, provide a means to your private details; and finally as strong a password as you can get for your online financial transactions. &amp;nbsp;Importantly, in your non-work personas, try to stick with the same regime of password change, complexity, etc., that your organization instils for your work IDs.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;6. 
Emails from (strangers acting as) friends asking for help&lt;/b&gt; &lt;br /&gt; Many phishing scams involve compromising a friend&amp;#39;s account, then mass mailing all of their contacts. &amp;nbsp;The mail often asks you to click on a link to provide help, send money or open an attachment. &amp;nbsp;These can be written in a way that makes it tempting to click through to read more. &amp;nbsp;Stop for a moment and think about the implications of opening the link or the attachment. &amp;nbsp;If it doesn&amp;#39;t sound like something your friend, or a friend of a friend, would send, don&amp;#39;t click it; if you are unsure, confirm with them through another channel, such as a phone call. &amp;nbsp;Report the mail as spam, then delete it completely.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;7. Secure your home Wifi&lt;/b&gt; &lt;br /&gt; Your internet provider will ship standard comms equipment to your home, configured with the standard default settings. &amp;nbsp;You should change a number of these. &amp;nbsp;A couple of no-brainers right up front: &amp;nbsp;change the default admin password; change the SSID; enable encryption, choosing WPA2 with a strong pre-shared key (PSK) and avoiding WEP, which is broken and can be cracked in minutes; and, if you like, disable SSID broadcasting, bearing in mind that a hidden SSID is a minor obstacle at best and no substitute for WPA2.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;8. Software updates&lt;/b&gt; &lt;br /&gt; Don&amp;#39;t delay the annoying reminders to update your software: anti-virus signatures, operating systems, Java, applications such as Adobe&amp;#39;s, etc. &amp;nbsp;Once upon a time these updates were mostly about new features and functions, but nowadays they are mostly security patches for vulnerabilities that attackers have found. &amp;nbsp;Many times we click the &amp;#39;Remind me Later&amp;#39; option, but in doing so we leave ourselves and our systems vulnerable to outside attack.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;9. &amp;nbsp;Online browser popup ads&lt;/b&gt; &lt;br /&gt; Simple rule with these: click the close button. Get rid of them. 
&amp;nbsp;Even better, use the keyboard shortcut to close the browser window or tab (CTRL-W on Windows, CMD-W on a Mac) rather than clicking anything inside the popup, since the &amp;quot;close&amp;quot; button drawn in the ad may itself be a link. &amp;nbsp;Even if they look like operating system or application updates, anything offered to you in a browser window is more than likely not a genuine update and in many cases will be malicious code, such as a keystroke logger.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;10. Build education into your organization&amp;rsquo;s social computing guidelines&lt;/b&gt; &lt;br /&gt; Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise. Read more about how IBM is building education and guidance into the fabric of the enterprise&amp;rsquo;s social media strategy to leverage the opportunities and risks of the digital world in &lt;a href="http://instituteforadvancedsecurity.com/content-library/m/public_files/228.aspx"&gt;Security Essentials for CIOs: Navigating the Risks and Rewards of Social Media&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Blog Post: Prepping College Kids for a Career in Cybersecurity</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/institute_for_advanced_security/archive/2013/05/15/prepping-college-kids-for-a-career-in-cybersecurity.aspx</link><pubDate>Wed, 15 May 2013 12:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:343</guid><dc:creator>Institute for Advanced Security</dc:creator><description>&lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/5430.lauriewilliams.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/100x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/5430.lauriewilliams.jpg" 
style="float:left;margin:0px 10px 5px 0px;" alt=" " /&gt;&lt;/a&gt;This blog was originally posted on &lt;a href="http://instituteforadvancedsecurity.com/controlpanel/blogs/posteditor.aspx/asmarterplanet.com" target="_blank"&gt;asmarterplanet.com&lt;/a&gt; by Laurie Williams.&amp;nbsp;&lt;span style="font-size:12px;"&gt;Laurie Williams is a Professor in the&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.csc.ncsu.edu/" style="font-size:12px;"&gt;Computer Science Department&lt;/a&gt;&lt;span style="font-size:12px;"&gt;&amp;nbsp;of the&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.engr.ncsu.edu/" style="font-size:12px;"&gt;College of Engineering&lt;/a&gt;&lt;span style="font-size:12px;"&gt;&amp;nbsp;at North Carolina State University (NCSU). Her research focuses on software security particularly in relation to healthcare IT; agile software development practices and processes; software reliability, software testing and analysis; open source software development; and broadening participation and increasing retention in computer science. Laurie has more than 170 refereed publications.&amp;nbsp;&lt;/span&gt;&lt;span style="font-size:12px;"&gt;Laurie received her Ph.D. 
in&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.cs.utah.edu/" style="font-size:12px;"&gt;Computer Science from the University of Utah&lt;/a&gt;&lt;span style="font-size:12px;"&gt;, her MBA from&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.fuqua.duke.edu/" style="font-size:12px;"&gt;Duke University Fuqua School of Business&lt;/a&gt;&lt;span style="font-size:12px;"&gt;, and her BS in&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.lehigh.edu/ise/" style="font-size:12px;"&gt;Industrial Engineering from Lehigh University&lt;/a&gt;.&amp;nbsp;&lt;span style="font-size:12px;"&gt;She worked for IBM Corporation for nine years in Raleigh, NC and Research Triangle Park, NC before returning to academia.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;According to a recent&amp;nbsp;&lt;a href="http://public.dhe.ibm.com/common/ssi/ecm/en/xie12346usen/XIE12346USEN.PDF"&gt;IBM Tech Trends report&lt;/a&gt;, both educators and students view security as extremely important. In fact, 56 percent of students and 44 percent of educators ranked it as one of the top three issues the IT industry will face over the next two years. In addition, a&amp;nbsp;&lt;a href="http://www.nao.org.uk/wp-content/uploads/2013/03/Cyber-security-Full-report.pdf"&gt;UK government report&lt;/a&gt;&amp;nbsp;said that it may take 20 years to address the current cybersecurity skills gaps.&lt;/p&gt;  &lt;p&gt;To help change that, North Carolina State University is partnering with IBM to better prepare the next generation of engineers with a secure-by-design focus and curriculum.&lt;/p&gt;  &lt;p&gt;Why dedicate so many resources to building cybersecurity skills? The world operates with interconnected systems, and as technology progresses these systems will only proliferate. 
The linchpin to success in securing these systems is in the design stage &amp;ndash; not at the end of the process.&lt;/p&gt;  &lt;p&gt;At&amp;nbsp;&lt;a href="http://collaboration.csc.ncsu.edu/laurie/"&gt;North Carolina State University&lt;/a&gt;, my students are focusing on healthcare systems, specifically building and analyzing electronic medical record applications. The students leverage&amp;nbsp;&lt;a href="http://www-03.ibm.com/software/products/us/en/appscan/"&gt;IBM AppScan&lt;/a&gt;&amp;nbsp;to test these applications for potential vulnerabilities. Critical cyber systems must inspire trust and confidence. They must predictably protect the integrity of data and resources as well as the privacy of data owners, and perform securely, safely, and reliably.&lt;span id="more-25178"&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;Earlier this year, I had the opportunity to collaborate with IBM researchers to identify &lt;a href="http://www.ibm.com/developerworks/security/library/se-education/index.html"&gt;common themes and pinpoint some of the major challenges academic institutions are facing&lt;/a&gt;&amp;nbsp;in relation to building next generation cybersecurity skills. Four common trends were identified:&lt;/p&gt;  &lt;p&gt;1.)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;b&gt;Information security is increasing in relevance&lt;/b&gt;. No longer just a highly-specialized area, information security impacts people every day. It has become personal in an interconnected world that&amp;rsquo;s reliant upon smart phones, social media, e-commerce and cloud services.&lt;/p&gt;  &lt;p&gt;2.)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;b&gt;Increasing attention and demand from students, private industry and government agencies&lt;/b&gt;. More and more industries, from banks and financial services companies to aerospace and defense firms, as well as healthcare providers, are seeking graduates with specialized security skills. 
Training an expert cybersecurity workforce is now a national priority for many countries.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://asmarterplanet.com/files/2013/05/SP-NC-State.jpg" class="fancybox" rel="gallery"&gt;&lt;img alt="SP NC State" src="http://asmarterplanet.com/files/2013/05/SP-NC-State.jpg" width="400" height="315" style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;3.)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;b&gt;The field of cybersecurity has significantly expanded with more domains to secure and more ways to attack&lt;/b&gt;. This means more to teach and to learn. Today, attacks are extremely hard to detect; attackers are stealthier and more evasive. In response, academic programs are expanding beyond traditional areas like cryptography and countering sniffing and denial of service attacks. Cybersecurity education now covers new areas like cyber-physical attacks, the protection of heterogeneous systems and real-time security data analysis.&lt;/p&gt;  &lt;p&gt;4.)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;b&gt;Academic programs are evolving from teaching purely the principles and theory of security to focus more on the practices&lt;/b&gt;. 
This is largely driven by the demands of industry and governments, as well as by students who want to focus more on real-world problems and practical challenges.&lt;/p&gt;  &lt;p&gt;While these may be the four common themes we identified, in reality it will take all of us to create a more secure future.&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;Read the &lt;a href="http://asmarterplanet.com/blog/2013/05/prepping.html" target="_blank"&gt;original article here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;</description></item><item><title>Blog Post: The Congruence Model for Security</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/institute_for_advanced_security/archive/2013/05/14/the-congruence-model-for-security.aspx</link><pubDate>Tue, 14 May 2013 14:25:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:342</guid><dc:creator>Institute for Advanced Security</dc:creator><description>&lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/2148.javed.jpg"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/2148.javed.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/100x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/2148.javed.jpg" style="float:right;" alt=" " /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;This post was written by Javed Shah for &lt;a href="http://expert-tech.blogspot.com/"&gt;http://expert-tech.blogspot.com&lt;/a&gt;.&amp;nbsp;Javed Shah is a Practice Director for Security at Prolifics with more than 12 years experience in identity and access management architectures. 
He has broad exposure developing identity and access management solutions, and system software components that deliver reliable data security, web enablement and user lifecycle management services to customers. Before joining Prolifics, Javed founded and ran a professional services company in India for 6 years. Spanning over a decade, Javed has led identity management projects to successful exits at Nestle, University of California San Francisco, Kaiser Permanente, ABM Industries, BRE Properties, UPS, Tampa General Hospital and E*TRADE Bank. He was also the leader of the ITIM Level 3 defect resolution and analysis team in India where he was responsible for handling all customer defects for North America and Asia. Javed holds a Bachelor&amp;rsquo;s degree in Computer Science, a Certificate in Implementing and Managing an Enterprise Architecture using the Zachman Framework and the CISSP certification. He is also currently pursuing an MBA from the Haas School of Business, University of California Berkeley.&lt;/p&gt;  &lt;p&gt;&lt;span&gt;In the management literature (Tushman &amp;amp; O&amp;#39;Reilly), congruence-based problem solving is a method to quickly and accurately identify the root cause of performance or opportunity gaps. In the context of security architecture, the congruence model can be applied to creating comprehensive security assessments for an organization. The model emphasizes analysis of the relationships among four core components of an organization (shown in the graphic below), also called the building blocks, whose alignment is the focus of congruent security architecture techniques. 
The goal is to leverage the relationships and interactions between those core components to reveal the underlying security posture of an organization.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;  &lt;div class="separator"&gt;&lt;a href="http://3.bp.blogspot.com/-h8BDzGajoEE/URu6NHyf1BI/AAAAAAAAAiw/xpbWeVM_K9U/s1600/pulse1.png"&gt;&lt;img border="0" height="279" src="http://3.bp.blogspot.com/-h8BDzGajoEE/URu6NHyf1BI/AAAAAAAAAiw/xpbWeVM_K9U/s320/pulse1.png" width="320" style="display:block;margin-left:auto;margin-right:auto;" alt=" " /&gt;&lt;/a&gt;&lt;/div&gt;  &lt;p&gt;&lt;br /&gt;&lt;span&gt;Each congruence relation is important in forming organizational diagnoses that help us understand the current state of security in the enterprise, and the causes of the vulnerabilities. Analyzing these relations tends to define the political map and how the players tend to navigate it. It helps identify organizational behaviors that are helpful, neutral or detrimental to the security architecture initiative.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;Analyzing the following three alignments using an appropriate &amp;quot;congruence questionnaire&amp;quot; is crucial to determining the security posture of the enterprise.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Task and People Congruence Relation:&lt;/b&gt;&lt;/p&gt;  &lt;ol&gt;  &lt;li&gt;Do people have the required competencies to perform the critical tasks that ensure safety of data and process?&lt;/li&gt;  &lt;li&gt;To what extent do the skills, abilities and motives of today&amp;rsquo;s human resources fit with security planning, architecture formulation and implementation requirements?&lt;/li&gt;  &lt;/ol&gt;  &lt;p&gt;&lt;span&gt;Identification goals: task-human resource inconsistencies that inhibit the ability to execute on security strategy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Task and Formal Organization Relation:&lt;/b&gt;&lt;/p&gt;  &lt;ol&gt;  &lt;li&gt;Do the formal linking mechanisms 
between units facilitate security task integration, security team building and agility from a product delivery perspective?&lt;/li&gt;  &lt;li&gt;Is there a company-wide vision for security and a strategy for addressing regulations, audit and security breaches?&lt;/li&gt;  &lt;/ol&gt;  &lt;p&gt;&lt;span&gt;Identification goals: task-structure inconsistencies that inhibit the integration among strategic business units (SBUs) needed to deliver a comprehensive security solution.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Task and Culture Relation:&lt;/b&gt;&lt;/p&gt;  &lt;ol&gt;  &lt;li&gt;Does the existing culture energize the accomplishment of critical tasks?&lt;/li&gt;  &lt;li&gt;Do the informal communication network and the informal distribution of power help get the work done?&lt;/li&gt;  &lt;li&gt;Is there a reluctance to take action? Is there reliance on being told what to do?&lt;/li&gt;  &lt;/ol&gt;  &lt;p&gt;&lt;span&gt;Identification goals: culture-task inconsistencies that drag performance down and inhibit consensus on security goals.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span&gt;This due-diligence analysis can help identify the need for managers and their teams to realign the formal structures, people processes and cultural aspects of their organization with the critical tasks necessary to achieve the overall security vision. 
Managers and their teams should learn from this process, and even re-initiate the process iteratively within their own SBUs if necessary.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;You can read the original post &lt;a href="http://expert-tech.blogspot.com/2013/02/the-congruence-model-for-security.html" target="_blank"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;</description></item><item><title>Blog Post: Cybersecurity Education: The struggle to develop the future workforce</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/05/13/cybersecurity-education-the-struggle-to-develop-the-future-workforce.aspx</link><pubDate>Mon, 13 May 2013 12:30:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:341</guid><dc:creator>David Jarvis</dc:creator><description>&lt;p&gt;This blog was originally posted on IBM.com.&lt;/p&gt;  &lt;p dir="ltr"&gt;Sometimes time and space conspire to create an opportunity that you&amp;nbsp;weren&amp;#39;t&amp;nbsp;expecting. That was the case for me last week. Near where I live, the University of Rhode Island (URI) hosted their third&amp;nbsp;&lt;strong&gt;&lt;a href="http://www.cybersecurity2013.uri.edu/agenda.php" target="_blank"&gt;Cybersecurity Symposium&lt;/a&gt;&amp;nbsp;&lt;/strong&gt;on education and workforce development. Speakers included the entire Rhode Island Congressional delegation, the director of the U.S. Defense Intelligence Agency, the CIO for the U.S. Department of Defense and a number of industry practitioners, including IBM&amp;rsquo;s VP for Cyber Security Innovation Marisa Viveros. Marisa was the co-author of the paper that we recently published on leading practices for cybersecurity education.&lt;br /&gt;&lt;br /&gt;The symposium was open to the public and students, had over 400 attendees, and flew at a fairly high level. 
There were some excellent takeaways and parallels to&amp;nbsp;&lt;a href="http://www.ibm.com/smarterplanet/us/en/centerforappliedinsights/article/cybersecurity.html" target="_blank"&gt;&lt;strong&gt;IBM&amp;rsquo;s&amp;nbsp;recent&amp;nbsp;research&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;with respect to cybersecurity skills and education. The Congressional delegation, which included Sen. Whitehouse, Sen. Reed, Rep. Langevin and Rep. Cicilline, each emphasized different areas of the cybersecurity challenge. This included improving public awareness, the national security implications of the rapidly changing cyber threat, the difficulties with law enforcement, and the need to protect our privacy, civil rights and liberties.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;a href="http://www.dia.mil/about/leadership/director.html" target="_blank"&gt;Lieutenant&amp;nbsp;General&amp;nbsp;Flynn&lt;/a&gt;&amp;nbsp;&lt;/strong&gt;of the U.S. Defense Intelligence Agency (and URI alum) was a very engaging speaker and talked about the &amp;ldquo;invisible war&amp;rdquo; that is currently being waged in cyberspace. He highlighted the profound transition U.S. security is currently going through &amp;ndash; caused by population, economic and technology shifts &amp;ndash; which require new ways of thinking. To fight this invisible war, he said that for every person currently working in cybersecurity today, we need a staggering twenty-eight more. He also repeatedly talked about the generational issues involved in cybersecurity and that real rules and discipline have yet to emerge on the international stage. 
He advocated something akin to the&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/United_Nations_Convention_on_the_Law_of_the_Sea" target="_blank"&gt;&lt;strong&gt;&amp;ldquo;law&amp;nbsp;of&amp;nbsp;the&amp;nbsp;sea&amp;rdquo;&lt;/strong&gt;&lt;/a&gt;, but for the cyber domain.&lt;br /&gt;&lt;br /&gt;The business and industry panel included speakers from Google, IBM, Dell SecureWorks, CVS and Fidelity Investments and was much more open and conversational. They all brought their perspectives &amp;ndash; whether providing information security or managing it for their organizations. There was a lot of discussion about how to break into the field of cybersecurity, what skills to have, what courses to take, and career paths. Stephan Somogyi, from Google, talked about the need to educate everyone on&amp;nbsp;&lt;a href="http://www.google.com/goodtoknow/" target="_blank"&gt;&lt;strong&gt;digital&amp;nbsp;hygiene&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;and focusing education on the basics of computer science. He said that you have to have a passion for security, it is a calling. If you have that, you can come from any field. Jeff Shilling, from Dell, talked about the incredible need for security technicians, those with hands-on skills. He has enough security managers, what he needs are those that can do the work (he agreed with Lt. Gen. Flynn&amp;rsquo;s assessment).&lt;br /&gt;&lt;br /&gt;A lot of the themes from the day echoed what we recommended through our research. Local and national collaboration was evident with the diversity of speakers and the support from the entire university, the Congressional delegation, the military and industry. The importance of awareness was highlighted over and over. 
URI is working on innovative ways to provide hands-on experience for students through a low-cost&amp;nbsp;&lt;a href="http://dfcsc.uri.edu/research/occp" target="_blank"&gt;&lt;strong&gt;Open&amp;nbsp;Cyber&amp;nbsp;Challenge&amp;nbsp;Platform&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;they are developing. The need for improving non-technical cybersecurity academic programs for business and policy leaders was highlighted in&amp;nbsp;&lt;strong&gt;&lt;a href="http://pellcenter.salvereginablogs.com/one-leader-at-a-time-study/?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=one-leader-at-a-time-study"&gt;a&amp;nbsp;new&amp;nbsp;study&lt;/a&gt;&amp;nbsp;&lt;/strong&gt;from the Pell Center for International Relations and Public Policy.&lt;/p&gt;  &lt;p dir="ltr"&gt;This was a very valuable event, and I hope that it continues on an annual basis. Even though it was to raise local awareness and promote URI and its computer science program, it could stand to have increased global participation in the next iteration &amp;ndash; which was one of our key findings.&lt;/p&gt;  &lt;p dir="ltr"&gt;&lt;/p&gt;  &lt;p dir="ltr"&gt;Read the original post &lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/cybersecurity_education_the_struggle_to_develop_the_future_workforce?lang=en_us" target="_blank"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;</description></item><item><title>Blog Post: Don't Get Me Started: FUD</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/chris_poulin/archive/2013/05/03/don-39-t-get-me-started-fud.aspx</link><pubDate>Fri, 03 May 2013 12:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:340</guid><dc:creator>ChrisP</dc:creator><description>&lt;p&gt;Presentations about the information security industry can be motivating or they can be boring, but one emotion they should not elicit is fear. 
We do not need one more talking head lecturing us through a stern look about the dire state of security.&lt;/p&gt;  &lt;p&gt;They start with statistics meant to scare us:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;&amp;quot;90% of organizations we polled have suffered a system breach in the last year.&amp;quot;&lt;/li&gt;  &lt;li&gt;&amp;ldquo;$21 billion worth of electronic health information was stolen in the last three years.&amp;rdquo;&lt;/li&gt;  &lt;li&gt;&amp;quot;50% of organizations say they have no formal incident response plan.&amp;rdquo;&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;Now statistics are fine, but only when placed in context, which means talking about what&amp;rsquo;s working as well as what&amp;rsquo;s not. That&amp;rsquo;s not usually the arc of the dialog. It continues as the ersatz persuader piles on qualitative statements, like &amp;ldquo;we&amp;rsquo;re losing the battle to hackers&amp;rdquo;, or &amp;quot;APTs are unstoppable&amp;quot;.&lt;/p&gt;  &lt;p&gt;Fear is good for controlling people and selling snake oil. Which is the next step in the pitch: buy my product or service and I&amp;rsquo;ll take away your pain. Just as with traveling medicine shows, a single product will not solve the problems of the world. So stop insulting us, elixir peddlers; you&amp;rsquo;d do better to have an honest conversation without the hyperbole.&lt;/p&gt;  &lt;p&gt;That&amp;rsquo;s not to say we&amp;nbsp;shouldn&amp;#39;t&amp;nbsp;discuss the dangers of doing business in the information age. A healthy exchange of experiences helps us all to assimilate the threats and formulate a strategy to detect, defend, and respond. Anyone in this industry who&amp;rsquo;s progressed beyond the crawling stage understands that information security is complicated and requires a program to effectively stand against the varied challenges like APTs, DDoS, malicious and accidental insider actions, BYOD, and cloud.&lt;/p&gt;  &lt;p&gt;So I implore you, Mr. and Ms. 
presenter: please look over your decks and ask yourself whether you&amp;rsquo;re giving a balanced view of the threatscape and how you fit into the security ecosystem, or are you just trying to scare us into buying your product? And for those of you on the other side of the podium or conference table, practice your critical thinking skills and don&amp;rsquo;t get led by emotions. Chipmunks squeak and scurry randomly with their tails in the air at every vaguely threatening sound, often into the path of an oncoming car. Don&amp;rsquo;t end up an orange and black striped road pancake.&lt;/p&gt;</description></item><item><title>Blog Post: Near Field Communication (NFC): Mobile Payment Confidence?</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/tim-appleby/archive/2013/04/30/near-field-communication-nfc-mobile-payment-confidence.aspx</link><pubDate>Tue, 30 Apr 2013 14:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:338</guid><description>&lt;p&gt;NFC or Near Field Communication is a standard that defines the exchange of data between two devices in close proximity.&amp;nbsp; For NFC enabled smartphones, that means consumers can replace their credit and debit cards with an electronic wallet.&amp;nbsp; Besides payment transactions, the technology has a wide variety of applications that it&amp;rsquo;s suitable for:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;&lt;strong&gt;Access:&lt;/strong&gt; Electronic identity &amp;amp; Physical Access control&lt;/li&gt;  &lt;li&gt;&lt;strong&gt;Transactions:&lt;/strong&gt; Store Transportation passes, Electronic Payments&lt;/li&gt;  &lt;li&gt;&lt;strong&gt;Information:&lt;/strong&gt; Store Personal information, View Product information, Receive discounts, Swap Media&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;How vulnerable is the technology?&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;NFC is inherently secure for mobile payment since transactions can only take place 
within roughly 4 cm, making it uncomfortably close for an attacker to &amp;lsquo;skim&amp;rsquo; information. And since the NFC chip has to be queried by a reader, any encrypted credit card information stored on your smartphone can only be accessed when it&amp;rsquo;s activated at an NFC POS terminal or similar device.&amp;nbsp; A strong password on the phone adds an extra layer of protection against unwanted access to a stolen device, further protecting sensitive credit card or other personal data.&lt;/p&gt;  &lt;p&gt;But wait, if you have six months of free time to debunk these NFC factoids, you may discover otherwise.&amp;nbsp; That&amp;rsquo;s just what someone did with a few NFC enabled smartphones to test out the security of the technology.&amp;nbsp; At a 2012 BlackHat conference, a researcher presented his findings on how he painstakingly hacked the devices to take advantage of a variety of exploits.&amp;nbsp; With the appropriate know-how, NFC can be manipulated to launch a browser to link to a malicious website, download malware, upload personal info, make unwanted calls or even send SMS messages. &amp;nbsp;Pretty impressive huh? &amp;nbsp;And what about the concept of card skimming?&amp;nbsp; Imagine an NFC tag discreetly placed at a point-of-sale terminal to quietly collect credit card information with some NFC skimming technology. 
Ouch!&lt;/p&gt;  &lt;p&gt;Fortunately, NFC adoption is being slowed by a few big barriers (lack of industry coordination / standardization, lack of infrastructure to support NFC) that will give smartphone providers some extra time to address these technology vulnerabilities (let&amp;rsquo;s hope that&amp;rsquo;s the case).&lt;/p&gt;  &lt;p&gt;While retailers may be feeling consumer pressure to deploy NFC payments and other applications, a misstep with the technology can have a huge impact not only on its adoption but also on the erosion of customer satisfaction, loyalty and retention. &amp;nbsp;A bigger ouch!&lt;/p&gt;  &lt;p&gt;Check out my webcast, &lt;strong&gt;&lt;a href="https://events.na.collabserv.com/portal/wippages/register.php?id=e60eeefd0c&amp;amp;l=en-US" target="_blank"&gt;How New NFC and EMV Technologies will Affect PCI Compliance Approaches&lt;/a&gt;&lt;/strong&gt;, on May 29th, 2013 for more details.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Sources:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/"&gt;http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Blog Post: Cybersecurity Education: Improving Protection through Global Connections</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/04/29/cybersecurity-education-improving-protection-through-global-connections.aspx</link><pubDate>Mon, 29 Apr 2013 20:35:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:337</guid><dc:creator>David Jarvis</dc:creator><description>&lt;p&gt;This blog was originally posted on IBM.com.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;span&gt;In a world of increasing and varying information security&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="https://www-304.ibm.com/jct03001c/security/xforce/" 
target="_blank"&gt;threats&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;, academic initiatives focused on cybersecurity are&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="http://www.welivesecurity.com/2013/04/10/global-center-for-cyber-security-to-be-set-up-at-oxford-university/" target="_blank"&gt;proliferating&amp;nbsp;&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;- yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, programs must be more collaborative across their own institutions, with industry, government, and among the global academic community. Only by working in concert can we meet today&amp;rsquo;s demand while educating the next generation to create a more secure future.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;There have been a lot of recent reports, blog posts and news articles discussing the cybersecurity skills gap. It has been an ongoing issue for a while, and will continue into the future. We wanted to tackle this problem, not from the demand side, but from the supply side. So, the IBM Center for Applied Insights and IBM&amp;rsquo;s Cyber Security Innovation team selected 15 academic programs in 6 different countries from the over 200 institutions we monitor and work with. We conducted interviews with faculty members, department chairs and others. 
This week, we released a synthesis of those interviews in our latest security insights paper, &lt;/span&gt;&lt;a href="http://instituteforadvancedsecurity.com/content-library/m/public_files/495.aspx" target="_blank"&gt;&lt;em&gt;&lt;strong&gt;&amp;ldquo;Cybersecurity&amp;nbsp;education&amp;nbsp;for&amp;nbsp;the&amp;nbsp;next&amp;nbsp;generation:&amp;nbsp;Advancing&amp;nbsp;a&amp;nbsp;collaborative&amp;nbsp;approach&amp;rdquo;&amp;nbsp;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;Through our interviews it was confirmed that cybersecurity is top of mind for students, educators, industry and government. Industry and government are currently facing a&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="http://www.computerweekly.com/news/2240178584/RSA-2013-Cyber-security-skills-shortage-needs-urgent-attention-says-DoHS" target="_blank"&gt;significant&amp;nbsp;skills&amp;nbsp;gap&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;&amp;nbsp;and this is causing the programs we interviewed to see extremely high demand for their students, both undergraduate and graduate.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;But, not all is rosy with the increased demand and attention. Programs are expected to provide more of everything &amp;ndash; courses, graduates, opportunities, research &amp;ndash; which has caused programs to face a number of organizational and technology challenges. Strained programs are addressing these challenges in different ways, taking different approaches to cybersecurity education, but still sharing similar common principles.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;The trends, challenges, issues and differing perspectives cannot be fully addressed by each academic program on its own; cybersecurity is a global problem and should have global solutions. A set of leading practices promoting a longer-term and more collaborative approach is needed. 
We identified three general areas that the leading programs we talked to excelled at, all dealing with collaboration and connection.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0550.8680941639_5F00_1e3b53a942_5F00_b.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0550.8680941639_5F00_1e3b53a942_5F00_b.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p dir="ltr"&gt;&lt;strong&gt;1. Collaborate within your own institution&amp;nbsp;&lt;/strong&gt;&amp;ndash; Cybersecurity programs should embed security practices and principles in computer science and engineering courses and take a holistic technical approach. They should work with other disciplines and schools in the university (e.g., business, law, ethics, medicine, policy). They should offer diverse education options for students and professionals (graduate, undergraduate, professional development, etc.).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Co-evolve with industry and government&amp;nbsp;&lt;/strong&gt;&amp;ndash; Academic programs should have deep ties with industry and government &amp;ndash; partnering and collaborating on research, curriculum development, and opportunities for students. A hands-on, practical, approach is also extremely important. Laboratory work, projects, special-interest groups, and internships should all be cultivated. &amp;nbsp;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. 
Connect across the global academic community&lt;/strong&gt;&amp;nbsp;&amp;ndash; A number of the programs we talked with discussed the need for building a &amp;ldquo;science of security&amp;rdquo; to anticipate security problems and a cross-discipline&amp;nbsp;&lt;em&gt;lingua franca&lt;/em&gt;&amp;nbsp;among scientists, engineers and policy makers. Fundamental concepts and common vocabulary can only be developed with participation of the entire global cybersecurity community.&lt;br /&gt;&amp;nbsp;&lt;/p&gt;  &lt;p dir="ltr"&gt;To read more about leading cybersecurity education practices, case studies, and IBM&amp;rsquo;s recommendations, download our &lt;a href="http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=XB&amp;amp;infotype=PM&amp;amp;appname=CHQE_ED_ED_USEN&amp;amp;htmlfid=EDE12345USEN&amp;amp;attachment=EDE12345USEN.PDF" target="_blank"&gt;&lt;strong&gt;report&lt;/strong&gt;&lt;/a&gt;. The paper is part of our ongoing security insights series which includes the&amp;nbsp;&lt;a href="http://public.dhe.ibm.com/common/ssi/ecm/en/cie03117usen/CIE03117USEN.PDF" target="_blank"&gt;&lt;strong&gt;2012&amp;nbsp;IBM&amp;nbsp;CISO&amp;nbsp;Assessment&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;and the &lt;a href="http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html" target="_blank"&gt;&lt;strong&gt;Security&amp;nbsp;Essentials&amp;nbsp;for&amp;nbsp;CIOs&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;series.&lt;/p&gt;  &lt;p dir="ltr"&gt;&lt;/p&gt;  &lt;p dir="ltr"&gt;Read the original article on IBM.com &lt;strong&gt;&lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/cybersecurity_education?lang=en_us" target="_blank"&gt;here&lt;/a&gt;&lt;/strong&gt;.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Blog Post: Security in the Clouds: Part 
2</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/institute_for_advanced_security/archive/2013/04/25/security-in-the-clouds-part-2.aspx</link><pubDate>Thu, 25 Apr 2013 12:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:335</guid><dc:creator>Institute for Advanced Security</dc:creator><description>&lt;p&gt;This post by Jeff Crume was originally written for Wired.com.&amp;nbsp;&lt;span&gt;Jeff Crume is an IBM Distinguished Engineer, Master Inventor and author of &amp;ldquo;Inside Internet Security: What Hackers Don&amp;rsquo;t Want You To Know.&amp;rdquo;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/8078.jeffcrume.png"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/100x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/8078.jeffcrume.png" border="0" alt=" " /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;In the&amp;nbsp;&lt;strong&gt;&lt;a href="http://www.wired.com/insights/2012/05/security-in-the-clouds-part-1/"&gt;previous post&lt;/a&gt;&lt;/strong&gt;&amp;nbsp;we discussed some of the fundamental challenges of securing a public cloud environment, which is analogous to &amp;ldquo;your data on my hard drive.&amp;rdquo; This computing model introduces some tremendous opportunities to do more with less by taking advantage of the economies of scale of a cloud provider. Additionally, it can free your organization to focus on core competencies rather than being distracted by the details of managing the underlying infrastructure. But just how public should your public cloud be? How much visibility and control can you afford to give up? 
How much have you already given up that you don&amp;rsquo;t know about?&lt;span id="more-5763"&gt;&lt;/span&gt;&lt;/p&gt;  &lt;h3&gt;Public cloud, public data?&lt;/h3&gt;  &lt;p&gt;Storing your data on my hard drive when my hard drive just happens to be shared by all sorts of other organizations and users of every make and model imaginable means that particular diligence must be given to ensuring that only authenticated users have access to only those resources they are authorized to access. We&amp;rsquo;ve already touched on what this means in terms of the data you know has been relocated to the cloud but what about all that you don&amp;rsquo;t know about?&lt;/p&gt;  &lt;p&gt;How can you know about what you don&amp;rsquo;t know? Rather than ponder the existential implications let&amp;rsquo;s just say that because public clouds are so easy to use and so pervasively deployed and so cheap to access, they are sprouting up like weeds. Chances are that at least some of your data already exists in public cloud even if your organization hasn&amp;rsquo;t decided to make the leap. iCloud, Dropbox, Evernote, SugarSync, SkyDrive, Google Drive, &amp;hellip; the list goes on and on. All offer free (or reasonably priced) public cloud storage which can be accessed via the web or an app on your laptop, tablet or smartphone. All could potentially house confidential data that your users either were careless with or didn&amp;rsquo;t know was being copied, for instance, as part of a backup/recovery solution.&lt;/p&gt;  &lt;p&gt;As the saying goes, &amp;ldquo;if you aren&amp;rsquo;t paying for it, you are the product not the customer.&amp;rdquo; In other words, there really is no free lunch here. The business model for the &amp;ldquo;free&amp;rdquo; cloud service that your users are leveraging may involve the cloud provider scanning the content it has been entrusted with in order to provide targeted advertising or lead generation.&lt;/p&gt;  &lt;p&gt;This can be good or bad, of course. 
If you don&amp;rsquo;t have kids you might not care much about ads for diapers but an offer to save on the latest gear to feed the hobby you are passionate about might be appreciated. On the other hand, if you are expecting but have only told a few close family members at this point, then the sudden appearance of those same diaper ads might seem a little creepy.&lt;/p&gt;  &lt;p&gt;Aside from the personal privacy angle, what might be going on with sensitive corporate data that is being hosted by one of these services as well? Who or what else might have access? Can data from one user accidentally spill over to another or be accessed by an attacker who has found a way to circumvent the security controls? Could a sudden uptick in demand for another organization&amp;rsquo;s data (e.g. holiday buying season) cause an undue burden on the cloud provider&amp;rsquo;s infrastructure that impacts your users&amp;rsquo; ability to access key services? Shared infrastructure equals not only shared costs, which is good, but also shared risk, which can be good or bad depending on how well that risk is managed.&lt;/p&gt;  &lt;p&gt;These are great services with compelling value propositions for end users and organizations alike but if you aren&amp;rsquo;t conscious about implementation, they could end up leaking sensitive information like a sieve. If your company is going to use these (and your users surely will), make sure that sensitive data is encrypted&amp;nbsp;&lt;strong&gt;before&lt;/strong&gt;&amp;nbsp;sending it out into the ether. While the provider might say that the data is encrypted, encryption is only as strong as the security around the passwords. &amp;nbsp;Without such deliberate precautions, your free public cloud could become a very expensive nightmare.&lt;/p&gt;  &lt;h3&gt;From in-house to outsource (or out house?)&lt;/h3&gt;  &lt;p&gt;Conceptually, shifting to a public cloud infrastructure is nothing new. 
It&amp;rsquo;s just the latest variation on the theme of outsourcing. As we have learned from some of the early adopters of this trend, there are right ways and wrong ways to go about it. We&amp;rsquo;ve all heard the horror stories of failed implementations along with the trade press profiles of smiling CIOs who became heroes by figuring out how to swim with the sharks and achieve previously unrealized levels of efficiency.&lt;/p&gt;  &lt;p&gt;So which will it be when it comes to security in a public cloud environment? Will it be better or worse? As any good engineer will tell you &amp;ndash; it depends. If your organization is currently struggling to keep up with the demands of security auditors, expertise is dwindling and too much time is being spent by senior technical leaders on day-to-day firefighting instead of more strategic architecture and planning, then you might actually see security improve by handing the job to a team of specialists who have learned through previous implementation experience what works and, equally important, what doesn&amp;rsquo;t.&lt;/p&gt;  &lt;p&gt;If, however, your provider is focused only on cost reduction and lining up more customers they will inevitably have to cut corners somewhere and you can bet security will be one of them. It&amp;rsquo;s the nature of the beast because when it&amp;rsquo;s working properly, no one sees it. When it fails, though, nothing could be more visible. If the priorities of the provider aren&amp;rsquo;t properly aligned, they may be willing to take risks with your resources that you would not approve of. Throw in the potential for lesser visibility and control which can accompany the new computing paradigm if you don&amp;rsquo;t insist otherwise, and this could lead to devastating results.&lt;/p&gt;  &lt;p&gt;So, better or worse? As the EPA says, &amp;ldquo;your mileage may vary.&amp;rdquo;&lt;/p&gt;  &lt;h3&gt;In conclusion&lt;/h3&gt;  &lt;p&gt;Public clouds offer a compelling value proposition. 
If they didn&amp;rsquo;t, there wouldn&amp;rsquo;t be so much buzz surrounding them. If your organization hasn&amp;rsquo;t looked into them, it probably should, even if the answer turns out to be &amp;ldquo;no.&amp;rdquo; As you consider what you might do in this space (or if you need a sanity check regarding what you&amp;rsquo;ve already done), IBM offers some guidance on security considerations for cloud environments that might be worth a look.&lt;/p&gt;  &lt;p&gt;For a high level view try &amp;ldquo;&lt;strong&gt;&lt;a title="Cloud Security: Who Can You Trust?&amp;rdquo;" href="http://www-03.ibm.com/press/us/en/attachment/32799.wss?fileId=ATTACH_FILE1&amp;amp;fileName=10-0861_US%20Cloud%20Computing%20White%20Paper_Final_LR.pdf" target="_blank"&gt;Cloud Security: Who Can You Trust?&lt;/a&gt;&lt;/strong&gt;&amp;rdquo;&lt;/p&gt;  &lt;p&gt;For a more technical discussion, an IBM Redpaper entitled &amp;ldquo;Cloud Security Guidance: IBM Recommendations for the Implementation of Cloud Security&amp;rdquo; can be found at&amp;nbsp;&lt;strong&gt;&lt;a href="http://www.redbooks.ibm.com/abstracts/redp4614.html"&gt;http://www.redbooks.ibm.com/abstracts/redp4614.html&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.wired.com/insights/2012/05/security-in-the-clouds-part-2/" target="_blank"&gt;&lt;strong&gt;Read the original article here.&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Blog Post: The Healthcare Industry Needs to Implement Tighter Controls and Policies, According to the IBM X-Force 2012 Annual Trend and Risk Report</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/chris_poulin/archive/2013/04/22/the-healthcare-industry-needs-to-implement-tighter-controls-and-policies-according-to-the-ibm-x-force-2012-annual-trend-and-risk-report.aspx</link><pubDate>Mon, 22 Apr 2013 12:00:00 GMT</pubDate><guid 
isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:331</guid><dc:creator>ChrisP</dc:creator><description>&lt;p class="normal"&gt;In 2012, there were 1,502 documented incidents resulting in loss of personally identifiable information, almost a 40% increase over the previous year&amp;rsquo;s 1,088 event count. In the last three years, 21 million patients in the United States have had their medical records exposed in data breaches.&lt;/p&gt;  &lt;p class="normal"&gt;Data leaks are becoming a common occurrence, exposing personal details such as email addresses, passwords (both encrypted and clear text), and even national ID numbers. The&amp;nbsp;&lt;a href="http://instituteforadvancedsecurity.com/controlpanel/blogs/posteditor.aspx/&amp;lt;a%20href=&amp;quot;https:/www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&amp;amp;amp;S_PKG=ov12250&amp;quot;&amp;gt;%20&amp;lt;/a&amp;gt;&amp;lt;a%20href=&amp;quot;https:/www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&amp;amp;amp;S_PKG=ov12250&amp;quot;&amp;gt;IBM%20X-Force%202012%20Annual%20Trend%20and%20Risk%20Report&amp;lt;/a&amp;gt;" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt; calls for tighter security controls and policies in the healthcare industry.&lt;/p&gt;  &lt;p class="normal"&gt;With healthcare providers and payers alike trying to retain customers through better quality care and comply with an ever increasing corpus of regulations, patient records are the currency in trade, and as such must be protected with all due care. Moving to electronic health records (EHR) is a must for organizations to be able to share data between providers&amp;mdash;even competing facilities&amp;mdash;insurance companies, and the patient consumer themselves. Creating a record once and enriching it over the lifespan of the patient by all caregivers and payers involved holds the promise to reduce costs and improve outcomes. In addition, the U.S. 
government provides financial incentives for the meaningful use of EHR through the American Recovery and Reinvestment Act&amp;rsquo;s (ARRA) HITECH provisions.&lt;/p&gt;  &lt;p class="normal"&gt;Yet converting records to electronic format makes them convenient to steal en masse if not properly protected. The outcomes of EHR theft include brand reputation damage in a competitive market and financial penalties for non-compliance.&lt;/p&gt;  &lt;p class="normal"&gt;Here are some of the fundamental security controls healthcare organizations must undertake in order to safeguard patient data:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;Discover all EHR and personally identifiable information (PII)&lt;/li&gt;  &lt;li&gt;Encrypt or mask EHR and PII at rest and in transit&lt;/li&gt;  &lt;li&gt;Impose and manage role-based access, coupled with central and/or federated authentication, to EHR and PII&lt;/li&gt;  &lt;li&gt;Contract with Business Associates (BA) who have access to EHR and PII to ensure they are held to the same data protection standards, and audit them regularly&lt;/li&gt;  &lt;li&gt;Protect the infrastructure housing EHR and PII using standard technical controls such as firewalls (perimeter and enclave), VPNs, network and host IPS, and endpoint protection&lt;/li&gt;  &lt;li&gt;Monitor all system and network activities, optimally with automated detection of suspicious activity, particularly as it affects systems containing EHR and PII&lt;/li&gt;  &lt;/ul&gt;  &lt;p class="normal"&gt;Exposure of sensitive data is but one of the salient observations in the&amp;nbsp;&lt;a 
href="http://instituteforadvancedsecurity.com/controlpanel/blogs/posteditor.aspx/&amp;lt;a%20href=&amp;quot;https:/www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&amp;amp;amp;S_PKG=ov12250&amp;quot;&amp;gt;%20&amp;lt;/a&amp;gt;&amp;lt;a%20href=&amp;quot;https:/www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&amp;amp;amp;S_PKG=ov12250&amp;quot;&amp;gt;IBM%20X-Force%202012%20Annual%20Trend%20and%20Risk%20Report&amp;lt;/a&amp;gt;" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;. Download it now and get the full picture of how 2012 shaped up in terms of threats and gain intelligence into what to expect in 2013.&lt;/p&gt;</description></item><item><title>Blog Post: Security in the Clouds: Part 1</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/institute_for_advanced_security/archive/2013/04/19/security-in-the-clouds-part-1.aspx</link><pubDate>Fri, 19 Apr 2013 12:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:334</guid><dc:creator>Institute for Advanced Security</dc:creator><description>&lt;p&gt;A post written by Jeff Crume for Wired.com.&amp;nbsp;Jeff Crume is an IBM Distinguished Engineer, Master Inventor and author of &amp;ldquo;Inside Internet Security: What Hackers Don&amp;rsquo;t Want You To Know.&amp;quot;&lt;/p&gt;  &lt;p&gt;&lt;span&gt;&lt;/span&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-66/0081.jeffcrume.png" width="100" height="100" alt=" " /&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong style="font-size:medium;"&gt;Security in the Clouds: Part 1&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Sometimes it seems that everything in the IT world is going virtual, moving to the cloud. Poof! That server farm you used to maintain so diligently has suddenly vaporized &amp;mdash; cloud-like, as it were &amp;mdash; out of sight, out of mind. 
Now you can let someone else sweat the details, right? Well, if you aren&amp;rsquo;t careful, just as all that equipment moved to an undisclosed location, your mission critical information could enter witness protection without a forwarding address or, even worse, become a matter of public record. Manage the transition to a public cloud correctly and the rewards could be significant, but if you get it wrong, the consequences could be dire.&lt;/p&gt;  &lt;p&gt;At the risk of sounding like your parents interrupting the party to remind you to brush your teeth before you go to bed, there is a need for a sober look at security issues arising from this rush to the cloud. This is not an attempt to discourage you from considering cloud computing. On the contrary, the intention is to make sure you do so with your eyes wide open in order to ensure maximum success in the move. So, while all those around you are acting drunk and disorderly, throwing caution to the wind in the name of lower infrastructure costs, here are a few thoughts from your designated driver, whose interest is in making sure you get home in one piece so that you can live to enjoy the next wave of IT transformation &amp;mdash; and, yes, there will be another one &amp;hellip;&lt;span id="more-5761"&gt;&lt;/span&gt;&lt;/p&gt;  &lt;h3&gt;Variation on a familiar theme&lt;/h3&gt;  &lt;p&gt;Securing a cloud environment involves doing everything we do for traditional IT security plus more. In other words, the fundamental issues of ensuring the CIAs of security &amp;ndash; Confidentiality, Integrity and Availability &amp;ndash; are still in play. 
In fact, it&amp;rsquo;s even more complicated since now we are dealing with the additional complexity of someone else&amp;rsquo;s infrastructure.&lt;/p&gt;  &lt;p&gt;That means we have to begin with a comprehensive risk assessment and from there proceed to develop relevant policies, a solution architecture, a solid implementation that enforces those policies and finish up with a process to analyze results and feed improvements back into the previous steps of the cycle. Nothing new here but sometimes in the cloud rush some people think the laws of gravity have somehow been suspended.&lt;/p&gt;  &lt;p&gt;Just because it&amp;rsquo;s not hosted locally doesn&amp;rsquo;t mean that magic happens and there isn&amp;rsquo;t the same need for provisioning accounts, authenticating users, enforcing access controls, analyzing audit logs, encrypting data, blocking intrusion attempts, applying the latest security patches and so forth. That&amp;rsquo;s all the stuff we already need to do today.&lt;/p&gt;  &lt;p&gt;What the public cloud adds to the equation is a heightened need to get all this right since it will be in a shared infrastructure at a remote location. In addition, things like federated single sign-on (to connect across disparate authentication systems), federated account provisioning/deprovisioning (to create and delete the correct access privileges on the system you no longer have direct access to) and securing the hypervisor layer of the virtualization system used by the service provider become key issues. That last part is often overlooked but it shouldn&amp;rsquo;t be because each new layer of infrastructure represents a potential attack vector. We know OS&amp;rsquo;s and apps aren&amp;rsquo;t perfect so we harden them, patch them and stand up intrusion prevention layers to protect them from the bad guys. 
The hypervisor in a virtualized computing environment needs the same protections but doesn&amp;rsquo;t always get the same scrutiny.&lt;/p&gt;  &lt;h3&gt;SLAs &amp;mdash; all bark and no bite?&lt;/h3&gt;  &lt;p&gt;Another aspect that isn&amp;rsquo;t exactly new but that requires more intense scrutiny with a public cloud is the Service Level Agreement (SLA) you have with the provider. A starter list of issues to consider appears below but don&amp;rsquo;t take this to be an exhaustive enumeration. What&amp;rsquo;s critical for one application may be inconsequential for another. There&amp;rsquo;s no such thing as &amp;ldquo;one size fits all&amp;rdquo; here.&lt;/p&gt;  &lt;p&gt;Of course, the cloud provider is hoping for just the opposite. The more customers they can get to accept their basic terms of service, the better it is for them because cookie cutter rollouts are a lot easier than custom-made orders. Your job at the end of the day, though, is to look out for your organization&amp;rsquo;s best interests and that means taking care not to get swept up in the tide of lowest common denominator offerings.&lt;/p&gt;  &lt;p&gt;Seemingly obvious aspects such as what it really means for a provider to say they will provide 99% up time are critical. First of all, realize that what might sound really great at first blush in this example could, in fact, result in more than three days of down time per year and still be in compliance. Furthermore, what happens if the SLA is not met? 
Many assume that the provider has the capability to guarantee this commitment but in some cases this may be nothing more than a best effort statement with no penalties if violated and no actual ability to deliver this level of service.&lt;/p&gt;  &lt;p&gt;Again, it&amp;rsquo;s all the traditional IT responsibilities plus more.&lt;/p&gt;  &lt;h3&gt;Your data on my hard drive&lt;/h3&gt;  &lt;p&gt;Cryptography expert Bruce Schneier has described the public cloud model as &amp;ldquo;your data on my hard drive.&amp;rdquo; The need for access and the value of the resource hasn&amp;rsquo;t changed but the risk profile has. You may have limited visibility and control over the infrastructure you are now effectively renting. Some questions to consider:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;Is the data sufficiently isolated from other users of the shared cloud?&lt;/li&gt;  &lt;li&gt;Are access controls up to the task of keeping the prying eyes of unauthorized users at bay?&lt;/li&gt;  &lt;li&gt;Are you protected against data leakage by administrators working for the cloud provider who are not authorized to view the data but may, by virtue of their privileged status, be able to subvert protections in place?&lt;/li&gt;  &lt;li&gt;Can you get easy access to an audit trail showing who, when, from where, etc., has accessed the data?&lt;/li&gt;  &lt;li&gt;Is it being backed up in case a hard drive crashes?&lt;/li&gt;  &lt;li&gt;Is the environment sufficiently provisioned to handle the demand placed upon it not only by legitimate users but also by attackers launching a denial of service attack?&lt;/li&gt;  &lt;li&gt;What about disaster recovery?&lt;/li&gt;  &lt;li&gt;Is there a mechanism to failover to hot or warm standby at a substantially different geographical location so as to not disrupt operations during an outage?&lt;/li&gt;  &lt;li&gt;Will auditors and regulators be satisfied with your answers to all of these questions?&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;OK, so it may not be all 
that simple to let someone else handle it as you might have first thought: you clearly have some due diligence to perform before turning over the keys to the kingdom. More on that, as well as other considerations in securing a public cloud, in Part 2&amp;hellip;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;a href="http://www.wired.com/insights/2012/05/security-in-the-clouds-part-1/#more-5761" target="_blank"&gt;Read the original&amp;nbsp;article.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>Blog Post: Don’t Get Me Started: The Top Ten “Derailers” of a Security Program</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/lynn-price/archive/2013/04/17/don-t-get-me-started-the-top-ten-derailers-of-a-security-program.aspx</link><pubDate>Wed, 17 Apr 2013 17:32:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:332</guid><dc:creator>Lynn Price </dc:creator><description>&lt;p&gt;While the majority of security organizations have remained steady in the current explosive threat environment, it is easy to get thrown by the headlines of the latest cyber strike, the discovery of a new and far-reaching vulnerability, or even the connection of cyber security with dark matter.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Achieving the basics of a solid security practice is really hard work.&amp;nbsp; The challenge of implementing a sound and impenetrable defense ranks right up there with other highly visible business achievements.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;There are many common threads and themes found throughout the maturing security, risk and governance practice.&amp;nbsp; Take heart and try to sidestep these pitfalls, which are often heard echoing throughout the banking and financial services industries.&lt;/p&gt;  &lt;p&gt;TOP TEN &amp;ldquo;DERAILERS&amp;rdquo;&lt;/p&gt;  &lt;p&gt;Coming in at number 10&lt;/p&gt;  &lt;p&gt;&lt;b&gt;10) &lt;/b&gt;&amp;ldquo;&lt;b&gt;Our 
security policy is based on what we think best ---- ISO 27000, CoBit, NIST, FFIEC, and other industry standards/regulations are just too overwhelming to be our foundation&amp;rdquo;.&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;Starting with ISO 27001 makes good sense, as it is a risk-based security standard that has stood the test of time.&amp;nbsp; Optimally, take a blended approach, with the backbone policy based on 27001 along with specific industry standards, and keep an eye on the others.&lt;/p&gt;  &lt;p&gt;Coming in at number 9&lt;/p&gt;  &lt;p&gt;&lt;b&gt;9) &amp;ldquo;Did you hear about the latest attack? --- we have to implement new technology now&amp;rdquo;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The Chicken Little approach never works, but new technology is often the ready response to pressure from executives. Go back to your strategic objectives and align any new threats with similar ones. Develop a well-thought-out approach and strategy that integrates with current directions and technologies. Stay cool in the heat.&lt;/p&gt;  &lt;p&gt;Coming in at number 8&lt;/p&gt;  &lt;p&gt;&lt;b&gt;8) &amp;ldquo;We work in silos and don&amp;#39;t have the organizational structure for a centralized program&amp;rdquo;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;This is a recipe for inefficient and ineffective security solutions and practices.&amp;nbsp; Certainly some functions can be decentralized, as solutions can be very specific to business units; however, the core SOC, SIEM, correlation and alerting should be centralized.&lt;/p&gt;  &lt;p&gt;Coming in at number 7&lt;/p&gt;  &lt;p&gt;&lt;b&gt;7) &amp;ldquo;Our metrics are based on shared data from supporting organizations - there is no way to audit the accuracy of this data&amp;rdquo;&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;As metrics are used to evaluate the effectiveness of the security program as well as to score the overall security posture, you can&amp;rsquo;t base them on untrusted data. You will likely end up in the weeds. 
Find a way to audit or validate the data, even if it is self-audited.&lt;/p&gt;  &lt;p&gt;Coming in at number 6&lt;/p&gt;  &lt;p&gt;&lt;b&gt;6) &amp;ldquo;We have some real security geeks who blaze the trail with the latest and coolest technology. We follow whatever they say&amp;rdquo;&lt;/b&gt;.&lt;/p&gt;  &lt;p&gt;While this may be an easy way out the first time, it will be downhill from there on.&amp;nbsp; When weighing technologies, make sure you have a set of standard and practiced criteria for the environment as well as stated use-case requirements. Make sure you have proven product demonstrations and pilots as needed.&lt;/p&gt;  &lt;p&gt;Coming in at number 5&lt;/p&gt;  &lt;p&gt;&lt;b&gt;5) Our security program is still in boxes on the shelf&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;What can I say, but it is more than time to dust it off, re-evaluate it, and determine whether it is still within the overall security goals and objectives.&amp;nbsp; Get to it and move it higher on the priority list.&lt;/p&gt;  &lt;p&gt;Coming in at number 4&lt;/p&gt;  &lt;p&gt;&lt;b&gt;4) We don&amp;#39;t have the support of our executives - no meetings, no steering committee, no measurements for their review, they just don&amp;#39;t understand security&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;Humph.&amp;nbsp; No time like the present to start communicating.&amp;nbsp; Don&amp;rsquo;t wait for senior executives to come to you, as the occasion will probably not be a positive one.&amp;nbsp; Go to them and start by getting their direction on the overall business risk tolerance.&amp;nbsp; This is a decision that should be made by the business at an executive level, not by the security organization.&amp;nbsp; Build out from there, hopefully through the formation of a steering committee made up of organizational executives such as business owners, architecture review board owners, and other strong business influencers. 
Make sure your overall enterprise security posture is being communicated to the top.&amp;nbsp; They don&amp;rsquo;t like surprises.&lt;/p&gt;  &lt;p&gt;Coming in at number 3&lt;/p&gt;  &lt;p&gt;&lt;b&gt;3) We don&amp;#39;t have time to really understand our current security posture or plan a strategic security program as we are too busy responding to incidents&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;You cannot afford to &lt;i&gt;not&lt;/i&gt; focus on a security strategy, so it is time to cleave the herd and assign some people to the security strategy.&amp;nbsp; If there is a call for &amp;ldquo;all hands on deck&amp;rdquo; due to a security incident, keep blinders on those assigned to strategy.&lt;/p&gt;  &lt;p&gt;Coming in at number 2&lt;/p&gt;  &lt;p&gt;&lt;b&gt;2) We do not have a good asset inventory or classification process - just can&amp;#39;t get the information&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;This points to the old adage, &amp;ldquo;You can&amp;rsquo;t manage what you can&amp;rsquo;t see.&amp;rdquo; Understanding asset value and sensitivity is key to protecting the kingdom.&amp;nbsp; Ensure you have a classification system in your policies and practices.&amp;nbsp; You will need to go to the business, as only the business owners will be able to assert the value.&lt;/p&gt;  &lt;p&gt;Coming in at number 1&lt;/p&gt;  &lt;p&gt;&lt;b&gt;1)&amp;nbsp;&lt;/b&gt;&lt;b&gt;We can&amp;rsquo;t patch our systems as we have a business to run&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;Identify those systems that are hard to patch due to high-availability requirements. Create a separate and distinct patch-timing process for those. &amp;nbsp;If possible, hot-patch them. 
Implement automated health-checking agents that look for new patches and apply them wherever possible.&amp;nbsp; Where that is not possible, understand and accept the risk.&amp;nbsp;&lt;/p&gt;</description></item><item><title>Blog Post: The Retail Industry Must Protect Its Information Assets from Web Services Inward, According to the IBM X-Force 2012 Annual Trend and Risk Report</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/tim-appleby/archive/2013/04/15/the-retail-industry-must-protect-its-information-assets-from-web-services-inward-according-to-the-ibm-x-force-2012-annual-trend-and-risk-report.aspx</link><pubDate>Mon, 15 Apr 2013 07:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:330</guid><description>&lt;p class="normal"&gt;The &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;&amp;nbsp;reports that exploitation of web services saw a 14% increase in 2012 over the previous year, mainly attributed to SQL injection and cross-site scripting (XSS) attacks.&lt;/p&gt;  &lt;p class="normal"&gt;As retailers look for new ways to engage customers beyond the traditional brick-and-mortar store, multi-channel retailing continues to be a winning strategy.&amp;nbsp; To meet customers&amp;#39; desire for convenience and flexibility, retailers are boosting their online capabilities to tap into growing e-commerce and m-commerce. 
But as retailers build a bigger web presence to extend the shopping experience, they are collecting more and more information about consumers and their purchases to better understand their shopping habits.&lt;/p&gt;  &lt;p class="normal"&gt;Consequently, web applications are a prime target for attackers looking to exploit vulnerabilities and reach back-end data containing card numbers and other sensitive customer information, which makes the design of the web application even more critical for retailers.&lt;/p&gt;  &lt;p class="normal"&gt;Some of the steps retailers can take to make their web applications safer are:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;Adopt secure-by-design coding practices&lt;/li&gt;  &lt;li&gt;Provide security training for developers&lt;/li&gt;  &lt;li&gt;Conduct code reviews, both manual and automated&lt;/li&gt;  &lt;li&gt;Frequently scan applications for vulnerabilities&lt;/li&gt;  &lt;li&gt;Install patches that fix the latest known vulnerabilities&lt;/li&gt;  &lt;/ul&gt;  &lt;p class="normal"&gt;Attacks on exposed web services are but one of the salient observations in the &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;. 
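&lt;/p&gt;  &lt;p class="normal"&gt;The two attack classes the report singles out, shown as an added example that is not code from the original post or from the X-Force report: a customer lookup built by string concatenation beside its parameterized version, and a greeting rendered with and without HTML encoding. The in-memory table, the sample rows, the attacker payloads and the function names are all constructed for this demonstration.&lt;/p&gt;

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a retailer's customer store
    # (sample rows for this demonstration, not data from the report).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return db


def lookup_vulnerable(db, email):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote character in the input rewrites the WHERE clause.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email):
    # Placeholder binding: the driver passes the input as a value,
    # so it is compared literally and can never change the statement.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def render_greeting_unsafe(name):
    # Untrusted text dropped straight into the HTML body.
    return "Welcome back, " + name


def render_greeting_safe(name):
    # Encode for the HTML text context before the value reaches the page;
    # quote=True also covers attribute contexts.
    return "Welcome back, " + html.escape(name, quote=True)


def demo():
    db = make_db()
    # Classic tautology payload: closes the string literal and appends OR '1'='1'.
    sqli_payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(db, sqli_payload)      # every customer row comes back
    bound = lookup_parameterized(db, sqli_payload)    # no such email, so no rows
    # A script tag; hex escapes keep this source free of literal angle brackets.
    xss_payload = "\x3cscript\x3ealert(1)\x3c/script\x3e"
    return {
        "leaked_rows": len(leaked),
        "bound_rows": len(bound),
        "unsafe_html": render_greeting_unsafe(xss_payload),
        "safe_html": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

&lt;p class="normal"&gt;Calling demo() returns both customer rows for the concatenated query and none for the bound one, and the encoded greeting carries no raw tag characters. The script tag in the sample is spelled with hex escapes so that this feed entry stays plain text; Python sees the same string either way. The same two fixes, bound parameters on every query and context-aware output encoding on every rendered value, are what the &amp;ldquo;secure by design&amp;rdquo; and code review items above should be checking for.&lt;/p&gt;  &lt;p class="normal"&gt;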
Download it now and get the full picture of how 2012 shaped up in terms of threats and gain intelligence into what to expect in 2013.&lt;/p&gt;</description></item><item><title>Blog Post: The Financial Services Sector is at Risk of Sophisticated Attacks, According to the IBM X-Force 2012 Annual Trend and Risk Report </title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/lynn-price/archive/2013/04/08/the-financial-services-sector-is-at-risk-of-sophisticated-attacks-according-to-the-ibm-x-force-2012-annual-trend-and-risk-report.aspx</link><pubDate>Mon, 08 Apr 2013 13:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:326</guid><dc:creator>Lynn Price </dc:creator><description>&lt;p&gt;The recent DDoS attacks against Spamhaus punctuated the conclusion in the &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;&amp;nbsp;that DDoS attacks have increased in sophistication. Last year&amp;rsquo;s attacks on financial institutions, which continue even now, employed compromised servers connected to high-capacity internet links, allowing&amp;nbsp;&lt;a href="http://www.computerworld.com/s/article/9234701/DDoS_attacks_against_U.S._banks_peaked_at_60_Gbps" target="_blank"&gt;traffic floods reaching 60 - 70 Gbps and higher&lt;/a&gt;. 
The newest &amp;ldquo;old&amp;rdquo; technique is DNS amplification, which, according to one source, &lt;a href="http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet" target="_blank"&gt;&amp;ldquo;almost broke the internet.&amp;rdquo;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt; There are a couple of notable observations from these attacks:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;DDoS is regaining popularity among activists, adding to the arsenal of defacement and doxxing, and is moving beyond bot herding&lt;/li&gt;  &lt;li&gt;Financial institutions are a prime target, whether or not they have anything to do with the activists&amp;rsquo; cause, as evidenced by the recent DDoS attacks.&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;The financial sector is the backbone of our economy, and, as has been demonstrated over the last five years, a collapse in one country cascades to others. Arguably, the finance sector is one of the most important components of our critical infrastructure, if not the most important. Financial institutions were visibly impacted by DDoS last year, and many were unprepared for the increased traffic volume and attack complexity. Impacts varied from consuming personnel to tarnishing brand reputation.&lt;/p&gt;  &lt;p&gt;Forward-thinking organizations not only responded to the immediate threat but also assembled longer-term strategies as they analyzed the advanced methods in the current attacks, anticipating future advances. &lt;br /&gt;&lt;br /&gt; Organizations should implement a multi-faceted approach adopting planning, monitoring, and response phases:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;During the planning stage, an organization should negotiate with its telecommunication and cloud service providers for elastic computing power to deal with traffic surges. &amp;nbsp;If it chooses in-house solutions, architectures should be implemented with scalable and flexible computing capacity. &amp;nbsp;Edge devices which cleanse or sinkhole traffic should be considered. 
&amp;nbsp;&lt;/li&gt;  &lt;li&gt;During the monitoring phase, enterprises should ensure they have centralized management with network and application behavior analysis that can detect anomalous and nefarious activity.&lt;/li&gt;  &lt;li&gt;During the response phase, organizations must have a well-documented and rehearsed response plan, moving into a disaster recovery plan if needed.&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;The prediction of increased DDoS sophistication is but one of the salient observations in the &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;IBM X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;. Download it now and get the full picture of how 2012 shaped up in terms of threats and gain intelligence into what to expect in 2013.&lt;/p&gt;</description></item><item><title>Blog Post: Is 2013 the Year of Security?</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/glen_gooding/archive/2013/04/05/is-2013-the-year-of-security.aspx</link><pubDate>Thu, 04 Apr 2013 22:45:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:324</guid><dc:creator>Glen Gooding</dc:creator><description>&lt;p&gt;The two weeks of the year where security experts from around the world descend upon the United States have come and gone as quickly as $100 on a single-deck blackjack table on Fremont Street. I have been attending RSA and Pulse for many consecutive years now, and for the first time in 6 years I did not visit RSA in San Francisco, opting to spend my two-week indulgence in the latest security technology at Pulse in Las Vegas alone, hence the earlier comment re my $100. &lt;br /&gt; &lt;br /&gt; With IBM&amp;#39;s Security Systems in its second year of existence, as an IBM security professional I felt proud walking around the expo centre, mingling with colleagues and customers alike, attending keynotes, sitting in on birds-of-a-feather sessions, and witnessing amazing demos of technology. 
It was visibly apparent that security really has come of age. It is no longer an afterthought, or the distant cousin of a once magnificent IT Service Management conference; there is now a realization (one that many of us have held for years) that security is critical in managing a successful and sustainable business. &lt;br /&gt; &lt;br /&gt; Listening to our senior executives tell the complete IBM security story, encompassing &lt;a href="https://www.youtube.com/watch?v=YILgI3_sNmE" target="_blank"&gt;software&lt;/a&gt; and &lt;a href="https://www.youtube.com/watch?v=mwkSRF-K0zw" target="_blank"&gt;services&lt;/a&gt;, linked with a compelling discussion from a &lt;a href="http://www.youtube.com/watch?v=skKWy5NJENU&amp;amp;feature=player_embedded" target="_blank"&gt;guy &amp;#39;who has all of our data&amp;#39;&lt;/a&gt;, made for an easy recount to my Aussie colleagues who were not able to make the event. &amp;nbsp;For Institute followers who have not seen these short 10-15 minute clips, I strongly recommend taking the time to view them and understand our direction. &lt;br /&gt; &lt;br /&gt; Security is a discussion point that needs to be heard at the most senior executive levels of our customers, and it was evident at our Board of Advisors meeting how important it is to build a strong partnership with a true security vendor. &amp;nbsp;A security vendor that not only provides industry-leading technology and services, but one that has been proven to follow guidelines to implement controls to manage the security requirements for 450,000-plus employees, is a vendor to sit up and listen to. Industry often neglects to look further into the DNA of IBM and see how we, as an innovative, technically savvy and sometimes bleeding-edge organisation spanning the globe in over 178 countries, provide a level of security control that could arguably be seen as a benchmark for any industry worldwide. 
&amp;nbsp;Why wouldn&amp;#39;t IBM be seen as a visionary in the security space? Why shouldn&amp;#39;t IBM be seen as a leader in the security arena? &lt;br /&gt; &lt;br /&gt; To many of us who have been around for some time, the message has been clear. I hail from the very first IBM security acquisition, DASCOM, back in September &amp;#39;99, and nearly every year since then, internally, we have touted, &amp;#39;this will be the year for security&amp;#39;. &amp;nbsp;The 2013 Vegas show may have finally been the &amp;#39;year&amp;#39; that proved that statement correct. &amp;nbsp;True, it&amp;rsquo;s been 13 1/2 years in the making, but our strategic direction, our development imperatives and our ability to acquire capabilities in areas where we see game-changing features for the future will continue to drive IBM up the list of the most recognised security vendors in the world. So, I&amp;#39;m keen to see how the security industry gets shaped this year. &amp;nbsp; &lt;br /&gt; &lt;br /&gt; And speaking of the security outlook this year, our X-Force team just announced the 2012 full-year report, highlighting key findings that will shape the global threat landscape in 2013. Be sure to download a copy of the &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;. &lt;br /&gt; &lt;br /&gt; I look forward to getting back into the field, meeting with the customers for whom I act as trusted security advisor, and improving the IBM security brand. &amp;nbsp; &lt;br /&gt;&lt;br /&gt; See you soon, and keep the tweets to me @gg00ding and the Institute @InstituteAdvSec flowing. 
&lt;br /&gt; &lt;/p&gt;</description></item><item><title>Blog Post: IBM X-Force 2012 Annual Trend &amp; Risk Report Has Been Released</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/leslie_horacek/archive/2013/04/02/ibm-x-force-2012-annual-trend-amp-risk-report-has-released.aspx</link><pubDate>Tue, 02 Apr 2013 14:41:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:318</guid><dc:creator>Leslie</dc:creator><description>&lt;p&gt;It is always exciting to be able to announce the next version of the &lt;a href="https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&amp;amp;S_PKG=ov12250" target="_blank"&gt;IBM X-Force&amp;reg; 2012 Trend &amp;amp; Risk Report&lt;/a&gt;, and today we are announcing the full-year 2012 findings and the key highlights researched by IBM X-Force.&amp;nbsp;One of the differentiators that we observed across various attacker efforts was that, by targeting vulnerabilities in cross-platform frameworks and building on a solid foundation of tried-and-true attack techniques, attackers achieved a greater return on exploit development in 2012. &lt;br /&gt; &lt;br /&gt; Looking back over the year, there was a measurable increase in public announcements of security incidents and breaches, where SQL injection and DDoS attacks continued to wreak havoc on IT infrastructures. &lt;br /&gt; &lt;br /&gt; Over the past year, everything from the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities had both consumers and corporations inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents&amp;mdash;which had already hit a new high in 2011&amp;mdash;continued its upward trajectory. &lt;br /&gt; &lt;br /&gt; At the mid-year point of 2012, we predicted that the explosive nature of attacks and security breaches seen in the first half would continue. 
Indeed this was the case.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/0167.Figure-3_2D00_-2012-Sampling-of-Security-Incidents-by-Attack-Type_2C00_-Time-and-Impact.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/0167.Figure-3_2D00_-2012-Sampling-of-Security-Incidents-by-Attack-Type_2C00_-Time-and-Impact.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;h2&gt;Operational Sophistication&amp;mdash;Advanced Persistent Threats&amp;mdash;not always so Advanced&lt;/h2&gt;  &lt;p&gt;2012 marked notable advances in operational sophistication &amp;ndash; more than technical sophistication &amp;ndash; across all attacker groups and many attack methods.&amp;nbsp; While media headlines are dominated by the achievements of advanced tactics used to breach high-profile organizations, more often than not these efforts follow the path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware.&amp;nbsp; Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware.&amp;nbsp; &lt;br /&gt; &lt;br /&gt; The exploitation of web application vulnerabilities rose 14% in 2012 to more than 3,500 known issues, or 43% of all reported vulnerabilities, led by cross-site scripting (XSS) and SQL injection.&amp;nbsp; The proportion of XSS vulnerabilities was the highest X-Force has ever seen, at 53%, driven by third-party add-ons or plug-ins for Content Management Systems.&amp;nbsp; Attackers know that CMS vendors address and patch their exposures more readily than the smaller organizations and individuals producing the add-ons and plug-ins, and went after the 
softer targets. &amp;nbsp;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/6761.Figure-30_2D00_-Total-Vulnerabilities-versus-Web-Application-vulnerabilities2006-_2D00_-2012.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/6761.Figure-30_2D00_-Total-Vulnerabilities-versus-Web-Application-vulnerabilities2006-_2D00_-2012.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/5584.Figure-31_2D00_-Web-Application-Vulnerabilities-by-Attack-Technique2006_2D00_2012-.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/5584.Figure-31_2D00_-Web-Application-Vulnerabilities-by-Attack-Technique2006_2D00_2012-.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;h2&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/8270.xforcereport3.png"&gt;&lt;/a&gt;&lt;b&gt;ABC&amp;rsquo;s and DDoS&amp;rsquo;s&lt;/b&gt;&lt;/h2&gt;  &lt;p&gt;Denial of Service (DoS or DDoS) is another approach where attackers modified their tactics to increase sophistication.&amp;nbsp; 2012 saw an enormous increase in DoS traffic volumes using up to 60 &amp;ndash; 70 Gbps of data driven by compromised 24X7 higher bandwidth web servers instead of PCs.&amp;nbsp; Hacktivists selected DDoS as their weapon of choice, and the ready availability of exploit toolkits such as &amp;lsquo;itsnoproblembro&amp;rsquo; 
provided upgraded technology to even the rank-and-file antagonists.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/6740.Figure-11_2D00_-MSS-Security-Incident-trendsDenial-of-Service-Alerts-in-2012.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/6740.Figure-11_2D00_-MSS-Security-Incident-trendsDenial-of-Service-Alerts-in-2012.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;The Java Connection&lt;/b&gt;&lt;/h2&gt;  &lt;p&gt;In 2012, it was clear that web browser exploit kit authors were favoring exploits targeting newly discovered Java vulnerabilities, successfully incorporating them within two to three months after the code was made available or detailed information was published.&amp;nbsp; The reason is simple: Java is a means to successfully infect the highest number of systems possible.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&amp;nbsp; &lt;br /&gt; Unlike the often-exploited web browser environment, the Java platform has the following important characteristics: &lt;br /&gt; 1. Exploits written for Java vulnerabilities, particularly logic vulnerabilities leading to a Java Virtual Machine (JVM) sandbox bypass, are very reliable and do not need to circumvent exploit mitigations in modern operating systems.&amp;nbsp; &lt;br /&gt; 2. The Java plugin runs without a process sandbox, meaning that once the Java plugin is compromised, an attacker will be able to install persistent malware on the system without the need to exploit a separate privilege escalation vulnerability. 
&lt;br /&gt; 3. Java is available on multiple operating systems making it a cross-platform attack opportunity and one of the primary ways that drive-by downloads are affecting the Mac OS X platform. &lt;br /&gt; &amp;nbsp; &lt;br /&gt; IBM X-Force offers several suggestions to better prepare organizations for whatever the next actions of mass exploit kit authors might be.&amp;nbsp; These include reducing your attack surface, keeping your software up-to-date, and taking advantage of the security features offered by your browser and browser plugins. &lt;br /&gt; &lt;br /&gt; &lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/4540.xforcereport5.png"&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/3247.Figure-15_2D00_-CVE_2D00_2012_2D00_4681-Timeline.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/3247.Figure-15_2D00_-CVE_2D00_2012_2D00_4681-Timeline.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;&lt;i&gt;CVE-2012-4681 Timeline&lt;/i&gt;&lt;/b&gt;&lt;/h2&gt;  &lt;h3&gt;&lt;br /&gt; &lt;b&gt;Social media and intelligence gathering&lt;/b&gt;&lt;/h3&gt;  &lt;p&gt;&lt;b&gt;&lt;/b&gt;&lt;br /&gt; Few innovations have impacted the way the world communicates quite like social media; however, the mass interconnection and constant availability of individuals has introduced new vulnerabilities and caused a fundamental shift in intelligence gathering. 
In 2012, social media repositories were leveraged for enhanced spear-phishing techniques, duping users into clicking on bad links seemingly originating from friends and co-workers.&amp;nbsp; The ability to focus on individuals allowed attackers to see enterprises as a collection of personalities helping them take advantage of the employees&amp;rsquo; personal activities, and more easily bypass enterprise email security countermeasures or perimeter security defenses. &lt;br /&gt; &lt;br /&gt; &lt;b&gt;Attacker reaction to botnet take downs&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;/b&gt;&lt;br /&gt; And while overall spam volume is down in 2012, the nature of this spam and the resiliency of the botnet command and control servers continue to cause problems.&amp;nbsp; Today&amp;rsquo;s spam is better targeted and continues to include effective methods to inject malicious code--such as images and zip files--or instead pointing users to malicious links.&amp;nbsp; IBM X-Force also witnessed operational sophistication in the way botnet command and control servers improved their resiliency against take downs by compensating with other readily available networks.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/0385.Figure-27_2D00_-Drop-of-spam-Volume-after-botnet-takedowns2008-to-2012.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/0385.Figure-27_2D00_-Drop-of-spam-Volume-after-botnet-takedowns2008-to-2012.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;h2&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/8206.xforcereport6.png"&gt;&lt;/a&gt;&lt;b&gt;Emerging Trends&lt;/b&gt;&lt;/h2&gt;  
&lt;h3&gt;&lt;b&gt; Mobile Security Practices can Increase Overall Security and Lower Risk&lt;/b&gt;&lt;/h3&gt;  &lt;p&gt;&lt;br /&gt; Mobile computing devices should be more secure than traditional user computing devices by 2014.&amp;nbsp; This is a bold prediction that IBM recently made as part of its look ahead at technology trends. While this prediction may seem far-fetched on the surface, it is based on existing security control trends and needs driven by the popularity of mobile computing and BYOD. The challenges have resulted in new control technologies that allow finer-grained controls than previous approaches for traditional computing devices. We have already seen some of these improvements trickle down into mainstream desktop operating systems and should expect this trend to continue. &lt;br /&gt; &lt;br /&gt; Developing applications for mobile environments is fundamentally different. Application sandboxing limits the exposure of system-level interfaces, digital signing prevents the installation of rogue code, the ability to remotely wipe the whole device&amp;mdash;or selected applications and associated data&amp;mdash;is another built-in safeguard, and biocontextual authentication involving physical location, network identification, voice recognition, and eye and facial recognition is being pioneered on mobile platforms.&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;Operational Security Practices&lt;/b&gt;&lt;/h2&gt;  &lt;h3&gt;&lt;br /&gt; &lt;b&gt;Risk modeling, assessment and management&lt;/b&gt;&lt;/h3&gt;  &lt;p&gt;&lt;b&gt;&lt;/b&gt;&lt;br /&gt; Finally, the IBM Professional Security Services (PSS) Emergency Response team provides readers with creative methods to help reconsider risk modeling, assessment and management. 
The article helps security professionals assess the risk posed by threats to their networks and document ways to treat, transfer, tolerate or terminate each threat within their systems.&amp;nbsp;Below is a chart from the article illustrating an example threat assessment and actionable mitigation process.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/8132.Table-3_2D00_-Example-Threat-Assessment-and-Mitigation-Process.jpg" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/8132.Table-3_2D00_-Example-Threat-Assessment-and-Mitigation-Process.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-54/2018.xforcereport7.png"&gt;&lt;/a&gt;We encourage readers not only to check out the highlights listed here, but to read the full report&amp;nbsp;with additional&amp;nbsp;contributions from the IBM Security division. 
&lt;br /&gt; &lt;br /&gt;Download a copy of the &lt;a href="http://goo.gl/SC1yn" target="_blank"&gt;X-Force 2012 Annual Trend and Risk Report&lt;/a&gt;.&lt;span style="text-decoration:underline;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Blog Post: A Better Way to Pay and Fight Credit Card Fraud</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/tim-appleby/archive/2013/03/25/a-better-way-to-pay-and-fight-credit-card-fraud.aspx</link><pubDate>Mon, 25 Mar 2013 20:25:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:317</guid><description>&lt;p&gt;The payment landscape is evolving and there is a lot of technology out there jockeying to replace the traditional magnetic stripe credit card. Smartphones are driving new types of payment methods for making payments at the checkout line, with options like:&lt;/p&gt;  &lt;ul&gt;  &lt;li&gt;Smartphone credit card readers (mobile point of sale&amp;mdash;think Square)&lt;/li&gt;  &lt;li&gt;Software based solutions that debit our prepaid balances&lt;/li&gt;  &lt;li&gt;NFC-enabled smartphones (with a chip that stores your credit card information)&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;But there is an intelligent chip technology that is poised for adoption in the US &amp;ndash; EMV cards &amp;ndash; to allow consumers to more confidently make purchases without the worry of credit card fraud.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.emvco.com/"&gt;EMV&lt;/a&gt; (Europay, MasterCard and VISA) is a global standard for authenticating payment transactions involving credit or debit cards that have an embedded chip. EMV adoption is steadily growing &lt;span style="text-decoration:underline;"&gt;outside&lt;/span&gt; the US and is becoming the de facto payment method to replace magnetic stripe cards. 
Retailers are having to adapt to EMV or be left behind&amp;mdash;or bankrupt.&lt;/p&gt;  &lt;p&gt;Here are some adoption rates for EMV cards worldwide: Western Europe 84%, Eastern Europe 14%, Africa &amp;amp; Middle East 21%, Asia-Pacific 25%, and Canada/Latin America/Caribbean 41%.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-71/7181.DeclineInCreditCardFraud.png"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-71/7181.DeclineInCreditCardFraud.png" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;So where is the US in this? Still reliant on magnetic stripe technology, exposing consumers to continued credit card fraud. Criminals can read the static account data from the magnetic stripe (using a card reader at the point of sale - known as skimming) and easily duplicate it on another card. 
They have even figured out how to &amp;lsquo;skim&amp;rsquo; credit card information using wireless technology.&lt;/p&gt;  &lt;p&gt;With the adoption of EMV payment in participating countries, fraud losses have dropped dramatically because it&amp;rsquo;s more difficult to steal payment information when the data is dynamically encrypted and unique for each purchase.&amp;nbsp; And by layering a PIN or signature authentication step on top of an EMV transaction, unauthorized use of a lost or stolen card is nearly impossible.&lt;/p&gt;  &lt;p&gt;Here are some stats on the decline in credit card fraud in countries that have adopted EMV cards: Europe 36%, Brazil 80%, Canada 35% and Australia 25%.&lt;/p&gt;  &lt;p&gt;These adoption rates are bad news for the US because criminals around the world are targeting their attacks on the US to take advantage of the more vulnerable magnetic stripe cards that we continue to use. &amp;nbsp;Not only did the UK and France experience a reduction in domestic fraud with the adoption of EMV, but they also noticed their cross-country fraud stats dropped because it&amp;rsquo;s more difficult to commit fraud and produce counterfeit cards in countries using chip-embedded technology. &amp;nbsp;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;With the adoption of EMV chip technology, retailers will position themselves to bolster their security and reduce fraud.&amp;nbsp; In addition, the new infrastructure that supports EMV can be used to add new payment options like NFC and RFID. 
&amp;nbsp;And did I mention, some merchants can even get a pass on their annual PCI validation if at least 75% of their Visa transactions are EMV card enabled?&lt;/p&gt;</description></item><item><title>Blog Post: Mobile Takes Center Stage with Client Executives at IBM Pulse 2013 </title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/lynn-price/archive/2013/03/18/mobile-takes-center-stage-with-client-executives-at-ibm-pulse-2013.aspx</link><pubDate>Mon, 18 Mar 2013 15:10:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:316</guid><dc:creator>Lynn Price </dc:creator><description>&lt;p&gt;The world has gone mobile. If there was any remaining doubt, it became readily apparent as CIOs, CISOs, and other sundry executives stepped onto the vast center stage at the &lt;a href="http://www-01.ibm.com/software/tivoli/pulse/followup.html" target="_blank"&gt;IBM Pulse Conference&lt;/a&gt;, and touted their latest prowess in the mobile platform. They cited case after case of its enabling capability to leap-frog their competition.&amp;nbsp; This esteemed group represented every industry from Transportation and Trams, to Healthcare and Patient Care, to Banking and the Mobile Wallet/Payments.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;The opening act was an executive of Yarra Trams, telling the story of the reinvention of an aging trolley-like business over 100 years old to an award winning &amp;ldquo;learning and adaptive&amp;rdquo; transportation system. One of the more noteworthy enabling technologies is a GPS enabled mobile application that notifies passengers of their current train status.&amp;nbsp; Complementing the application is a Twitter/Facebook utility which gives minute by minute updates of any track or connection problem. 
Passengers along their way can take photos/Instagrams of any graffiti en route, and instantly upload them to a management center to generate a work order.&amp;nbsp;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;These stories were exhilarating to say the least. While it is easy to think that innovation and security are mutually exclusive, there is much evidence both can coexist.&amp;nbsp; Innovation can be created responsibly.&amp;nbsp; As these mobile applications go viral, responsible innovation protects and secures the data hurtling throughout the ecosystem. &amp;nbsp;&lt;/p&gt;  &lt;p&gt;Pivoting to an announcement from the previous week: news headlines reported that the FTC had filed a legal suit against a manufacturer of mobile devices for not designing its products with security in mind.&amp;nbsp; This set a new precedent for mobile device manufacturers, not the application/platform developers. &amp;nbsp;The company must not only immediately develop a security program that was clearly lacking, but also face 20 years of third-party assessments of that program.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Privacy guidelines and security practices are just now being established by regulating bodies.&amp;nbsp; One of the better guidelines for the mobile ecosystem is published by the State of California.&amp;nbsp; With Silicon Valley in their territory, they play a weighty role in establishing recommendations.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;The document, titled &amp;ldquo;&lt;a href="http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf" target="_blank"&gt;PRIVACY ON THE GO&lt;/a&gt;&amp;rdquo;, published in January of this year, should be in the toolkit of forward-leaning businesses in this mobile world. 
&amp;nbsp;Implementing a robust security program that follows not only these guidelines, but those of a traditional practice, pays huge dividends down the road.&amp;nbsp;&lt;/p&gt;</description></item><item><title>Blog Post: Don’t Get Me Started: A Quantum of Security Solace</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/andy_bochman/archive/2013/03/14/don-t-get-me-started-a-quantum-of-security-solace.aspx</link><pubDate>Thu, 14 Mar 2013 15:52:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:315</guid><dc:creator>abochman</dc:creator><description>&lt;p&gt;Recent tech news trumpets the advancement of quantum cryptography (QC) to secure the Smart Grid. I watched the Academy Awards this year (not normal) and found a whole bunch of Bond (James Bond) running through it, including performances of Goldfinger by the great &lt;a href="http://en.wikipedia.org/wiki/Shirley_Bassey"&gt;Shirley Bassey&lt;/a&gt; and the latest Skyfall theme by Adele.&lt;br /&gt; &lt;br /&gt; So into this mix, the quantum crypto news of course triggers a recent 007 echo, but also more than a subatomic particle of concern: that in a search for a silver security bullet the Federal government and some utilities are going to be tempted to leapfrog the basics. &lt;br /&gt; &lt;br /&gt; A colleague had forwarded me this &lt;a href="http://www.tomshardware.com/news/science-security-quantum,21130.html"&gt;article on QC&lt;/a&gt; the night before. Here are a couple of its claims: &lt;br /&gt; &amp;ldquo;According to the press release, single photons were employed to produce secure random numbers that served as cryptographic keys between users. These random numbers were used to authenticate and encrypt the grid control data and commands&amp;rdquo;. &lt;br /&gt; &lt;br /&gt; and ... 
&lt;br /&gt; &amp;ldquo;The scientists said that their system could be deployed with only a single optical fiber to carry the quantum, single-photon communications signals; data packets; and commands.&amp;rdquo; &lt;br /&gt; &lt;br /&gt; I think I get it, and if I understand correctly, versions of this technology are already deployed in certain 3-letter agencies. Though from the outside it&amp;rsquo;s probably going to be difficult to tell how effective and practical it is.&lt;br /&gt; &lt;br /&gt; But my &lt;i&gt;don&amp;rsquo;t-get-me-started &lt;/i&gt;security gripe goes as follows: let&amp;rsquo;s start with the concept of security maturity, in which the flow goes like this:&lt;/p&gt;  &lt;p align="center"&gt;&lt;br /&gt; Crawl - Walk - Run - Fly - Quantum cryptography&lt;/p&gt;  &lt;p&gt;&lt;br /&gt; Reminds me of the many talks I&amp;rsquo;ve had with electric utilities, as well as government agencies and companies in every sector, who are really trying to get the basic fundamentals right. &lt;br /&gt; &lt;br /&gt; For example, this mock exchange from my own security terra firma - application security: &lt;/p&gt;  &lt;p style="margin-left:30px;"&gt;&lt;br /&gt; Q: How many apps do you have? &lt;br /&gt; A: Don&amp;rsquo;t know.&lt;br /&gt; &lt;br /&gt; Q: What are the top 10/20 most critical to biz/ops? &lt;br /&gt; A: Don&amp;rsquo;t know.&lt;br /&gt; &lt;br /&gt; Q: What essential business processes depend upon them?&lt;br /&gt; A: Don&amp;rsquo;t know.&lt;br /&gt; &lt;br /&gt; Q: How do you secure them? &lt;br /&gt; A: We do periodic pen testing of some of our apps.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p&gt;Overly obvious point being: if your org is trying to master crawling and move on to walking with a future eye on running, you shouldn&amp;#39;t be distracted by thinking about quantum anything yet. 
There are bigger (or in other words, more fundamental) fish to fry.&lt;br /&gt; &lt;br /&gt; This year my focus is on Security Governance, Security Situational Awareness, Security Architecture, Operational Technology (OT) Security, and Emergency Response. I don&amp;rsquo;t want to be distracted by gee-whiz technology and don&amp;rsquo;t want the companies I care about to be either. In my experience with security, starting with the &lt;a href="http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria"&gt;Orange Book&lt;/a&gt; for mainframes which I referenced in Air Force and Navy source selections 25 years or so ago, this business is 90% people/culture and 10% technology. &lt;br /&gt; &lt;br /&gt; Get the people doing the right things and the technology can play its part. If the humans aren&amp;rsquo;t on board, all the cool tech in the world isn&amp;rsquo;t going to save you from Dr. Evil. &lt;br /&gt; &lt;/p&gt;</description></item><item><title>Blog Post: IBM Pulse 2013 and the Security Blueprint</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/martin_borrett/archive/2013/03/12/ibm-pulse-2013-and-the-security-blueprint.aspx</link><pubDate>Tue, 12 Mar 2013 17:22:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:314</guid><dc:creator>Martin Borrett</dc:creator><description>&lt;p&gt;February has been an interesting month for the Institute on a number of fronts. In Europe, we ran our first Board of Advisors meeting for a number of CISOs. Hosting the meeting in our own executive board room, I was reminded just how valuable the insight and networking opportunities were. There was a strong sentiment from the group that security should be part of every conversation across the business, that data loss is a big problem and while organisations can lock down databases, the challenge is how to secure the data once it has been accessed and used in another form, a spreadsheet, in an email etc. 
There was considerable discussion around the use of mobile devices and the pressure to support&amp;nbsp;&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/vijay_dheap/archive/2012/05/02/mobile-security-what-is-a-ciso-to-do.aspx" target="_blank"&gt;BYOD&lt;/a&gt;. I&amp;#39;m looking forward to continuing to work with these organisations during the course of the year to help them address these challenges.&amp;nbsp;&lt;br /&gt; &lt;br /&gt; Just last week I returned from Pulse in Las Vegas. This year, the Pulse conference was bigger and more successful than ever with more than 8000 people in attendance. For the second year running the event had a dedicated security stream. It was great to see over 1000 people attending the security kick-off session where Brendan Hannigan, Kris Lovejoy and Tony Spinelli (Equifax) shared their perspective on the current security challenges organisations face and successful approaches to tackle them. There was a strong theme around security intelligence and the need to apply this to all domains of security: people, data, applications and infrastructure.&amp;nbsp;&lt;br /&gt; &lt;br /&gt; Kris Lovejoy shared some interesting and thought-provoking data points on stage. IBM&amp;#39;s Managed Security Services (MSS) monitors tens of billions of events per day for more than 3,700 clients in more than 130 countries, 24 hours a day, and 365 days a year. This global presence provides our analysts with the wealth of data used to understand current threats and the Cyber threat landscape as a whole. Security intelligence is a vital part of an effective cybersecurity strategy. Insights generated from extensive security monitoring alert Chief Information Security Officers to current attacks, identify sources and suggest measures to block or mitigate those attacks. While analysing threats is critically important, it is only part of the story. 
A soon-to-be-published report based on this data is intended to ask the follow-up questions. How many attacks turn into incidents? What measures could have stopped them? And how do these trends vary from industry to industry?&amp;nbsp;&lt;br /&gt; &lt;br /&gt; One of the highlights of the main tent was Peyton Manning. Peyton is an American football quarterback for the Denver Broncos in the NFL and something of a football legend. Despite not being familiar with Peyton given my European roots and our love of another version of football, I found his speech inspiring and motivational. Peyton spoke at length about the importance of decision making and the approaches he took to improve it. This included the use of research and intelligence, which reminded me very much of our recommended approach to the security challenges we face. I&amp;#39;ve often heard it said that it is important to make a decision, and even that a bad decision is better than no decision at all. Peyton spoke to the importance of making a decision, sticking with it, believing in it and making it the right decision through will and effort; inspiring words.&amp;nbsp;&lt;br /&gt; &lt;br /&gt; Finally, as the custodian of the &lt;a href="http://www.redbooks.ibm.com/redpieces/abstracts/sg248100.html?Open" target="_blank"&gt;IBM Security Blueprint&lt;/a&gt; and sponsor of this initiative I am delighted to announce the latest edition of the IBM Security Blueprint. It follows the tremendous success and interest from clients around the world in the second edition, which was downloaded more than 21,000 times. It has been used by many clients and their security professionals. The need for a structured and well founded approach to security capabilities is something, our clients tell me, that is vital in this era of&amp;nbsp;&lt;a href="http://instituteforadvancedsecurity.com/global_branches/europe-institute/m/mediagallery/31.aspx" target="_blank"&gt;Cyber threats&lt;/a&gt;&amp;nbsp;and rigorous regulation. 
The initial idea for this third version of the IBM Security Blueprint started during informal discussions with clients and colleagues at the Pulse conference one year ago. I remember during an early breakfast meeting in Brussels between Stefaan Van Daele and myself, discussing the scope of the possible areas for both improvement and additional content. This ultimately resulted in the building of an international team with broad experience in many different security domains and team members that contributed from all over the world. This updated version represents a significant step forward in describing and explaining the IBM Security Blueprint approach. There is additional detail, use cases and insight into other industry frameworks. I am proud of the result of this collaboration and I have to say that such efforts rely on the passion and commitment of a number of IBMers, and this version is no exception. I want to say a big thank you to the team, and in particular thanks to Axel Buecker for keeping this project on track with his extensive publishing experience and great work on security at the International Technical Support Organization.&lt;/p&gt;</description></item><item><title>Blog Post: The Rise of the Data Scientist in the Security Environment</title><link>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/lynn-price/archive/2013/03/11/the-rise-of-the-data-scientist-in-the-security-environment.aspx</link><pubDate>Mon, 11 Mar 2013 13:00:00 GMT</pubDate><guid isPermaLink="false">791ebe7a-010e-46b6-86b5-b0b4ea32e0ac:blog:312</guid><dc:creator>Lynn Price </dc:creator><description>&lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-70/7607.LynnPrice_5F00_DataScientistPost_5F00_3_2D00_11_2D00_2013.png"&gt;&lt;img 
src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-70/7607.LynnPrice_5F00_DataScientistPost_5F00_3_2D00_11_2D00_2013.png" width="250" alt=" " style="float:left;margin:3px;" /&gt;&lt;/a&gt;It was nearly 1.8 million years ago when man&amp;rsquo;s cognitive development reached a pivotal milestone in that he could coordinate and shape complex information. For the first time, man demonstrated his spatial&amp;nbsp;concept skills and created tools of his own design: axes and cleavers. Monkeys couldn&amp;rsquo;t do this; they could only use tools such as sticks to ferret out ants. This leap distinctively separated man from the monkey.&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;The Data Scientist&lt;/b&gt;&lt;/h2&gt;  &lt;p&gt;We are again entering a new era and it&amp;rsquo;s the dawn of Big Data. &amp;nbsp;Man has invented new tools and technologies that can reshape information in ways that were previously inconceivable.&amp;nbsp; &amp;nbsp;Tools like Hadoop can be exploited to their greatest value by those who also have a capacity to transform data. &amp;nbsp;&amp;nbsp;Today&amp;rsquo;s evolved data scientists can demonstrate their knowledge of statistical and mathematical algorithms, linear algebra, data structures design, system optimization, and architecture.&amp;nbsp;&amp;nbsp; These Data Scientists are able to employ skills and technology in the real world of finance to stop fraudulent consumer transactions in real time.&amp;nbsp; &amp;nbsp;They are able to predict with a high degree of certainty which employees are likely to commit crimes against their employers.&amp;nbsp; They are able to reconstruct Advanced Threat attacks that are so complex that most go undetected by traditional means.&amp;nbsp; They are able to cross the ubiquitous banking channels and see a digital diversion at the front door and a data thief at the back door. 
The possibilities are limited only by the imagination.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-70/6371.LynnPriceDataScientist_5F00_3_2D00_11_2D00_2013.png"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-70/6371.LynnPriceDataScientist_5F00_3_2D00_11_2D00_2013.png" style="float:left;margin:2px;" width="300" alt=" " /&gt;&lt;/a&gt;In a time when there is already a skills shortfall of security professionals, organizations are in a position where they have to prioritize their needs.&amp;nbsp; As Big Data transforms security, enabling defenders to contend with a highly advanced threat environment, the role of data scientists must move to the top of this list.&lt;/p&gt;  &lt;p&gt;As the sector marches forward in a time when the amount of data it analyzes doubles every year&lt;sup&gt;1&lt;/sup&gt;, the placement of this role in a holistic position comes none too soon. &amp;nbsp;&lt;/p&gt;  &lt;p&gt;The general definition of the data scientist is someone who collates disparate data, discovers commonalities, and presents them to invested business entities. &amp;nbsp;These excogitative folks have long been part of the business, mostly in the business intelligence arena such as investment trading, credit risk assessments, and portfolio management. &amp;nbsp;&lt;/p&gt;  &lt;p&gt;One of the questions organizations must answer is where to find these rare skills, and whether to reach within the organization or to outsource them.&amp;nbsp; In-house resources have a striking benefit with their knowledge of the existing business intelligence.&amp;nbsp; The business can leverage this experience with a significant payoff in their mission to herd, merge, and massage structured and unstructured data from different silos and venues. 
&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;Data Quality&lt;/b&gt;&lt;/h2&gt;  &lt;p&gt;There is evidence that many of today&amp;rsquo;s organizations do not have quality data, which can lead to inaccurate conclusions.&amp;nbsp; Businesses must ensure they are collecting data from all viable resources, including cloud, web, and mobile, or the analysis risks being skewed.&amp;nbsp; Most organizations must also provision a structured team of data quality analysts with a broad view of the business.&amp;nbsp; To ensure success of the data scientist, there must be a data quality program, whose mission is to ensure the data is understood and accurate.&amp;nbsp;&lt;/p&gt;  &lt;h2&gt;&lt;b&gt;Big Data Technology&lt;/b&gt;&lt;/h2&gt;  &lt;p&gt;To further ensure the success of the data scientist, organizations must have supporting tools and technologies that embrace the power of data with its soaring volume, velocity, and variety.&amp;nbsp; There are two main technologies that have much improved performance and computing capabilities: Hadoop and Streams.&amp;nbsp; Working together, they allow the union of disparate data, and the interrogation of data at rest and in motion.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;If organizations are responding to their CEO imperatives to amplify their analytics capabilities, they can best position their track for success through the skills of security data scientists, the data quality team, and the right technology platforms.&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;sup&gt;1&lt;/sup&gt; Gartner - &lt;i&gt;Information Security Is Becoming a Big Data Analytics Problem&lt;/i&gt;, written by Neil MacDonald, March 2012&lt;/p&gt;</description></item></channel></rss>