Pinnacle Group Security Solutions
Implementing and managing a tightly secure environment is difficult and generally requires a significant resource commitment. We can help you address your security and compliance needs by providing full scope penetration testing, outsourced security staff and services, compliance preparation, and security program creation and strategy.
Data Breach Digest
The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually across the globe. In 2015, we were retained to investigate more than 500 cybersecurity incidents occurring in over 40 countries. In 2008, the results of our field investigations were the genesis of the first Data Breach Investigations Report (DBIR), an annual publication that dissects real-world data breaches with the goal of enlightening the public about the nature of the threat actors behind the attacks, the methods they use, including the data they seek, and the victims they target.
Our incident data corpus, which contains a wealth of breach information from over 70 contributors, has fueled eight years of DBIR reporting (to include this year's ninth DBIR). VERIS has allowed us to analyze this data to uncover the actors, actions, assets, and attributes involved in the incidents. While the DBIR focuses on trends and patterns found in an aggregated incident data set, the Data Breach Digest (DBD) gets you closer to the action. With the DBD, we're leveraging VERIS like never before. We're lashing up the cold, hard VERIS metrics to our on-the-ground casework experience. Essentially, we have opened our case files, and are giving you a first-hand look at cyber investigations from our experiences—a view from the field.
9 Top Security Breaches and How to Prevent Them From Happening to Your Business
Lapses in basic security measures continue to result in attackers compromising sensitive data. Password hacks, malware, and phishing have grown every year, resulting in the theft of intellectual property and exposure of sensitive customer data. These attacks endanger reputations and threaten a business's ability to serve customers. It's clear you need to protect your enterprise.
Forrester Wave Report: Security Analytics Platforms Reviewed
In our 36-criteria evaluation of security analytics (SA) providers, we identified the 11 most significant ones — BAE Systems, E8 Security, Fortinet, Hewlett Packard Enterprise (HPE), Huntsman Security, IBM, Intel Security, LogRhythm, RSA, Securonix, and Splunk — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk (S&R) professionals make the right choice.
2017 End User Security Survey
The Dell End-User Security Survey paints a picture of a workforce caught between two imperatives: be as productive and efficient on the job, and maintain the security of company data. To ease the friction between these competing goals, companies must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity. We hope these findings are illuminating for both security and IT professionals, as well as business managers tasked with safeguarding data and ensuring productivity for the organization.
ISMG Report: 2016 Mobile Security Business Transformation Study
Ninety-nine percent of the enterprise workforce currently uses mobile devices – smart phones and tablets – to perform their jobs today. And nearly 60 percent of security leaders describe their organizations as either partially or fully mobile, deriving enhanced productivity and other business benefits. But 63 percent also say that mobility comes with a greater number of security risks and concerns than expected. And 59 percent say more IT resources are required to support the increased number of devices and applications. These are among the key findings of the 2016 Mobile Security & Business Transformation Study, which examines how mobility has transformed how enterprises conduct business. In this study, respondents detail:
• The impact of mobility on global enterprises;
• How mobility has truly transformed how enterprises conduct – and secure – business;
• The current state of mobile security, and how enterprises will improve it in 2016.
Managed Services Perception vs Reality Infographic
Even though managed services have a multi-year, proven track record, some business managers still hold on to the same old perceptions. We think it’s time for a reality check.
Technology Experts Foreshadow Technology's Future
Technology is moving so quickly, predictions for next year already are losing relevance. A more distant view is now required to stay ahead of the curve. Short-term trends come and go, but the true impact of mobility, Big Data and the cloud still remains to be seen. That’s why we asked some experts to weigh in on their long-term predictions for business technology. So 2020, here we go. Or rather, here we come.
The Pinnacle Group is Your Answer for Security Questions
Is your organization prepared for a cyber attack? Watch this video to learn how we make sure you are prepared!
Top 15 Security Predictions for 2017
Looking into the crystal ball
It is once again, as the song doesn’t quite say, “the most predictive time of the year.” Not that anybody knows for sure what will be happening even a month from now, never mind six months to a year. But that does not, and should not, stop organizations from trying. The way to get ahead and stay ahead, especially in online security, is to look ahead. So here are some of the best guesses about what we will see in 2017 from several dozen vendors and analysts. There are many more than 15 predictions out there, of course, but these are the ones we heard most frequently.
Internet of malicious things (Portnox, BitSight, Juniper Networks, HP Enterprise, TrapX Security, Netskope)
Internet of Things (IoT) devices – everything from consumer devices to smart meters, medical devices, automobiles and more – have already been conscripted as zombie troops for cyber attackers, due to their limited computing power and the firmware running on them, which in many cases can’t be patched or updated. This will get much worse in 2017, given that too many organizations still aren’t inspecting their most commonly used apps for malware, enabling everything from DDoS attacks to Trojans to serving as entry points into enterprise networks for other attacks like ransomware and APTs. IoT winners will be those that can code their own solutions to ensure their products are secure.
Crimeware at your service (HP Enterprise)
Rookie hacktivists and hobby hackers, driven by pop-culture references and increased media attention, will increasingly get into the cybercrime game. They will use off-the-shelf tools for nuisance attacks like web defacement and port scans, plus more damaging attacks through DDoS as a service and Ransomware as a Service (RaaS). While these adversaries won’t have the skills for lateral movement, their attacks could be costly and cause reputational damage to the company brand.
DDoS: Weapon of mass obstruction (Symantec, HP Enterprise, BitSight, Cloudflare)
DDoS attack firepower in 2016 increased to frightening levels – rising from 400Gbps bandwidth to 1Tbps or more becoming the norm – thanks to millions of IoT devices lacking even basic security. These attacks require specialized protection that very few organizations in the world today can provide. That firepower will be used sometime in 2017 to take down critical infrastructure and even the internet infrastructure of whole countries in support of a physical military attack.
(Nubeva, Symantec, enSilo, ZL Technologies)
Financial institutions have been slow to adopt the cloud. However, with more regulations, compliance, and better security features in the cloud, more of these companies will no longer be able to ignore its benefits, will start testing the cloud on workloads and move some services beyond just the corporate data center. More businesses will allow a dispersed workforce to introduce wearables, virtual reality and IoT-connected devices onto the network, supported by cloud applications and solutions. But enterprises will need to shift their security focus from endpoint devices to users and information across all applications and services to guard against ransomware and other attacks. Cloud Security-as-a-Service will cut the cost of purchasing and maintaining firewalls. However, some will find that the risk of security breaches means they will decide to keep their data “on the ground.”
(ThetaRay, Kaspersky Labs, RSAC Advisory Board, Symantec, Fireglass)
Cyber espionage, already rampant with Chinese theft of US intellectual property and the OPM hack, plus Russia’s suspected role in seeking to interfere with the US presidential election, will continue to expand across the globe.
Drones will be used for espionage and attacks as well, with efforts beginning to hack into drone signals and allow “dronejacking” in a few more years. As was the case in 2016 with the Trident incident, which leveraged mobile browser vulnerabilities and the latest iOS JPEG zero-day, more espionage campaigns will target mobile, benefiting from the security industry’s struggle to gain full access to mobile operating systems for forensic analysis.
Hack the vote, the campaign and the candidates (Portnox, Sonus Networks, BitSight, Area 1 Security, RSAC Advisory Board, CrowdStrike)
Expect more Wikileaks-style releases of embarrassing photos and corporate documents, through hacking of SS7 and Diameter networks that will allow exploitation of mobile phone location and conversation data. Hacking will become a common technique for opposition research that will trickle down from the presidential election to House, Senate and state contests. The damage to public figures could range from embarrassment, like the hack of the Democratic National Committee, to physical danger from the use of location data to launch a physical attack. The US response will become more aggressive, to include not just cyber tactics but also diplomatic, law enforcement, economic and other policy means.
(Portnox, Contrast Security, Kaspersky Labs, TrapX Security, Aperio Systems)
Think takedowns of traffic lights, portions of the power grid, water systems, etc. – they might not cause catastrophic damage, but they will disrupt daily life. But in some cases, the damage could be significant, through the use of data forgery. In response, we will likely see a major retaliatory cyber action from the US government.
But because of attribution difficulty with cyberattacks, made even more difficult through the widespread use of misdirection (generally known as false flags), there will be considerable ambiguity about the attacker’s identity.
Open season on open source (Black Duck)
Open source has become the foundation of global app development because it reduces development costs, promotes innovation, speeds time to market and increases productivity. But hackers have learned that applications are the weak spot in most organizations’ cyber security defenses, and that companies are doing an abysmal job of securing and managing their code, even when patches are available. That means open-source vulnerability exploits deliver a high ROI. And those exploits will increase in 2017 against sites, applications, and IoT devices.
(Area 1 Security, BitSight, Exabeam, Risk Strategies Company, Arctic Wolf)
After spending $81.6 billion on security technology in 2016 (Gartner), and still seeing breaches continue and ROI on security solutions hitting all-time lows, companies will figure insurance is a better bet. But insurers, while happy for the added business, won’t be handing out claims money easily. They will begin developing programs that drive better security hygiene, offering incentives for better detection and incident response capabilities, much like health insurance providers with no-smoking policies or discounts for gym memberships. And, as attacks become more common and damages more widespread, some insurers will cut back their cyber liability offerings.
(Area 1 Security, Symantec)
It is long established that employees are the weakest link in security. Nearly all enterprise hacks begin with phishing, in spite of employee training conducted on security best practices – workers are human, and therefore, will always be fallible.
Organizations will reframe the way they approach cybersecurity accordingly. But they will need to pay closer attention to the rise in popularity of free SSL certificates paired with Google’s recent initiative to label HTTP-only sites as unsafe. That will weaken security standards, driving potential spear-phishing or malware programs.
(Kaspersky Labs, Contrast Security, Aperio Systems, Exabeam, Arctic Wolf, TrapX Security, enSilo, Netskope, Fidelis Security)
Ransomware will continue to increase, evolve, get stealthier and use automation to attack the cloud, medical devices like MRI machines and pacemakers, critical infrastructure and mission-critical servers. It is a superior “economic model” for cyber criminals, since organizations understand that it would cost a small fortune to shut down an entire operation, so they are more likely to give in to the extortion. “Ransomworms” will also rise – malware that not only encrypts files but leaves code in place to guarantee some repeat business. However, the unlikely “trust” relationship between ransomware victims and attackers – based on the assumption that payment will result in the return of data – will decline as a lesser grade of criminal enters the space.
(Kaspersky, Contrast Security, Venafi)
Government surveillance will increase and become more intrusive, through use of the kind of tracking and targeting tools used in advertising to monitor alleged activists and dissidents. In the wake of the conflict between Apple and the FBI, there will also be increased attacks on encryption by intelligence agencies, which will argue that encryption keys are necessary to find and confront terrorists. 2017 will be a pivotal year in the 25-plus-year debate about information, privacy, and security.
Gentlemen, start your attack surfaces (Symantec, Black Duck)
Modern cars, typically containing more than 100 million lines of code, are increasingly intelligent, automated, and most importantly, Internet-connected. But carmakers don't know exactly what software is inside their vehicles because it comes from third parties and almost certainly contains open-source components with security vulnerabilities – a target-rich environment for hackers. This will likely lead to a large-scale automobile hack, which could include cars held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other threats. This will also lead to a legal battle over liability between the software vendor and auto manufacturer.
(Datavisor)
Fakers are already a problem – users who download your app, log in regularly and even make purchases might not be real. And with the decreased effectiveness of CAPTCHAs, SMS and email verification are also becoming an easy barrier to overcome for fraudsters opening fake accounts. This will get worse in 2017 as advertisers and ad platforms adopt more sophisticated tracking technology and fraudsters become more experienced at mimicking the behavior of real users. In response, there will be increased scrutiny on account openings, with demands for additional proof that a new account is legitimate.
Skills gap? Use automation (Tufin, Juniper Networks)
With the security skills gap approaching Grand Canyon dimensions, organizations will look to automation so skilled workers won’t have to waste time on manual, mundane responsibilities and regularly performed duties. This should give IT pros more time to focus on what really matters. Automation will also help the pros to do their jobs more effectively. They will receive fewer notifications with more relevance, relieving them of the manual task of hunting through a sea of alerts to find the truly malicious ones.
Dangerous Assumptions That Put Enterprises at Risk
The adage about what happens when people make assumptions is one that many in security would be wise to recall. Worse than making a donkey of themselves, security practitioners that make assumptions put the enterprise at risk.
Andrey Pozhogin, cybersecurity expert at Kaspersky Lab, said thinking they’re protected from DDoS attacks is one of the most dangerous assumptions businesses make. A recent Kaspersky Lab survey found that 40 percent of organizations fail to put preventative measures in place because they think their Internet service provider will protect them. In addition to those that assume their ISPs are protecting them, the survey found an additional one-in-three (30 percent) think their data center or infrastructure partners will protect them.
Pozhogin said, "While these organizations mostly protect businesses from large-scale or standard attacks, they will not suffice to protect against ‘smart’ attacks, like those using encryption or replicating user behavior."
On the surface many of the assumptions people make don't seem too dangerous, but they can lead to a breach. The survey found that a third of organizations fail to take any type of preventative action because they think they won’t be affected by these attacks. In reality, Pozhogin said, "Any company can be targeted by a DDoS attack at any time, especially since these attacks are easy for cybercriminals to launch. It’s not a matter of if it will happen, but when it will happen."
Making assumptions happens across the production lifecycle of a company, said SafeBreach CTO & co-founder Itzik Kotler. They make assumptions with everything from password policies to their security architecture. Depending on how a company states the complexity of its password policy, it could be handing out clues to hackers.
"They assume that password complexity keeps them safer, but if they state that every password must begin with a digit and have five letters, they’re giving the hackers a hint about what should be the first key of a password," Kotler said.
In the broader picture, many businesses make dangerous assumptions in the way they think about architecting their security. "There is this assumption that they must do this or that to be secure. For example, they assume that if everything is done over SSL that they are protected," Kotler said.
What is most dangerous about that assumption is that they are not thinking about whether there are other ways around it, said Kotler. "What are all the other ways a hacker can try? They believe they are designing the best ways and those assumptions become poison."
They assume their connection is secure, but in reality that’s not always going to be the case. "The idea that users are behind a firewall, so they are safe makes a company believe they are not at risk, but hackers will work around it," Kotler said.
In addition to believing that their security solutions will protect them, many companies make the dangerous assumption that if they are compliant, they are secure, said Chris Camacho, Flashpoint's chief strategy officer. "They think because they've invested in security, brought in a top consultant, and checked boxes, that they are secure, but they have done nothing to secure the operational network and overall security operations," Camacho said.
Often when these companies incur an incident, they then ask why they didn’t detect it or get an alert or have any details. "Usually an organization was prepared to meet regulatory compliance, not security," he said.
So what do enterprises need to do in order to avoid the potential harm that can come from making these assumptions? "Start by hiring the right people," said Camacho. "Yes they need security, policy, governance, and risk people, but they also need SOC managers, network admins, people for anything that was 'operations' in the past. It's about having the right team."
A return to the basics will also allow them to see where they need to invest in their core network infrastructure. "Do they have a network firewall that hasn’t been updated? These need constant updates. Roles need to be updated. It’s so basic and trivial no one thinks of it until they have an incident," said Camacho.
One assumption that larger enterprises often make is that if they invest in a lot of technology, they are going to be secure. "They forgot the basics," Camacho said. If they are not scanning the network to see what holes exist, they won't have awareness around what is happening.
What might be one of the most dangerous assumptions that companies make is believing that the digital world is analogous to the physical world. It's not, said John Kindervag, vice president and principal analyst at Forrester Research. "The idea that they are too small, and no one will ever want to hack them or they don’t have anything that anybody wants. These are some of the ideas that people don’t understand about the digital world," said Kindervag.
A big assumption now is that geography actually matters in the world of data security, which Kindervag said is probably an idea out there that helps drive employment. "They can build data centers and hire people so that the data will never leave Germany. That’s not the way an internet router works. It doesn’t respect geographical borders."
In order to best defend themselves against attacks, they need to both understand the digital world and eliminate trust. "The idea that people can be trusted is a dangerous assumption. As soon as you add trust to the mix, that actually creates a lot of problems," Kindervag said. Trust, in both people and solutions, doesn’t actually exist in the digital world. "We can have confidence in a system—allow a system to work in a different way, but we don’t want to be complacent. The big thing that we do is anthropomorphize the digital world," said Kindervag.
Trying to liken the digital world to the analog world leads us to misunderstanding. The desire to identify the perpetrator of an attack is one example. This sense that knowing who did this matters is misguided, said Kindervag. "If it's a digital crime, they have choices. Investigate to figure out what happened or get back to work and get the systems up and running."
After they get back up and running, there’s a lot of information that has already been lost. "To go back six months later and do forensics and hunting, that’s not ultimately helpful. If they find one attacker, they don’t find them all. If they find one threat, they don't find them all," said Kindervag.
Protection, then, has to move closer to the assets they are trying to protect and away from trying to identify who committed the crime. Equate cybersecurity to the Secret Service, said Kindervag. "Come in really close and protect what needs to be protected. What data do we have, where is it, who has access to it at any given time?"
Despite the potential for damage and loss that comes with making these assumptions, Kindervag said, "I’m always amazed at how well things work. Having watched it from its infancy, I’m amazed. Even the problems we have with cyber crime are pretty minimal and manageable problems."
What the Florida ruling on passwords actually means for security leaders
Right as we got ready to break for the holidays and a new year, the headlines in the tech world filled up this week with news that a Florida court ruled a defendant in a criminal case must turn over his password to unlock his phone.
Wait. What?
A few years ago, we touched on this topic in After this judge's ruling, do you finally see value in passwords? It was after a judge ruled authorities could use your fingerprint to unlock your smartphone. Based on the nuance of the situation, it built a strong case for the continued use of passwords.
To make sense of what happened in Florida, I reached out to Shawn Tuma (LinkedIn, @shawnetuma), Cybersecurity & Data Privacy Partner, Scheef & Stone, L.L.P., to get his perspective. Initially, I was going to focus on exploring the implications of a decision in a state court. The concept was predicated on the notion that the judge got it wrong and this was an overreach. After all, don’t we have precedent to stand on?
But then Shawn called me to share some excitement. Based on a more thorough review, he discovered that the Florida court dove into the core of the issue and considered carefully the opinion they issued.
“It’s not for me to decide whether the court got it right or wrong. What matters is that the court did provide a well reasoned decision that looked at prior precedent and built on the rationale of that precedent.”
First, it’s important to note the distinction between criminal and civil matters in exploring why the 5th Amendment matters.
Criminal versus Civil Cases and why the 5th Amendment Matters
A criminal case is brought by the state. It requires a higher burden of proof, but can also carry a higher penalty. That also means criminal cases have different protections (from the state). This includes the 5th Amendment. Among other things, it protects us against self-incrimination.
And that matters when it comes to things we know versus things we have.
As Shawn explained in After this judge's ruling, do you finally see value in passwords?
Did you know the US legal system makes a distinction between something you have and something you know? If you lock a safe with a key, the authorities can obtain authorization to take the key (something you have) and open it. However, if you locked the safe using a combination (something you know), that information is protected under your Fifth Amendment right to avoid self-incrimination.
What that means is that something you have, a key, can be taken and used against you. While something you know, a combination, can ultimately be compelled by a judge. Even then, you have rights -- and a decision -- to comply or not.
Traditionally, this means that while the state can compel you to provide a physical key -- and now a biometric -- to unlock a safe or other device, it cannot require you to divulge a combination or password. That’s because revealing the password is akin to testifying against yourself. And the Fifth Amendment protects us against testifying against ourselves.
What happened in Florida
You can read the full opinion here for background on the circumstances of the case. The prosecutors looked at the underlying precedent to argue that supplying the passcode to the device is not actually testifying against yourself. The judge agreed.
While most of the tech world lamented the mistaken nature of the court, Shawn Tuma read through the opinion and made an interesting discovery:
"The Fifth Amendment privilege protects an accused from being compelled to testify against himself, or otherwise provide the state with evidence of a testimonial or communicative nature." (citing Schmerber v. California, 384 U.S. 757, 763 (1966))
"The word 'witness' in the constitutional text limits the relevant category of compelled incriminating communications to those that are 'testimonial' in character."
Tuma notes the importance of understanding the phrase “‘testimonial’ in character.”
"[I]n order to be testimonial, an accused's communication must itself, explicitly or implicitly, relate a factual assertion or disclose information. Only then is a person compelled to be a 'witness' against himself."
Tuma explained that the point here is the concept of substantive value. The case then explores the three prongs of protecting from self-incrimination (an interesting read) and suggests:
That is, "it is not enough that the compelled communication is sought for its content. The content itself must have testimonial significance."
Tuma noted that this is the key point and reframes it as “Does the testimony go to evidence of elements of the charge - or just how you get to such evidence?” He continues by explaining, “it’s the difference between taking ‘testimonial’ from how it is communicated versus what is being communicated.”
In the past, the protection centered simply on the how instead of exploring the substantive value of what was communicated. In this case, the prosecution successfully argued that the what was as important.
Tuma clarified the principal difference as “The mind has to be extensively used in creating the response or relate him to the offense.”
What it means for security leaders
While the specifics and nuances of this case made the argument valid (at least for now), this clearly demonstrates how the law evolves, even with the precedent previously set.
As Shawn pointed out, “it's really a pretty easy approach to understanding law – each case builds on something else and usually there's only one or two lines in a case that really turn it one way or the other. It's just a matter of figuring out where that is."
When we ponder “How does the law adapt to new technology?” This is how.
Tuma summarized the importance of this opinion by explaining, “the methodology that the court used provides a nice example of the evolution of law through the common law method -- which is how the law has traditionally adapted to address new issues."
This is how we advance for better and for worse. It’s a lengthy process. We have a role in it, too. Make time to sit with your legal team to discuss the case and explore implications for your organization. Learn from their experience and offer your insights, too. This way we all get a bit better.
What do you think? Did the court get it right? How do you see this evolving, and why? Sound off in the comments below or take it to twitter (@catalyst, @shawnetuma).
5 signs we're finally getting our act together on security
The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, attackers come up with something new and we are right back to trying to figure out what to do next.
For example, ransomware has surged in the last year. Although that kind of malware has been around for years, the current model of encrypting user files to hold data hostage came about just recently. Infections quadrupled in 2016, with the FBI estimating an average of 4,000 attacks a day. A recent IBM survey of 600 business leaders in the United States found that one in two had experienced a ransomware attack in the workplace, and that companies paid the ransom 70 percent of the time. As a result, criminals are on track to make nearly $1 billion this year from ransomware, IBM X-Force said.
And there’s been seemingly no end to hackers getting into corporate databases. Just ask Yahoo. Or the Democratic National Committee. Even the FBI was able to find a firm to hack into the Apple iPhone 5c, which for a while seemed unhackable.
For IT and security professionals, this endless firefighting gets exhausting. Old threats come back in new forms, and new attacks keep making the list of things to worry about even longer. Malicious Word macros are back. Exploit kits still love Flash. SMS text messages with one-time codes for second-factor authentication proved hackable. It all makes you want to give up and curl up in a dark corner. But 2016 wasn’t all bad news for enterprise security, and there are some wins that give hope for a more secure future.
1. We’re looking at passwords in a better light
Authentication, especially how we use passwords, was a recurring theme with every data breach. Yes, password reuse is still a problem and weak passwords like “password1” and “123456” are still a thing, but we are seeing more people use password managers to secure their online accounts and fingerprint sensors to lock their physical devices.
“Biometrics will no longer be seen as novel in 2017, but necessary,” said Daniel Ingevaldson, CTO of security company Easy Solutions.
There are fingerprint sensors on the market today with security features including TLS 1.2 and 256-bit encryption, anti-spoofing technologies, live-or-dead detection, and match-in-sensor architectures, said Anthony Gioeli, a vice president at Synaptics’s biometrics division. Apple has had hardware-secured fingerprint sensors in its mobile devices for several years, and now in its newest MacBook Pro. Samsung and Google use similar technology in their latest smartphones. And Microsoft has built in support for biometrics in Windows 10 and beefed up the security in this year’s Windows 10 Anniversary Update.
The National Institute of Standards and Technology is also tackling the problem. The draft version of the Digital Authentication Guideline document includes new guidance on password policies, such as allowing for longer passwords; allowing spaces and other characters; removing special-character requirements (such as what combination of letters, numbers, and non-alphanumeric characters must be used); and doing away with password hints. NIST also said in the draft that sending unique passcodes via SMS messages should not be used as part of a two-factor authentication scheme, and that stronger authentication schemes should be adopted. Although the guidance is still in draft form and the official public comment period doesn’t start until early 2017, IT departments can use it to start thinking about how to improve authentication, such as rolling out multifactor authentication and changing password requirements.
Another bonus: NIST’s Mary Theofanos said mandatory password changes don’t make sense, so IT departments can now work on alternative methods — and stop torturing users.
2. We may finally be taking IoT security seriously
Last year, we could see the ransomware wave coming.
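Returning to the NIST draft password guidance summarised under point 1 above, here is an added example (not part of the original article) that puts a legacy composition-rule policy beside a policy in the spirit of that draft: length is the main control, spaces and any printable character are accepted, there are no letter/number/symbol composition rules, and candidates are screened against a list of known-weak passwords. The minimum and maximum lengths and the blocklist contents are constructed assumptions for illustration.

```python
"""Legacy composition-rule password policy versus a NIST-draft-style policy.

Added example; the length limits and blocklist are assumptions, not values
taken from the article or from NIST.
"""
import re
import unicodedata

# Constructed blocklist of common/breached passwords. The article names the
# first two; a real deployment would load a large list from disk.
WEAK_PASSWORDS = {"password1", "123456", "qwerty", "letmein", "welcome1"}

LEGACY_MIN, LEGACY_MAX = 8, 16   # typical old policy: short maximum length
NIST_MIN, NIST_MAX = 8, 64       # assumed limits for the new-style policy


def legacy_policy(password: str) -> list:
    """Old-style composition policy.

    Returns the list of reasons the candidate is rejected (empty list means
    accepted). Note what it gets wrong: a long passphrase with spaces is
    refused, while a predictable 'Password1!' sails through.
    """
    problems = []
    if not LEGACY_MIN <= len(password) <= LEGACY_MAX:
        problems.append(f"length must be {LEGACY_MIN}-{LEGACY_MAX}")
    if " " in password:
        problems.append("spaces are not allowed")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    return problems


def nist_style_policy(password: str) -> list:
    """Policy modelled on the draft guidance described in the article.

    Length is the primary control, spaces and non-ASCII letters are fine,
    there are no composition rules, and the candidate is compared against a
    blocklist. Password hints are simply never collected, so there is
    nothing to check for them here.
    """
    problems = []
    # Normalise so that visually identical Unicode spellings are treated
    # the same way now and when the password is later verified.
    normalised = unicodedata.normalize("NFKC", password)
    if len(normalised) < NIST_MIN:
        problems.append(f"must be at least {NIST_MIN} characters")
    if len(normalised) > NIST_MAX:
        problems.append(f"must be at most {NIST_MAX} characters")
    # Reject control characters (Unicode category C*); everything printable,
    # including spaces and accented letters, is allowed.
    if any(unicodedata.category(c).startswith("C") for c in normalised):
        problems.append("control characters are not allowed")
    # Blocklist comparison is case-insensitive so 'Password1' is caught too.
    if normalised.lower() in WEAK_PASSWORDS:
        problems.append("password appears on the known-weak list")
    # A single repeated character ('aaaaaaaaaa') passes the length test but
    # is trivially guessable.
    if len(set(normalised)) == 1:
        problems.append("password is a single repeated character")
    return problems


def compare(password: str) -> dict:
    """Run both policies on one candidate to see where they disagree."""
    return {"legacy": legacy_policy(password),
            "nist": nist_style_policy(password)}


if __name__ == "__main__":
    # Constructed candidates covering the cases the two policies disagree on.
    for candidate in ["Password1!", "correct horse battery staple",
                      "Password1", "123456", "pässwörd ist gut"]:
        print(repr(candidate), compare(candidate))
```

Running it shows the mismatch the draft guidance targets: the 28-character passphrase is rejected by the legacy rules on three counts but accepted by the new-style check, while "Password1" satisfies the old length rule and is caught only by the blocklist.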
This year, it’s internet of things (IoT) security — or the extreme lack thereof — that is clearly on the horizon.

The distributed denial-of-service (DDoS) attacks this fall, which spread through home security cameras, VCRs, and other connected devices, took down the internet and seemed to be the industry wakeup call that finally worked. Made up of compromised IoT devices, the Mirai botnet launched large attacks against French service provider OVH, the website of security blogger Brian Krebs, and networking company Dyn.

The last time DDoS was the big story, it was about hacktivists and online pranksters targeting financial websites and other visible targets. This time, botnets are launching large, multivector attacks that can exceed 1 terabit per second — and interrupt internet access for millions. Security experts have been warning for some time about the millions of devices that are connected to the internet without even the most basic security features, so the Mirai attack shouldn’t have been a surprise. And with Mirai’s source code publicly available, it is safe to assume there are other IoT botnets waiting in the shadows to strike. With all these devices connecting to the internet, we are ripe for an IoT worm, said Lamar Bailey, senior director of security research and development at Tripwire. Fixing the problem will require a lot of coordination, creativity, and persistence, but perhaps people are actually seeing the risks.

The silver lining is that the Mirai attack was a “fairly cheap lesson in what a compromised IoT [threat] would look like while there’s still time to do something about it,” said Geoff Webb, vice president of solution strategy at Micro Focus. But IoT vendors need to get serious about security fast — and consumers should avoid their products until they do.

3. We’re getting other benefits on the coattails of new security technology

It’s always a good sign when adopting something for security reasons winds up having other benefits.
New protocols like Transport Layer Security (TLS) 1.3 and HTTP/2 will make the web safer, but there are clear performance improvements as well. It’s very likely the uptick in adoption of TLS 1.3 and HTTP/2 by web developers will be spurred by the increased speeds the protocols enable, said Ryan Kearny, CTO of networking company F5 Networks. “In 2017, the increase in web speed will spur rapid adoption of TLS 1.3 — and that will, in turn, make the web more secure,” Kearny said.

4. We’re getting more realistic about security

Security was one of those things people never really understood. TV shows and movies didn’t help, with slick graphics and fancy dramatizations of what hacking supposedly looks like. Then, along came the TV show “Mr. Robot,” and the show’s star, Rami Malek, winning an Emmy for his portrayal of Elliot Alderson. “Out of all the attempts that Hollywood has made to tell a compelling story using cyber as the backdrop, Mr. Robot is the most complete,” said Rick Howard, CSO of networking security company Palo Alto Networks.

If nothing else, nonsecurity professionals now have a better understanding of just how bad things can get. It’s no longer just that one weak password, one link in an email, or that one old software application that hasn’t been updated. There is no need to oversensationalize the security issues in “Mr. Robot” — the reality is bad enough.

That better understanding should help users see why they need to pay more attention to at least the security basics. And why they keep getting breach notices from the likes of Yahoo and Dailymotion.

But it doesn’t help that there’s still a culture of silence about breaches among security pros and the companies they work for. No one likes to talk about their failures or to be a headline.
But because no one is sharing what mistakes were made, the same breaches keep happening over and over.

That’s why the formation of new Information Sharing and Analysis Centers (ISACs) is a positive — though small — development, a sign of realism creeping into the security professionals’ culture, too. Although existing ISACs and commercial information-sharing platforms are expanding to include more enterprises, they need to become even more widespread.

Developers have plenty of places where they can post code snippets and get programming help. IT and security professionals should have forums where they can share their security stories, ask questions without judgment, and learn about what worked for their peers, said Jeannie Warner, a security strategist at WhiteHat Security. “The bad guys have Tor, Reddit, and other social networks to share information and tools. The good guys need to adopt theirs just as freely,” Warner said.

It’s easy to see information security as a never-ending stream of attacks. Perhaps the most distressing thing about the year’s outages and breaches is the fact that there is an awful lot happening that IT doesn’t know about. Security experts frequently warn that just because there is no evidence of a breach doesn’t mean there isn’t a breach. That was definitely true at Yahoo: The internet company disclosed two gigantic breaches, but the scariest thing wasn’t the number of victims — it was the fact that they happened years ago and no one even suspected.

“We went years with billions of records being sucked out from right under our noses and we didn’t even know it,” wrote security expert Troy Hunt. He called the current mindset “conscious incompetence,” where we know we have a big problem. That’s a better place to be than the previous stage, where the prevailing attitude was, “It won’t happen to me.”

The big question is knowing where to go next. “How much more are we going to discover over the next year? Or not discover at all?” Hunt asked.
If we’re finally getting real about security, and come out of the shadows, we should finally begin to make real progress.

5. We may finally get security promises we can bank on

As consumers, we demand money back when we are not satisfied with a product’s performance or functionality. But IT typically doesn’t get that option with security products. Only 25 percent of U.S. IT security decision-makers said their primary security vendor is willing to guarantee their product by covering the costs of a breach, including lawsuits and ransoms, according to a recent survey by endpoint security company SentinelOne. But most IT security professionals in the survey said they would like security vendors to offer a guarantee that their products would deliver on their promises — and 88 percent claimed they would change providers if a competitor offered such a guarantee.

“The industry has reached a tipping point, where security vendors will need to guarantee that their products will hold up against cyberattacks and assume responsibility if they fail to do so,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “Customers are tired of paying additional fees to address security breaches, especially when they have already paid for security defenses in the first place.”

There are now a handful of companies that offer security guarantees. SentinelOne’s guarantee covers $1,000 per endpoint, or a $1 million per-company payout, in the event of a successful ransomware infection after installing SentinelOne’s Endpoint Protection Platform. Cymmetria covers the costs incurred in notifying victims, hiring attorneys, bringing in digital forensics investigators, and repairing the damage in case an advanced persistent threat gains unauthorized access, moves laterally through the network, and steals protected information from compromised systems in organizations that have deployed Cymmetria’s MazeRunner cyber-deception platform.
Trusona and WhiteHat Security also have similar product guarantees.

As we’ve seen over the past few months, even security products can have vulnerabilities. But in several of the cases, the mistakes seemed fairly basic, even avoidable — not at all at the level of what a security provider should be delivering. Providing product guarantees should wring out such sloppiness from security providers, because they’ll finally pay a real price for their own neglect. “It’s high time people in our industry started putting their money where their mouth is and taking responsibility for what they sell, assuring what they do works,” said Gadi Evron, Cymmetria’s CEO.
Meet the virtual CISO, the security expert plugging hospital staffing holes
In an industry where three out of four organizations are without a designated security person, healthcare leadership is getting creative with its staffing.

While on the surface hiring a virtual chief information security officer who is primarily off-site seems risky, there are many benefits. Not the least of which: something is better than nothing.

“A lot of organizations can’t get the funding for a full-time security person or they just can’t find a qualified person in their location,” said CynergisTek President and Chief Strategy Officer Mac McMillan. “Some hospitals are physically located where it’s very difficult to attract the talent to come there.”

Hiring isn’t the only problematic part, either. “It’s the retention aspect. For the CISO, it’s not just getting a body, it’s getting someone with enough experience,” said Kurt Hagerman, CISO of security firm Armor.

When CynergisTek first started to offer a virtual CISO role, in fact, it was because hospitals kept asking for the service. A lot of the push came from health systems in remote areas, locations where it’s difficult to recruit for the position, or near Silicon Valley, where it’s tough to hang onto talent.

The company created its service to meet the need. Security firms like Pivot Point Security, Adelia Risk, Synoptek and others are also providing the service to fill in these gaps.

The offerings vary by need and the relationship. For example, McMillan said that there are times when the virtual CISO is in a strategic role, while other organizations use the CISO on-site part-time.
Some situations call for more of a mentoring or advisory role. Others have people in the security role part-time because they need someone with more experience who can work with leadership and sit in during meetings or look at results of analytics with executives.

“The virtual CISO can put a security program in place to educate and train the workforce to make sure these priorities are in place,” Hagerman said.

The virtual CISO in action

Methodist Hospital of Southern California CIO Gary Russell struggled to find a CISO willing to work on just a part-time basis.

“We’re a standalone hospital, not part of a system or a large organization, so keeping costs under control and limiting expenditures are crucial,” Russell said. “The CISO position tends to be expensive.”

Russell said they ended up going with a virtual CISO from CynergisTek to provide a high level of expertise and more depth for the organization, while keeping down the costs.

The virtual CISO reports to Russell and works remotely. A weekly call with Russell reviews any issues going on at Methodist. The CISO also keeps all policies and procedures for the hospital up to date.

Methodist has security staff on site, but the CISO is charged with handling the big picture. For example, Russell said the hospital has 70 or 80 different security policies that the CISO reviews and updates every two years to make sure they are consistent with safety standards.

There’s a solid integration between the CISO and the organization, which means the CISO can draw from CynergisTek’s pool of security professionals if there’s a problem too large to handle alone.

Another major asset is that CynergisTek is in charge of auditing the hospital. If an audit turns up an issue or concern, the CISO will put the necessary policies and procedures in place to address it.

To Russell, the virtual CISO has been invaluable for meeting HIPAA requirements. For the last few years, in fact, Methodist has met requirements at 100 percent.
Last year, the hospital tacked on its first evaluation against NIST standards, which were met at 80 percent.

Russell expects that at the next audit, coming up in July, the hospital will fare even better, due to the documentation issues addressed in its project plan.

“While other organizations have a lot of technology people that work with apps and platforms, they don’t have the necessary policy development skills,” said Russell. “It’s where a lot of other organizations fall down. They have a lot of security components in place, but fail to bring the pieces together or provide documentation so they don’t get credit for those items.”

Twitter: @JessieFDavis