eSecurityPlanet Staff, Author at eSecurity Planet
https://www.esecurityplanet.com/author/esecurityplanet-staff/
Industry-leading guidance and analysis for how to keep your business secure.
Feed last updated: Thu, 05 Dec 2024 21:23:13 +0000

Live Stream: AWS Partners LIVE!
https://www.esecurityplanet.com/trends/join-the-aws-partners-live-stream-december-2024/
Mon, 02 Dec 2024 09:00:00 +0000

Tune in to AWS Partners LIVE!, streaming directly from AWS marquee events like re:Invent and re:Inforce, to catch all the breaking news and exclusive insights. S­ponsored by AWS.

Get a front row seat to hear real stories from customers and AWS leaders about navigating pressing topics, learn about new product launches, watch demos, and get behind-the-scenes insights. You can catch all the excitement on the AWS Partner Network YouTube channel, where we’ll be sharing breaking news and exclusive insights alongside our competency partners.

Day 1: GenAI LIVE!
Tuesday, December 3rd | 11a.m. – 5p.m. PT

Day 2: Security LIVE!
Wednesday, December 4th | 11a.m. – 5p.m. PT

Day 3: Industries LIVE!
Thursday, December 5th | 10a.m. – 4p.m. PT

The post Live Stream: AWS Partners LIVE! appeared first on eSecurity Planet.

Majority of Businesses Plan to Accelerate IT Security Spending and Hiring
https://www.esecurityplanet.com/trends/new-esecurityplanet-com-survey-shows-majority-of-businesses-plan-to-accelerate-it-security-spending-and-hiring/
Wed, 06 Feb 2019 00:00:00 +0000


Foster City, CA, Feb. 06, 2019 — eSecurityPlanet.com, a top online resource for IT security professionals and vendors, released its 2019 State of IT Security survey. This year’s results highlight an emerging gulf between companies ready to meet the growing perimeter and insider threats to their security, and those that aren’t, where one in three companies are still unprepared.

Driven by fear of data breaches and new privacy regulations, such as Europe’s General Data Protection Regulation (GDPR), this year’s survey finds that large enterprises are spending aggressively on IT security measures. The majority of surveyed spenders (69 percent) were identified as mid-sized to very large organizations.

IT spending is up across the board, with 54 percent of companies planning to increase their IT security spending this year and 30 percent aiming to increase their spending by 10 to 20 percent or more. The survey also finds that IT security staff hiring is up as well, with 57 percent of respondents saying their organizations are planning to hire security staff in the next 12 months.

With increased spending and attention being focused on enhancing IT security, the survey surprisingly reveals that many companies still find themselves at high risk, with a third of companies identified as being largely unprepared for cybersecurity attacks.

“Because data breaches occur on such a frequent basis, on the surface there seems to be a general disillusionment about the state of cybersecurity,” explains Sean Michael Kerner, senior security editor for eSecurityPlanet.com. “Yes, there are companies out there that are not where they need to be in terms of being secure, however, the 2019 State of IT Security survey paints an optimistic picture. Many of the findings point to the fact that more and more organizations are proactive about their cybersecurity challenges, instead of waiting for the next breach to occur.”

The survey report also provides other key insights, including:

  • Spending priorities: Network access control (NAC), web gateways and data loss prevention (DLP) are top IT security spending priorities, revealing a need for security teams to balance external and internal threats.
  • Security tools that inspire the most and least amount of trust: Network access controls topped the list of security technologies that users have the most confidence in, followed by DNS filtering, anti-virus technology, and web gateways. IT security pros have the least amount of confidence in phishing simulation products, followed by breach and attack simulation.
  • The demand for emerging technologies: The survey shows mixed results on demand, with deception technology the most likely to be adopted over the next twelve months. Demand for other emerging technologies, such as security orchestration, automation and response (SOAR), is low.
  • Cybersecurity preparedness: The survey looks at how readiness compares to company size and guidance on how to be more prepared for threats.

To view the report and methodology, see eSecurityPlanet.com’s 2019 State of IT Security Survey.

eSecurityPlanet.com is owned and operated by QuinStreet, Inc. (Nasdaq: QNST), a pioneer in delivering online marketplace solutions to match searchers with brands in digital media. QuinStreet is committed to providing consumers and businesses with the information and tools they need to research, find and select the products and brands that meet their needs. eSecurityPlanet.com is a member of the company’s expert research and publishing division.

About eSecurityPlanet.com

eSecurityPlanet.com is an online resource for IT security professionals and vendors, featuring internet security news, expert analysis, technical tutorials, product reviews, and buying guides. Since 2000, eSecurityPlanet.com has delivered actionable insights into the latest tools and techniques for securing enterprises against the ever-changing cyber threat landscape. Led by an experienced editorial team, eSecurityPlanet.com offers readers both strategic and practical expertise to secure their networks and data.

Website: https://www.esecurityplanet.com

Twitter: @eSecurityP

Facebook: https://www.facebook.com/eSecurityPlanetcom-201643516537315

Rick Judge
eSecurityPlanet.com
415-429-5652
QuinStreet@libertycomms.com

The post Majority of Businesses Plan to Accelerate IT Security Spending and Hiring appeared first on eSecurity Planet.

Endpoint Detection and Response Selection Tool
https://www.esecurityplanet.com/endpoint/endpoint-detection-and-response-selection-tool/
Wed, 21 Feb 2018 00:00:00 +0000

Endpoint Detection and Response (EDR) solutions are one of the most important tools in the IT security arsenal, offering continuous monitoring and response to stop advanced security threats. But picking the right EDR solution for your business can be a daunting task. We’re here to help. Answer a few simple questions to find out which EDR solution meets the needs of your business. For a deeper look at the vendors, see our list of top Endpoint Detection and Response solutions.

The post Endpoint Detection and Response Selection Tool appeared first on eSecurity Planet.

Considerations for Adding FIDO U2F to Your Security Protocol
https://www.esecurityplanet.com/endpoint/considerations-for-adding-fido-u2f-to-your-security-protocol/
Tue, 10 Jan 2017 00:00:00 +0000


By Maxim Sovetkin, Itransition

Millions of email and social networking logins and passwords become public almost every month. You don’t have to be an IT guru to realize that a password, no matter how complicated, is no longer an adequate security tool.

The way users choose services is changing, adding more strains on security protocols. Before, users chose the most convenient option. Today, they go for the most secure one.

To heighten security, multifactor authentication (MFA), of which two-factor authentication (2FA) is the most common form, became an IT staple. The first factor is the login and password: something the user knows. The second is something only that particular user has: a code delivered by SMS or email, a one-time password (OTP / TOTP / HOTP) application, a cryptographic token, biometric data, etc. The cheapest and most convenient methods are apps and SMS messages. All you do is enter the username and password on the website, receive the secret code in an SMS on your phone, enter the code and get access to the data.

The World of 2FA Today

A lot of time has passed since the advent of 2FA, and the majority of large Internet services offer it today. 2FA has conquered the financial sector: it is practically impossible to imagine online payments without confirmation and authorization via SMS message, for instance.

However, oddly enough, despite the widespread dissemination of 2FA, users still get their accounts hijacked and compromised. This article will discuss some of the shortcomings and vulnerabilities of 2FA methods.

2FA Vulnerabilities

Phishing. Practically all 2FA solutions that rely on a code the user types in (SMS, email, TOTP/HOTP apps) are vulnerable to real-time man-in-the-middle (MITM) attacks, and therefore to phishing: a proxy site collects the password and the one-time code and forwards both to the real service before the code expires. Nothing in the code binds it to the site the user believes they are on.

Security. Take SMS verification, still the most popular second factor on the market. Reports of SIM cards being fraudulently reissued (SIM swapping) come from Russia, the USA, South Africa, the UK and other countries. Interception equipment that used to be available only to intelligence services is now within criminal reach, and plain old social engineering of the carrier or the victim works as well. These weaknesses are structural and not easy to fix.

Costs. Cryptographic tokens, proven reliable in terms of security, are rather expensive, and as a rule the end user pays that price. Only a few service providers cover the cost and delivery of such devices. Even sending SMS messages costs money. Because of all these costs, not every organization can afford to deploy and maintain 2FA.

Compatibility. Not all operating systems incorporate drivers for cryptographic tokens, and not all users have the desire to find and install them.

Ease of use. Some users simply cannot be bothered to enter one-time passwords. Unlock the phone, open the message or OTP app, read the secret code, type it, mistype it, start over: this is the standard interaction between the user and two-factor authentication.

To conclude, today’s 2FA solutions do not offer reliable user protection, are often cumbersome to use, are too expensive and generally are not suitable for universal implementation.

FIDO U2F

In 2007, PayPal tried to introduce 2FA with the help of OTP via SMS. Despite the fact that, at the time, this method was progressive and quite safe, the implementation pace was disastrously low. Most users simply ignored the option to increase their data security.

While exploring biometric authentication, PayPal and Validity Sensors were the first to argue that it was time for an industry standard covering all hardware authentication methods. The FIDO (Fast IDentity Online) Alliance was launched in 2013 with the goal of creating such a standard. Many large companies, among them Google, ARM, Bank of America, Mastercard, Visa, Microsoft, Samsung, LG, Dell and RSA, became members.

At the moment, FIDO pursues the goal of creating easy-to-use, secure, private and standardized solutions.

Besides other achievements, the main result of FIDO’s work to standardize 2FA so far is the Universal Second Factor (U2F) protocol.

What is U2F?

U2F is an open, driverless protocol originally developed by Google and Yubico to be used for two-factor authentication with special USB, NFC and Bluetooth LE devices as well as with SIM-cards (specifications are still in development) that store keys and independently perform cryptographic operations.

At the time of writing (January 2017), U2F support is implemented in the Chrome and Edge browsers, as well as in Windows 10.

The protocol is based on a challenge-response authentication using digital signatures.

User experience

From the user’s point of view, working with the protocol is rather mundane. The user enters a username and password and uses a USB (Bluetooth/NFC) U2F device (pushes a button on it, enters a PIN, passes the biometric verification or does nothing), and authentication is a success.

[Figures: U2F for USB; U2F for Mobile. Images provided by Yubico.]

U2F Protocol Deep Dive

[Figure: U2F interaction protocol between the relying party, the U2F client (a web browser or Windows 10) and the U2F device.]

Let’s look at the work of the protocol in more detail.

The user enters a username and password. The server checks the credentials and, if they are correct, generates a random challenge and sends it, together with the key handle it stored for this user at registration, to the client software, which in turn passes both to the U2F device. The device waits for the user to confirm the operation (pushing the button, as discussed above), signs the challenge with the private key identified by the key handle, and returns the signature and its counter value to the client software, which passes them on to the server for verification.

To protect users against phishing, the client software builds a "client data" structure containing the challenge, the origin URL it is actually connected to and, optionally, the TLS channel ID, and hands its hash to the U2F device for signing. The server receives the client data alongside the signature and rejects the response if the origin is not its own. A phishing site therefore cannot reuse a signature it relayed, because the signed origin would be the phishing domain, and forging a different origin invalidates the signature.

Signing everything with one key pair would have a range of bad consequences, from a single compromised account leading to every account protected by that device being compromised, to services being able to correlate the same user across sites. To avoid this, during registration the server sends an application ID (AppID, normally the site’s origin URL) along with the challenge, and the U2F device generates a fresh key pair bound to that AppID. It returns the public key and an opaque key handle, which the server stores and presents on every later authentication; the device refuses to use a key handle with any other AppID. How the device derives or wraps the key is not dictated by the protocol and is left to the manufacturer.

Due to the fact that the pair of keys is unique to each registration attempt, it is possible to use one device for multiple U2F accounts.

To make cloned devices detectable, the standard includes a signature counter. Every authentication increments the counter, and the counter value is included in the signed response returned to the relying party. The server stores the highest value it has seen and rejects any response whose counter is not greater than it. If a device is cloned, the original and the clone start from the same counter value; as soon as both have been used, one of them presents a value the server has already seen, which causes a verification error and reveals the cloning (though not which of the two is the clone).

To guard against insecure implementations, each U2F device carries a built-in attestation certificate that identifies the device model and chains to its manufacturer, whose implementation can be certified by the FIDO Alliance. A relying party can check it at registration to accept only known hardware.

If the token is left plugged in while the user is away, malware on the machine could try to use it silently. To prevent this, the U2F standard requires that every signing operation be gated by a test of user presence: the user must confirm each operation. As mentioned above, this may be a simple push of a button, entering a PIN code, presenting a fingerprint or using another unique identifier.
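The full exchange described above, as an added example in Go that is not part of the original article or of any U2F library: a toy relying party and a simulated token that register a per-AppID key pair, sign the U2F message layout (application parameter || user-presence byte || counter || challenge parameter) with ECDSA P-256, and verify origin, signature and counter on the server side. The names Device and Server, the AppID https://login.example and the phishing origin https://evil.example are assumptions. Two simplifications are marked in the code: client data is a newline-joined origin and challenge rather than the JSON object real browsers hash, and the button press is represented only by the user-presence byte (a real token refuses to sign until it is touched); attestation is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Device simulates a U2F token: one key pair per registration, found by an opaque key handle.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey // real tokens wrap the key inside the handle instead
	apps    map[string][32]byte          // key handle -> hash of the AppID the key is bound to
	counter uint32                       // signature counter, +1 per signature
}

func NewDevice() *Device { return &Device{keys: map[string]*ecdsa.PrivateKey{}, apps: map[string][32]byte{}} }

// Register mints a fresh P-256 key for one AppID; device attestation is omitted in this toy.
func (d *Device) Register(appParam [32]byte) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	h := fmt.Sprintf("kh-%x", priv.PublicKey.X) // toy key handle, unique per registration
	d.keys[h], d.apps[h] = priv, appParam
	return h, &priv.PublicKey, nil
}

// Sign answers an authentication request once the user has pressed the button (assumed here).
func (d *Device) Sign(h string, appParam, challengeParam [32]byte) (uint32, []byte, error) {
	if d.apps[h] != appParam {
		return 0, nil, fmt.Errorf("key handle unknown or bound to another AppID")
	}
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, d.keys[h], signedDigest(appParam, d.counter, challengeParam))
	return d.counter, sig, err
}

// signedDigest hashes appParam(32) || 0x01 (user present) || counter(4, big-endian) || challengeParam(32).
func signedDigest(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	msg := make([]byte, 69)
	copy(msg, appParam[:])
	msg[32] = 0x01
	binary.BigEndian.PutUint32(msg[33:], counter)
	copy(msg[37:], challengeParam[:])
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Server is the relying party for one user; for U2F the AppID is the site origin.
type Server struct {
	AppID   string
	handle  string
	pub     *ecdsa.PublicKey
	counter uint32 // highest counter accepted so far
}

func (s *Server) appParam() [32]byte { return sha256.Sum256([]byte(s.AppID)) }

func (s *Server) Register(dev *Device) (err error) {
	s.handle, s.pub, err = dev.Register(s.appParam())
	return err
}

// Authenticate runs one login round from a browser at origin. Origin and challenge are hashed into
// the challenge parameter (a newline-joined pair here; real clients hash a JSON object), so a phishing
// proxy can relay the challenge but cannot rewrite the origin without breaking the signature.
func (s *Server) Authenticate(origin string, dev *Device) error {
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand.Read does not fail on supported platforms
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	clientData := origin + "\n" + challenge // browser side: origin is the page the user is really on
	counter, sig, err := dev.Sign(s.handle, s.appParam(), sha256.Sum256([]byte(clientData)))
	if err != nil {
		return err
	}
	if clientData != s.AppID+"\n"+challenge { // server side: origin and challenge must both match
		return fmt.Errorf("client data rejected: %q", clientData)
	}
	if !ecdsa.VerifyASN1(s.pub, signedDigest(s.appParam(), counter, sha256.Sum256([]byte(clientData))), sig) {
		return fmt.Errorf("signature invalid")
	}
	if counter <= s.counter {
		return fmt.Errorf("counter %d not above %d: cloned token", counter, s.counter)
	}
	s.counter = counter
	return nil
}

func main() {
	srv, dev := &Server{AppID: "https://login.example"}, NewDevice()
	fmt.Println("register:", srv.Register(dev), "| genuine:", srv.Authenticate(srv.AppID, dev))
	fmt.Println("phished:", srv.Authenticate("https://evil.example", dev))
	clone := *dev // attacker copied the token's secrets and counter
	fmt.Println("original:", srv.Authenticate(srv.AppID, dev), "| clone:", srv.Authenticate(srv.AppID, &clone))
}
```

Run it and the phished login is rejected because the origin inside the signed client data is https://evil.example, while the clone, used after the original has signed once more, is rejected because its counter is not above the value the server stored. In a real deployment the browser additionally refuses to sign for an AppID that does not match the page’s origin, so a phishing page never reaches the token at all.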

U2F Verdict

U2F is a well-designed, strong, open and standardized technology. It is implemented by such giants as Google, GitHub, Dropbox, and official British government websites.

It is important to remember that U2F, like any other two-factor authentication technology, must be used precisely as a secondary factor to the user’s login and password credentials.

FIDO U2F in Practice

Working with Services

To use a U2F token as a secondary factor when working with services supporting U2F authentication on a Linux machine, you have to meet only a few conditions.

Install the libu2f-host package, which ships the udev rules needed for a U2F token to be recognised.

Note that those udev rules cover only tokens from Yubico. If your token is from another manufacturer, you will need a rule matching its USB vendor and product IDs.

If you own the blue FIDO U2F Security Key, you also have to create a file called /etc/udev/rules.d/50-security-key.rules with the following content, and make sure your account is a member of the plugdev group:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", OWNER="root", GROUP="plugdev", MODE:="0660"

After saving the rule, reload udev and re-plug the key (or run udevadm trigger):

udevadm control --reload-rules

U2F tokens enumerate as USB HID devices, so you can check that udev applied the rule to the token’s node (typically /dev/hidrawN; the number varies, so pick the node that appears when you insert the key) with:

udevadm info -a -n /dev/hidraw0

For further work with services supporting U2F you will need Google Chrome, version 38 or higher.

Login

To enable 2FA when you log in on a Linux machine, you will need to install a few extra packages:

  • hidapi (USB HID communication with the token)
  • u2f-host (the client side: talks to the key and formats requests and responses)
  • u2f-server (the relying-party side: challenge generation and signature verification)
  • pam-u2f (the PAM module, built on u2f-host and u2f-server)

U2F Setup

To set up U2F, generate the file listing your registered tokens with the pamu2fcfg utility. Run it as root with the key plugged in and touch the key when it blinks; -u takes the login name of the user the key belongs to (alice is a placeholder below), and each output line has the form username:keyhandle,publickey. Use >> instead of > to add a second key or user to an existing file.

pamu2fcfg -u alice > /etc/u2f_key_mapping_file

PAM Setup

Add the following at the end of file /etc/pam.d/common-auth:

auth       sufficient pam_u2f.so authfile=/etc/u2f_key_mapping_file cue

The cue option prints a prompt reminding you to touch the key. For the other pam_u2f options, see the module’s man page, pam_u2f(8).

At your next login, after the password is accepted, the system will prompt you to touch the key, which blinks. Both sudo and su behave the same way because they include common-auth.

With sufficient, a missing or failing key does not block login: the pam_u2f failure is ignored and the password alone is accepted, which is the safe setting while testing.

Once everything works, change it to required so the key is mandatory. Keep a root shell open in another terminal while you do, and test a fresh login before closing it.

[Figure: U2F authentication prompt at login.]

Technically, by rearranging the PAM configuration you can also make the token the only factor, for example for su: after typing the command you just touch the key to confirm the action. But it is worth repeating that 2FA should be used only for its intended purpose, as a second factor alongside the password.

Finally, the following are must-haves: full-disk encryption, a firmware (BIOS/UEFI) password, and disabling boot from removable media. Otherwise 2FA will not stop an attacker with physical access to the machine from reading the data directly.

Maxim Sovetkin, lead system engineer, joined Itransition in 2010. His technical interests are in automation, hardware, *nix, networking, SAN, security, system integration, planning and design, virtualization, VoIP, wireless technologies, Windows and workforce management. Sovetkin graduated from Belarusian State University with a degree in mathematics, system analysis and IT systems modeling.

Photo courtesy of Shutterstock.

The post Considerations for Adding FIDO U2F to Your Security Protocol appeared first on eSecurity Planet.

How to Hire an Ethical Hacker
https://www.esecurityplanet.com/threats/how-to-hire-an-ethical-hacker/
Tue, 25 Oct 2016 00:00:00 +0000


By Ryan O’Leary, WhiteHat Security

If your company develops web applications, I hope you aren’t the nervous sort when I tell you that your website is most likely being targeted for hacking as you read this. If you’re a security manager, it really shouldn’t come as a surprise, though. Web apps are the most exploited means of illicit entry by hackers.

The Verizon 2016 Data Breach Investigations Report says that web application attacks represented 40 percent of all data breaches in 2015. The total global cost of data breaches today is $360 billion and, according to the Ponemon Institute, the average total cost of a single breach is $4 million.

I tell you this not to ruin your sleep but rather to let you know you that there is a solution: hire a good-guy hacker to find vulnerabilities before the bad guys do, and then have your developers fix them.

You and your customers will be spared what could be truly enormous losses. The best way to discover your application vulnerabilities is to hack yourself.

Hiring an Ethical Hacker

However, hiring a competent, ethical hacker on your own isn’t the easiest thing to do, because supplies are limited. And you have to be sure they are reputable. After all, hackers are trained in the dark arts, so you need to be confident that not only are they skilled but also that they won’t use what they find on your website for nefarious purposes. At the very least, they need to pass a stringent background check, like any security employee.

Ethical hackers are an unusual breed. They have the same skills as bad-guy hackers, but they choose to use those skills for good. And they’re up against a formidable array of troublemakers:

  • Hacktivists, whose motivation may be politics, exposing wrongdoing or exacting revenge
  • Organized crime hackers, who want to steal your money, data and computing resources
  • Nation-state and terrorist hackers, driven by politics or religion

How Does an Ethical Hacker Think?

When I hire potential application security engineers, I look for a certain mindset: “How can I break something?” The hacker personality likes to figure out how something works and then try to reverse engineer or otherwise subvert it. It’s a point of view you can’t teach.

I remember once we had a group of hacker applicants in the lobby and one of them whiled away his time figuring out how to hack the lobby soda machine. He was successful — and then he put the soda can back, because he wasn’t after a free Coke; he just wanted to see if he could do it. I didn’t have any hesitancy in picking that guy to hire.

The other vital quality I look for is the drive to learn new things, because being a successful hacker is all about keeping up to date with the latest trends. And there is always something new coming along. Right now potential vulnerabilities include:

  • Information leakage
  • Predictable resource location
  • Directory indexing
  • Insufficient transport layer protection
  • Vulnerabilities in the underlying platform, zero-days when they were disclosed, such as POODLE, Heartbleed, Shellshock and flaws in the Java runtime
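An added example (not from the original article or from WhiteHat Security) of how an application security engineer checks for four of the classes listed above, in Go: it probes a list of predictable paths, looks for directory listings, reads version-revealing headers and notes missing transport protection. It runs against a constructed, deliberately misconfigured site served from net/http/httptest, so it works offline; the path list, the header heuristics, the autoindex signature and the sample site are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Finding pairs one weakness class from the list above with the evidence that triggered it.
type Finding struct{ Class, Evidence string }

// predictablePaths are locations attackers request blindly; the list is an assumption for this example.
var predictablePaths = []string{"/.git/config", "/backup/", "/admin/", "/phpinfo.php", "/.env"}

// Audit probes one site for predictable resources, directory indexing,
// version-revealing headers and missing transport protection.
func Audit(client *http.Client, base string) []Finding {
	var out []Finding
	https := strings.HasPrefix(base, "https://")
	if !https {
		out = append(out, Finding{"insufficient transport layer protection", "site served over plain HTTP"})
	}
	for _, p := range predictablePaths {
		resp, err := client.Get(base + p)
		if err != nil {
			continue
		}
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // never slurp an unbounded body
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			continue
		}
		out = append(out, Finding{"predictable resource location", p + " is reachable"})
		if strings.Contains(string(body), "<title>Index of ") { // Apache/nginx autoindex signature
			out = append(out, Finding{"directory indexing", p + " lists its contents"})
		}
	}
	resp, err := client.Get(base + "/")
	if err != nil {
		return out
	}
	resp.Body.Close()
	for _, h := range []string{"Server", "X-Powered-By"} {
		if v := resp.Header.Get(h); strings.ContainsAny(v, "0123456789") { // a version number is what matters
			out = append(out, Finding{"information leakage", h + ": " + v})
		}
	}
	if https && resp.Header.Get("Strict-Transport-Security") == "" {
		out = append(out, Finding{"insufficient transport layer protection", "no HSTS header"})
	}
	return out
}

// vulnerableSite is a constructed stand-in for a misconfigured web server.
func vulnerableSite() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Server", "Apache/2.2.15 (CentOS)")
		w.Header().Set("X-Powered-By", "PHP/5.3.3")
		io.WriteString(w, "<html>welcome</html>")
	})
	mux.HandleFunc("/backup/", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "<html><head><title>Index of /backup</title></head><body>db-2016-10.sql.gz</body></html>")
	})
	mux.HandleFunc("/.git/config", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "[core]\n\trepositoryformatversion = 0\n")
	})
	return mux
}

func main() {
	srv := httptest.NewServer(vulnerableSite())
	defer srv.Close()
	for _, f := range Audit(srv.Client(), srv.URL) {
		fmt.Printf("%-42s %s\n", f.Class, f.Evidence)
	}
}
```

Against the sample site this reports six findings: plain HTTP, two reachable predictable paths (one of them a directory listing) and two version-revealing headers. Point Audit at a real host only with written authorization, and expect false positives from the header heuristic on deliberately spoofed banners.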

And there are many attack techniques cybercriminals use against web applications, such as:

  • Cross-site scripting
  • Filter evasion for XSS
  • Social engineering
  • Content spoofing
  • URL redirector abuse

Where to Find an Ethical Hacker

One place to look for good-guy hacker hiring recommendations is a local chapter meeting of the Open Web Application Security Project (OWASP). Find one, attend and make friends; the application security community is a small but tight-knit and helpful group. There are also companies that will provide vetted, certified experts as well as software tools to hunt down the vulnerabilities in your websites and apps.

When the security expert arrives, you’ll tell him or her your priorities and he or she will get to work, most likely vetting your flagship website first. Once you find out where the vulnerabilities lie — and there always are some, in my experience — you’ll develop a plan to fix them. And remember, bugs and vulnerabilities may be lumped together as “defects,” but vulnerabilities –with their greater potential for disaster — should get first priority in the repair queue.

Emphasis on Application Security

Going forward, you need to make AppSec an embedded part of the development process. It’s much cheaper to fix vulnerabilities in development than in QA. Among other things, that means security and development must become a tightly bonded team.

You may find your developers initially resist or resent the security expert’s involvement. Developers are all about speed of release and quality of code, and they may have little or no security training or mind set. They often view security experts as roadblocks.

The solution is a companywide emphasis on security and secure coding training for the developers. It’s true that security testing will slow down the development process a little, particularly at first before people get used to it. But eventually security is just seen as another part of QA, with everyone striving toward the same goal: a secure product.

Sometimes security managers or their leadership are leery of employing their own good-guy hacker, because they don’t want to know the bad news. It’s like staying away from the doctor to avoid hearing that you have medical problems. That’s human nature, maybe, but not wise. The hacker mindset, however, is an invaluable addition both to the security team and to the DevOps team the hacker (hopefully) collaborates with.

Remember, each vulnerability you eliminate is one less chance of being hacked. Corny or not, “knowledge is power.” The more you know, the more you can prevent your organization from experiencing a potentially devastating breach. A good-guy hacker could make the world of difference in your security posture.

Ryan O’Leary is vice president of the Threat Research Center at WhiteHat Security. WhiteHat Security combines technology and human intelligence to deliver solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and websites.

The post How to Hire an Ethical Hacker appeared first on eSecurity Planet.

2 Do’s and 2 Don’ts of Incident Response and Anomaly Detection
https://www.esecurityplanet.com/networks/incident-response-and-anomaly-detection/
Fri, 14 Oct 2016 00:00:00 +0000


By Alan Hall, Blue Coat (now part of Symantec)

With the cost of a breach up 29 percent from 2013 — and continuing to rise — according to a recent Ponemon report, enterprise leaders are under mounting pressure to implement security solutions that are effective in detecting threats in this evolving cybersecurity landscape. While organizations generally accept that prevention alone is not enough, data breaches often still go undetected for weeks, months and even years.

Organizations need to know which alarms matter to their organization in order to effectively conduct incident response. Signature-based systems and network management tools are often seen as the traditional approach to organizational security, but these solutions can no longer be the only means for detecting a breach and stopping it before it causes significant harm.

Anomaly detection, which is about enabling proactive incident response by giving security teams the ability to track down potential risks before a simple breach or unusual behavior escalates into a devastating event, is growing in popularity.

Organizations must consider a number of factors when evaluating incident response solutions. Here are four key considerations organizations should keep in mind as they evaluate the best way to prevent a breach, as well as limit the damage when a breach occurs.

Don’t Rely on Manual Monitoring Processes

Incident response teams often take a manual approach to security monitoring, tasking team members with watching dashboards and spotting simple anomalies. This is extremely time consuming. It is also prone to human error: fatigue and inconsistent judgment lead to missed and misclassified events.

Additionally, a single metric will rarely indicate an advanced attack. Multiple metrics taken together may well identify one, but humans cannot correlate enough related signals at once to see it.

Do Consider Impact of Shadow IT

While network security was previously contained to the applications vetted and implemented by the IT department, shadow IT and bring-your-own-device (BYOD) practices have made the business environment much more complex. The network perimeter has exponentially expanded, with IT and incident response teams now having to worry about employees working from multiple devices (such as smartphones, laptops and tablets), connecting to multiple networks (office Ethernets, home broadband and VPNs) and using hundreds of applications (enterprise, consumer, productivity or social) that reside across corporate data centers and cloud service providers.

The expanding perimeter introduces countless new endpoints that require security teams to think differently about their approach to threat detection and prevention.

Don’t Follow the Rules

In an attempt to automate some of the manual work involved in anomaly detection, companies often rely heavily on rules and thresholds. This approach comes with its own set of problems. Thresholds and rules are of little use on periodic data, for example: a limit low enough to catch a night-time anomaly fires on every daytime peak, and one high enough to stay quiet during the peak misses the anomaly.

Additionally, the alerts this approach generates can create a lot of unnecessary noise that distracts the attention of security information and incident response teams.

Do Establish a Baseline of Normal Behavior

Every organization is unique and constantly changing; often moments after a baseline is determined, it can become inaccurate due to changes to the network environment or user behavior. By establishing a dynamic, automated baseline for normal behavior — often by leveraging packet capture and network forensics recordings — organizations can identify what normal network and cloud application activity looks like, so they can then identify abnormal activity.
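As an added example (not from the original article or from any Blue Coat product) of why a fixed threshold fails on periodic data while a baseline catches the same event, the Go program below fabricates eight days of hourly bytes-out for one host with a daily business-hours peak, then plants a slow night-time exfiltration on day 8 that stays far below the daytime peak. The threshold rule either fires on every business hour or misses the exfiltration; the per-hour-of-day baseline learned from the first seven days flags only the planted hour. The series, the 09:00-18:00 schedule, the 5 percent deviation floor and the 4-sigma cut-off are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one hour of egress for a single host; Hour counts from the start of the series.
type Sample struct {
	Hour  int
	Bytes float64
}

// constructedSeries fabricates 8 days of hourly bytes-out with a 09:00-18:00
// business-hours peak and a slow exfiltration planted at 02:00 on day 8.
func constructedSeries() []Sample {
	var s []Sample
	for h := 0; h < 8*24; h++ {
		v := 200_000.0 // quiet night-time baseline
		if hod := h % 24; hod >= 9 && hod < 18 {
			v = 5_000_000 // daytime sync/backup traffic
		}
		v += 10_000 * math.Sin(float64(h)) // deterministic jitter
		if h == 7*24+2 {
			v += 1_300_000 // exfiltration: far below the daytime peak, seven times the night baseline
		}
		s = append(s, Sample{Hour: h, Bytes: v})
	}
	return s
}

// thresholdAlerts is the rule-based approach: every hour above a fixed limit is an alert.
func thresholdAlerts(s []Sample, limit float64) []int {
	var hits []int
	for _, x := range s {
		if x.Bytes > limit {
			hits = append(hits, x.Hour)
		}
	}
	return hits
}

// Baseline holds the mean and standard deviation of bytes-out for each hour of the day.
type Baseline struct{ mean, sd [24]float64 }

// Train learns the baseline from the first days*24 samples.
func Train(s []Sample, days int) Baseline {
	var b Baseline
	var n, sq [24]float64
	for _, x := range s[:days*24] {
		k := x.Hour % 24
		n[k]++
		b.mean[k] += x.Bytes
		sq[k] += x.Bytes * x.Bytes
	}
	for k := range b.mean {
		b.mean[k] /= n[k]
		variance := math.Max(sq[k]/n[k]-b.mean[k]*b.mean[k], 0)
		// Floor the deviation at 5% of the mean so a perfectly flat hour does not turn noise into alerts.
		b.sd[k] = math.Max(math.Sqrt(variance), 0.05*b.mean[k])
	}
	return b
}

// Anomalies flags hours after the training window whose bytes-out exceed the
// baseline for that hour of day by more than z standard deviations. The test
// is one-sided: a drop in egress is not an exfiltration signal.
func (b Baseline) Anomalies(s []Sample, days int, z float64) []int {
	var hits []int
	for _, x := range s[days*24:] {
		k := x.Hour % 24
		if (x.Bytes-b.mean[k])/b.sd[k] > z {
			hits = append(hits, x.Hour)
		}
	}
	return hits
}

func main() {
	s := constructedSeries()
	fmt.Println("alerts with a 1 MB/h threshold:", len(thresholdAlerts(s, 1_000_000))) // every business hour, plus the exfiltration
	fmt.Println("alerts with a 6 MB/h threshold:", len(thresholdAlerts(s, 6_000_000))) // silent: the exfiltration is missed
	b := Train(s, 7)
	fmt.Println("baseline anomalies on day 8 (hour index):", b.Anomalies(s, 7, 4)) // only hour 170, i.e. day 8 at 02:00
}
```

In production the baseline is keyed by more than hour of day (host, protocol, destination class, weekday versus weekend) and is retrained on a sliding window, which is what the text means by a dynamic baseline; the floor on the deviation is what keeps a freshly learned, very regular hour from alerting on ordinary jitter.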

Wrapping up: One Approach Does Not Fit All

These dos and don’ts offer some best practices to consider when implementing an incident response solution leveraging anomaly detection, but it is important to remember that the industry standards for anomaly detection are still evolving. The most important thing for organizations to keep in mind is that they must identify the best solution to meet the needs of their data, activity, patterns and ultimately threats.

Alan Hall is the director of Product Marketing for Network Forensics and Incident Response at Blue Coat, now part of Symantec. He joined Blue Coat through the acquisition of Solera Networks, a leader in security analytics and threat visibility solutions. At Solera Networks, he was responsible for corporate and product marketing as the company grew from a security innovator to a recognized leader in security analytics and subsequent acquisition by Blue Coat. Alan has over 20 years experience with networking and security technology leaders, and he has a BS degree from Brigham Young University and MBA from Utah State University.

The post 2 Do’s and 2 Don’ts of Incident Response and Anomaly Detection appeared first on eSecurity Planet.

5 Tips on Using OAuth 2.0 for Secure Authorization https://www.esecurityplanet.com/mobile/tips-on-using-oauth-2-0-for-secure-authorization/ Mon, 03 Oct 2016 00:00:00 +0000

The post 5 Tips on Using OAuth 2.0 for Secure Authorization appeared first on eSecurity Planet.


By Aleksey Gavrilenko, Itransition

Approaches to security issues change constantly, along with evolving threats. One approach is to implement OAuth, an open authorization standard that provides secure access to server resources. OAuth is a broad topic with hundreds of articles covering dozens of its aspects. This particular article will help you create a secure authorization server using OAuth 2.0 in .NET to use for your mobile clients and web applications.

What is OAuth?

OAuth is an open standard for authorization that allows delegating access to remote resources without sharing the resource owner’s credentials. Instead of credentials, OAuth introduces tokens, issued by the authorization server and accepted by the resource server that hosts the owner’s data.

In OAuth 1.0, each registered client was given a client secret, and tokens were issued in response to requests that the client signed (typically with HMAC-SHA1) using that secret. This remained secure even over an insecure channel, because the secret was used only to compute the signature and never travelled across the network.

OAuth 2.0 is a simpler protocol: the client authenticates to the token endpoint by sending its client secret with each token request, and the bearer tokens it receives are not signed by the client either. The two versions are not compatible with each other, and OAuth 2.0 is often deemed less secure because it relies entirely on the SSL/TLS layer for confidentiality. One of OAuth’s contributors, Eran Hammer, even said that OAuth 2.0 may become “the road to hell,” because:

“… OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.”

Despite this opinion, a secure implementation of OAuth 2.0 is not that hard to achieve, because frameworks support it and best practices are documented. TLS (still commonly called SSL) is a mature protocol, and when the client performs proper certificate validation it protects the secret and the tokens in transit; the failures seen in practice come from disabled or incomplete certificate checks, not from the protocol itself.

Of course, if you are using OAuth 1.0, then continue to use it; there is no point in migrating to OAuth 2.0. But if you are developing a new mobile or an Angular web application (and often mobile and web applications come together, sharing the same server), then OAuth 2.0 will be a better choice. It already has some built-in support in the OWIN framework for .NET that can be easily extended to create different clients and use different security settings.

Implementing OAuth 2.0 in OWIN

OWIN (Open Web Interface for .NET) is a specification that decouples ASP.NET applications, including Web API, from the host; Microsoft’s Katana middleware implements it and ships an OAuth 2.0 authorization server (Microsoft.Owin.Security.OAuth). In that implementation two major OAuth concepts, clients and refresh tokens, are not defined for you: the middleware hands them to callbacks (an OAuthAuthorizationServerProvider for validating clients and grants, an IAuthenticationTokenProvider for creating and receiving refresh tokens) and leaves storage and lifecycle to the developer. On the one hand, this adds some complexity, because each developer needs to decide how to implement them exactly; on the other hand, it adds extensibility and new opportunities.


The exact implementation with code snippets can be found in tutorials across the web and in open source projects at GitHub; and therefore it is out of scope of the current article. In particular, Taiseer Joudeh, a Microsoft consultant, has written an article with a step-by-step description of the exact implementation.

From my own experience, it’s best to use the following techniques when implementing and using an OAuth 2.0 authorization server:

1. Always use SSL/TLS. OAuth 2.0 security depends entirely on the transport, and using OAuth 2.0 without it is just like sending a password in plaintext across an insecure Wi-Fi connection. In the OWIN middleware, leave OAuthAuthorizationServerOptions.AllowInsecureHttp at its default of false so the token endpoint refuses plain HTTP requests.
2. Always check the SSL/TLS certificate to protect against man-in-the-middle attacks. For web applications, the browser does that job and warns the user if the certificate is not trusted. For mobile applications, the application (or its HTTP library) must validate the certificate chain, hostname and expiry itself; never ship code that bypasses that validation, and consider pinning the server certificate or its issuer.
3. Do not store client secrets in the database in plaintext; store a salted hash instead and compare it in constant time. You may choose not to store client secrets at all (an acceptable solution if authentication relies solely on user passwords), but keeping them in plaintext will pose a security threat if they become critical in the future.
4. Always use refresh tokens and make access tokens short-lived. Refresh tokens give you the following three benefits:
   • They avoid access tokens that live forever without forcing the user to re-enter credentials. As a bonus, for web applications they can imitate session expiration: when the user is idle for some time, both the access token and the refresh token expire and the user must log in again.
   • They are revocable. When the user changes the password, outstanding refresh tokens can be revoked and the user is forced to re-login on all mobile devices. This is very important because a device may be stolen, and a logged-in session on it is a significant security threat.
   • They can be used to update access token content. Normally, access tokens are validated without a round trip to the database, which is fast, but it means user roles cached in the token’s claims cannot be updated or, more importantly, revoked until the token expires. Short-lived access tokens combined with refresh tokens solve this: every refresh is a database round trip at which claims are reloaded and revocation is enforced.
5. Choose the lifetime for access tokens and refresh tokens properly. For financial or other critical applications, the lifetimes should be as short as possible: 30-60 seconds for access tokens and five to 10 minutes for refresh tokens. Non-critical applications may have refresh tokens living for weeks so that users are not bothered with re-entering credentials.

OWIN Implementation of OAuth 2.0 Offers Flexibility

The current OWIN implementation of OAuth 2.0 is also flexible enough to be altered to fit particular business needs:

1. If there is a background service that needs to act as any user, it can be integrated seamlessly into the authentication process in the following way:
   • Alter the clients table by adding a PasswordRequired column.
   • Handle the case where the password is not required in the grant-validation code.
   • Create a new client in the clients table and use it for the background service. Always secure the secret for this client, as it acts like a master password. (Never store this secret in plaintext.)
2. If there are several applications (mobile apps, admin console, etc.) that need to be restricted by roles, you can protect the client applications in the following way:
   • Alter the clients table by adding an AllowedRoles column.
   • Add a check of the user’s roles against the client’s allowed roles to the authentication code.
   • Dedicate a separate row in the clients table to each application. Remember that the authorization checks in the server API must be implemented in any case; the client-level check is an additional gate, not a replacement.
3. Sometimes the requirement is the reverse: the same user logging in through different applications should have different business roles when accessing server resources. In this case, the clients table can be altered by adding and maintaining a BusinessRole column. The value from this column is added to the access token claims and eventually checked in the server API.
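
The following is an added example, not code from the article and not the OWIN/Katana middleware (which is C#): a stand-alone Python model of the authorization server that the five tips and the three customizations above describe. It hashes client secrets and passwords with salted PBKDF2 and compares them in constant time (tip 3); issues HMAC-signed access tokens that a resource server validates without a database round trip and that expire after 60 seconds (tips 4 and 5); issues single-use refresh tokens stored only as hashes, bound to the issuing client and revoked by a password change (tip 4); and keeps PasswordRequired, AllowedRoles and BusinessRole columns on its clients table. TLS (tips 1 and 2) is outside the model. All names, TTLs, error strings and the in-memory tables are assumptions.

```python
"""Model of an OAuth 2.0 password-grant authorization server (added example)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

ACCESS_TTL = 60          # seconds; short-lived, as recommended for critical apps
REFRESH_TTL = 10 * 60    # ten minutes
PBKDF2_ROUNDS = 100_000


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, used for client secrets and user passwords alike."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """In-memory clients/users/refresh-token tables; `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.signing_key = os.urandom(32)   # assumption: in production, protected server config
        self.clients, self.users, self.refresh = {}, {}, {}   # refresh: sha256(token) -> record

    def add_client(self, client_id, secret, *, password_required=True, allowed_roles=(), business_role=None):
        salt = os.urandom(16)                # tip 3: only a salted hash of the secret is stored
        self.clients[client_id] = {"salt": salt, "hash": _kdf(secret, salt), "password_required": password_required,
                                   "allowed_roles": set(allowed_roles), "business_role": business_role}

    def add_user(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _kdf(password, salt), "roles": set(roles), "pw_version": 0}

    def change_password(self, username, new_password):
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = _kdf(new_password, user["salt"])
        user["pw_version"] += 1              # revokes every refresh token issued before the change

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["hash"], _kdf(client_secret, client["salt"])):
            raise PermissionError("invalid_client")
        return client

    def password_grant(self, client_id, client_secret, username, password=None):
        """POST /token grant_type=password; password may be omitted only for PasswordRequired=false clients."""
        client = self._authenticate_client(client_id, client_secret)
        user = self.users.get(username)
        if user is None:
            raise PermissionError("invalid_grant")
        if client["password_required"] and (
                password is None or not hmac.compare_digest(user["hash"], _kdf(password, user["salt"]))):
            raise PermissionError("invalid_grant")
        if client["allowed_roles"] and not user["roles"] & client["allowed_roles"]:
            raise PermissionError("unauthorized_client")   # AllowedRoles gate per client
        return self._issue(client_id, username)

    def refresh_grant(self, client_id, client_secret, refresh_token):
        """POST /token grant_type=refresh_token; tokens are single use and bound to the client."""
        self._authenticate_client(client_id, client_secret)
        record = self.refresh.pop(hashlib.sha256(refresh_token.encode()).digest(), None)
        if record is None or record["client"] != client_id or record["exp"] < self.now():
            raise PermissionError("invalid_grant")
        if record["pw_version"] != self.users[record["user"]]["pw_version"]:
            raise PermissionError("invalid_grant")          # password changed since issuance
        return self._issue(client_id, record["user"])

    def _issue(self, client_id, username):
        client, user = self.clients[client_id], self.users[username]
        claims = {"sub": username, "client_id": client_id, "roles": sorted(user["roles"]),
                  "exp": int(self.now()) + ACCESS_TTL}
        if client["business_role"]:
            claims["business_role"] = client["business_role"]   # BusinessRole column -> claim
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        tag = _b64(hmac.new(self.signing_key, body.encode(), "sha256").digest())
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[hashlib.sha256(refresh_token.encode()).digest()] = {
            "user": username, "client": client_id, "exp": self.now() + REFRESH_TTL, "pw_version": user["pw_version"]}
        return {"access_token": f"{body}.{tag}", "refresh_token": refresh_token, "expires_in": ACCESS_TTL}

    def validate_access_token(self, token):
        """Resource-server check: signature and expiry only, no database round trip."""
        body, _, tag = token.partition(".")
        expected = hmac.new(self.signing_key, body.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            raise PermissionError("invalid_token")
        claims = json.loads(_unb64(body))
        if claims["exp"] <= self.now():
            raise PermissionError("expired_token")
        return claims
```

With three clients registered (a mobile app with AllowedRoles={user} and BusinessRole=field, an admin console with AllowedRoles={admin}, and a batch service with PasswordRequired=false), a password grant through the batch client skips the password check, the admin console refuses a user whose roles do not intersect its AllowedRoles, a refresh token is rejected the second time it is presented, and after change_password every outstanding refresh token fails because its stored pw_version no longer matches. The access token is validated from its signature and expiry alone, which is exactly why it must be short-lived.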

      Remember, No Authentication Method Is Perfect

      There is no ideal way to protect users from attacks when using applications, and even OAuth 2.0 has advantages and flaws exposed in implementations. By avoiding implementation mistakes and using the methods described in the article above, developers can help users stay more secure without breaking the seamless interaction with the app.

      Aleksey Gavrilenko is a senior developer at Itransition and is the technical lead for a large ASP.NET project on automating key project document management and control procedures for leading engineering and utilities companies in the U.S. and around world. He received a master’s degree in computer science from Belarusian State University. His areas of interest are .NET, enterprise content management, performance tuning, and software design and architecture.

Must You Use Microsoft’s In-Box DNS? https://www.esecurityplanet.com/networks/must-you-use-microsofts-in-box-dns/ Mon, 29 Aug 2016 00:00:00 +0000

      The post Must You Use Microsoft’s In-Box DNS? appeared first on eSecurity Planet.


      By Jeremy Moskowitz, PolicyPak Software

      In the case of your typical Windows domain network, it is “traditional wisdom” that only Microsoft DNS must be used with Active Directory for internal DNS resolution. Many times this is because:

      • It’s convenient to use the in-box solution
      • The myth that Active Directory requires Microsoft DNS to function properly
      • Others are doing Active Directory-integrated DNS, and therefore that way must be the only way to do it

There are some advantages to utilizing Active Directory-integrated DNS for your DNS zone besides the mere convenience of the in-box wizard. The primary benefits are that Active Directory replication takes care of DNS zone replication automatically and that every DNS server holds a writable copy of the zone, which removes the need to configure and budget for separate DNS zone transfer traffic. Other benefits include secure dynamic updates and DHCP integration, but these features are available in third-party solutions as well.

Do You Really Need Microsoft DNS?

      Active Directory-Integrated DNS is an option but not required.

It is simply a myth that Microsoft DNS is required for Active Directory. In fact, Microsoft published a KB article dispelling this myth many years ago, and the point is reiterated in multiple ways across Microsoft’s documentation on Active Directory and DNS.

      This can be found in the full Microsoft Technet article here: https://technet.microsoft.com/en-us/library/cc755717(v=ws.10).aspx

Note that this article refers to BIND (Berkeley Internet Name Domain) servers. But to be clear and specific, as Microsoft’s documentation states, you can use other DNS servers with Active Directory, and they do not need to be BIND specifically. The third-party DNS server you choose simply needs to support the RFC standards Active Directory relies on: SRV records (RFC 2782) so clients can locate domain controllers and, for automatic registration of the domain controllers’ records, dynamic update (RFC 2136), ideally secured with GSS-TSIG (RFC 3645). Most non-Microsoft DNS servers support these.

      Other articles which clearly reference Active Directory interoperability with non-Microsoft DNS servers are:

      Interoperability with Other DNS Servers: https://technet.microsoft.com/en-us/library/cc959268.aspx

      Verifying your Basic DNS Configuration [With non-Microsoft DNS]: https://technet.microsoft.com/en-us/library/cc959303.aspx

      Linux to Windows Migration (Configuring Berkeley Internet Name Domain (BIND) to Support Active Directory): https://technet.microsoft.com/en-us/library/dd316373.aspx

Another place you can see that Microsoft-specific DNS is optional is the Domain Controller promotion process. If you are creating an AD forest for the first time, the wizard does not require you to select DNS: it lets you continue with the DC promotion even when you do not choose to install the built-in DNS server component (the original article illustrated this step with a screenshot of the wizard).

      The Case for Non-Microsoft DNS

      Active Directory administrators naturally want Active Directory to perform at its highest capabilities. The key activities that Active Directory and its domain controllers should be performing are:

      • Authentication
      • Authorization
      • Accounting (logging)

Everything else that Active Directory and its DCs are tasked with doing takes away from these critical aspects. By integrating DNS into your DCs, you give them a task that necessarily competes with those critical activities.

Additionally, your DNS servers should be especially protected and especially secure. In the case of an attack on DNS, such as a DDoS flood aimed at the DNS service, an Active Directory-integrated DNS server suffers doubly, since the same machine is responsible for DNS and for the critical activities described above.

So what is the incentive to forgo the convenience of using Microsoft DNS servers exclusively?

      Here is a list of some of the value-added features offered by third-party DNS solutions available today:

      • Proactive automated adaptive behavior protection from DNS attacks, malware and data exfiltration through customized DNS firewall security
      • Utilize DNS and DHCP features that are unavailable from Microsoft in-box solutions such as Identity Mapping (linking IP addresses to users)
      • Intelligently resolve queries and direct traffic according to geographic location
      • Increased logging to help determine where issues and attacks are originating
      • Utilizing a single solution for external and internal DNS (aka “single view”)
      • Operating system-agnostic way to manage DNS
      • Increased security by reducing admin privilege usage
• Increased granularity for control of dynamic DNS updates via IP-based access control or per-name update policies, as opposed to Microsoft’s three-level approach of “none,” “secure only” (i.e., AD-joined clients authenticated with GSS-TSIG) or “nonsecure and secure” (i.e., anyone; no TSIG or IP-based authentication required)

      Conclusions on Non-Microsoft DNS

      Microsoft has always conceded that any compliant DNS solution will work alongside Active Directory. In short, there is no imperative to use Microsoft DNS with Active Directory. And real Active Directory customers are working just fine with this configuration.

      Getting started with non-Microsoft DNS doesn’t have to be hard. Like anything, it’s a process, but that process doesn’t have to be particularly difficult.

      If you’re interested in non-Microsoft DNS because of some of the items you’ve read here today, then you should investigate the features and functions you need and start a trial with non-Microsoft DNS.

      It’s my hope you have a new perspective on where non-Microsoft DNS can help you out.

      Jeremy Moskowitz is one of less than a dozen Group Policy MVPs worldwide, is the most-published author on Group Policy and a prolific Group Policy speaker worldwide. He’s also the founder of GPanswers.com and PolicyPak software. Since becoming one of the world’s first MCSEs, he has performed Active Directory desktop implementations for some of the nation’s largest organizations.

      Jeremy has spoken at just about every existing Windows conference about AD and Group Policy, including Microsoft TechEd, Microsoft Ignite, Microsoft Management Summit, WinConnections and TechMentor.

Ransomware and the Internet of Things: A Growing Threat https://www.esecurityplanet.com/networks/ransomware-and-the-internet-of-things-a-growing-threat/ Thu, 19 May 2016 00:00:00 +0000

      The post Ransomware and the Internet of Things: A Growing Threat appeared first on eSecurity Planet.


      Sekhar Sarukkai, Skyhigh Networks

      “If we had computers that knew everything there was to know about things — using data they gathered without any help from us — we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best.”

      When technology pioneer Kevin Ashton first explained this idea in 1999, a concept he termed the Internet of Things, a scenario like your fridge anticipating your grocery needs and even ordering for you would have seemed preposterous. After all, the full capabilities of the internet hadn’t been unlocked yet, the cloud as we know it hadn’t been born and unrelated devices had little or no ability to communicate wirelessly.

      Today, of course, nobody would dispute the statement that Ashton made in 1999 in the RFID Journal: “The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so.”

      But just as IoT promises to transform our world, the future doesn’t bode well for IoT security.

      The recent rash of ransomware attacks is just one example of how bad actors are taking advantage of security vulnerabilities to compromise both individuals and organizations. The emerging integration of IoT into the world of business, along with the evolution of ransomware, creates the perfect storm for a cybersecurity arms race.

      The State of IoT

      There may be some time before Ashton’s belief — that the Internet of Things may change the world more than the internet — is fully realized. But we are starting to see the beginning of a revolution.

At its core, IoT refers to a growing network of devices and other objects (“things”) that communicate with each other and with the internet. The devices, which have IP addresses, are typically embedded with sensors that can measure parameters like location and temperature and transmit data to a server or another device.

      In the business world, IoT could mean anything from improving transportation logistics and supply chain effectiveness, to automating inventory management and maximizing resource management.

      Airbus, for example, equips its technicians on aircraft assembly lines with smart tools and wearable technology to help improve quality and productivity. UPS analyzes data captured by sensors in its 80,000-vehicle fleet to reduce fuel consumption and idling time and to improve route efficiency.

      We are seeing only the beginning of how companies are capitalizing on IoT’s ability to coordinate machine-to-machine, people-to-people and people-to-machine communication in order to innovate how they do business.

      Gartner estimates that the number of connected “things” will reach 6.4 billion in 2016, with an astounding 5.5 million new things becoming connected every day. By 2020, Gartner’s prediction puts IoT at 20.8 billion in the consumer and business sectors, while Cisco estimates an even more robust 50 billion.

      Ransomware a Growing Threat

      The Institute of Critical Infrastructure Technology (ICIT) expects 2016 to be “the year ransomware will wreak havoc on America’s critical infrastructure community,” with new attacks becoming common “while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim.”

      As the ICIT explains it, ransomware’s effectiveness is due to the fact that the cybersecurity field is not well prepared for it. Ransomware can often bypass controls in place, and response by law enforcement is minimal. For organizations that are under attack, it’s a crippling experience, as we saw in the case of Hollywood Presbyterian Center, which had to redirect its patients to other providers.

Although some debate the ethical question of whether ransomware victims should pay, many of those under attack simply have no choice. The FBI estimates that losses from CryptoWall-related incidents alone cost victims more than $18 million between April 2014 and June 2015, and that is based only on known cases. The Cyber Threat Alliance estimates global losses from CryptoWall at around $325 million since CryptoWall version 3 was first deployed in January 2015, with more than 400,000 attempted infections identified.

      Evidence of the growing sophistication of the hackers has been mounting. McAfee Labs, for example, saw a rise in ransomware samples in the second quarter of 2015 — to more than 4 million, compared to 1.5 million just the previous quarter.

      Ransomware Meets IoT

      HP estimated in 2014 that 70 percent of most commonly used IoT devices were vulnerable to attacks, while International Data Corporation says that by 2017, 90 percent of organizations will have a breach related to IoT.

      Since anything that has an IP address and is connected to the internet can be hacked, HP’s estimate is especially troubling — but not surprising. Barbie dolls that can be used to steal user credentials. Security cameras sending unencrypted video that can be intercepted.  HVAC systems that can be used remotely to gain access inside a network. Reports abound of vulnerabilities being discovered in one smart device or another.

      We’ve already seen examples where these threats are not simply vulnerabilities that “could be” exploited. Last year, an attack on Virginia State Police’s fleet rendered state troopers powerless as they lost control of their cars. Also last year, hackers took control of a Jeep that was driving on a highway at 70 mph. Luckily, white hats were the “culprits” in both those scenarios as they were controlled demonstrations.

      While it’s true that  these kinds of attacks would require elaborate and lengthy planning, it’s only a matter of time before these kinds of headlines are made by black hats instead.

Let’s throw ransomware into this scenario. Imagine coming home to a message on your fridge that says you must pay a quarter of a bitcoin to remove the malware that has shut it off. Or imagine the app that controls your smart thermostat demanding payment if you want your temperature to drop below 120 degrees. Sure, these are benign examples, but what if this could happen to every single internet-connected object in your house?

      And what if it weren’t just basic electronics or appliances being “hijacked?” Let’s say a hacker remotely takes control over your WiFi-enabled rifle or disables your child’s insulin pump unless you pay up.

      Are those scenarios scary? Of course. Far-fetched? Not really, considering that those vulnerabilities actually do exist and that ransomware is rapidly evolving and becoming more sophisticated, including the emergence of new trends such as ransomware-as-a-service.

      ‘IoT Only as Secure as Its Network’

      As EY pointed out in its “Cybersecurity and the Internet of Things” white paper: “The security of the ‘thing’ is only as secure as the network in which it resides: this includes the people, processes and technologies involved in its development and delivery.”

      What complicates this — in addition to the huge number of endpoints and their lack of security — is the fact that IoT integrates not only disparate devices but also communication protocols, carrier networks and apps. Then, add to that another layer — the cloud, which has its own security challenges.

Unfortunately, many security professionals still focus largely on defending only the network and the data. As the Internet of Things becomes more embedded in business functions, that approach is no longer enough. IoT is not only a disruptive force in how organizations do business; it is also a paradigm shift for cybersecurity. This is especially true as the IoT industry grows exponentially, attracting more and more attention from bad actors, just as networks, the cloud and endpoints have done.

      A good first step: Examine IoT devices for security vulnerabilities and take steps to address them before the devices are installed.

      As the march toward the Internet of Things continues, fueling a new type of economy, every sector will have to confront these new security challenges. It’s only a matter of time before security vendors and hackers are engaged in a full-blown arms race.

      Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He brings more than 20 years of experience in enterprise networking, security and cloud services development to the company.

5 Steps to a Better Incident Response Plan https://www.esecurityplanet.com/networks/steps-to-a-better-incident-response-plan/ Thu, 28 Apr 2016 00:00:00 +0000

      The post 5 Steps to a Better Incident Response Plan appeared first on eSecurity Planet.


      By John Bruce, Resilient

      This is the decade of response. It’s officially arrived. After decades of focusing on preventing and detecting cyberattacks, security leaders are finally treating how they respond to cyber threats with equal priority.

      As the frequency, sophistication and volume of cyber threats continue to increase, organizations need the ability to respond to and mitigate them quickly. In fact, they can’t afford not to. According to a recent study by IBM, the average consolidated cost of a data breach increased by 23 percent since 2013, costing businesses an average of $3.8 million per breach.

      The good news is that effective incident response (IR) plans can minimize the impact of security incidents when they happen. IR plans require extensive documentation, testing and validation before they can be considered reliable, however. And they need to be continuously reviewed and updated to keep up with an organization’s individual needs.

      To create, assess and improve your incident response plan, follow these five steps:

      Determine if There Really Is an Incident

      An effective incident response plan should include clear guidelines for when and how a security incident is declared. Often, security incidents emerge as merely a set of disparate indicators.

Define the criteria for major and minor incident types, and outline the procedures to follow after each type of incident. Standardize severity level assessments across your entire organization, and include definitions of appropriate response times. Establishing a dispute resolution process in advance avoids harmful communication conflicts during security incidents.

      Establish Incident Response Roles and Responsibilities

      If you’ve concluded that an incident has occurred and follow-up is required, knowing who is responsible for each step of an incident response plan is critical.

      Roles, responsibilities and authority levels for all response team members should be determined well in advance of an incident. The team should also continually have access to any supporting resources or materials they may need. Some incidents may require support from other departments, like legal, HR, communications or executive leadership. Make sure you’ve identified these departments and discussed your IR plan with them ahead of time.

      Test and Improve the Incident Response Plan

      One of the most important steps in maintaining an effective IR plan is taking a step back and evaluating how a security incident unfolded.

      • Could the response team have done anything better?
      • Was detection and analysis of the incident effective?
      • Was the threat contained and eradicated in a timely manner?
      • Was information successfully shared across the organization during the incident?

      After considering these questions, you’ll be able to better assess your response team’s decision-making skills. You can also better evaluate if and how roles and responsibilities need to be adjusted to strengthen security. Make sure all departments — not just the response team — are involved in this post-incident evaluation process. Better coordination and understanding of incident management skills requires consensus across multiple departments.

      Plan and Practice Internal Communications

      It’s critical to review and test your internal communication plan before a security incident occurs. Practicing the communication chain saves precious time when an event escalates. Time is of the essence, and communication networks tend to be the first resource to break down during security incidents.

      Make sure every response team member has identified and contacted their alternate, as well as their counterpart in the business and information technology teams. Remember to keep communication records for any third-party vendors your organization works with, as well as their emergency contact procedures. Lastly, establish a protocol for identifying a crisis command center, if needed.

      It’s also important to consider the communication with the correct people outside your immediate organization in the event of a security incident. When should an event involve other departments? Then identify who those contacts are across the organization and how you will engage with them.

      Also, assign someone within your organization to handle all media communications, and make sure your support team or help desk prepares an automated message to prevent its staff from becoming overwhelmed during an incident.

      Understand Impact of Security Incidents

      Given the number of high-profile data breaches and the growing threat of identity theft, consumers are especially sensitive about their personal data being put in danger. Organizations need to understand exactly what is at risk in any and all security incidents, and how that can have a negative impact on their business and reputation.

      Even minor security incidents can cripple organizations when you consider the costs associated with data loss: tarnished brand reputation, customer abandonment, legal fees and cyber security repair. Estimate the costs of extended loss of business, and determine where the greatest impacts would be.

      Cyberattacks are an unfortunate reality. As long as organizations have something valuable to protect, security incidents will be a part of doing business.

      But cyber security incidents don’t have to be disastrous; organizations can manage them, quickly return to normal operations and continue to thrive in the face of growing cyber threats. The key: Prepare and provision your incident response plan today, before an incident occurs.

      John Bruce is CEO and co-founder of Resilient, an IBM company. He was previously chairman and CEO of Quickcomm, an Inc. 500 international company acquired by Vodafone; president and CEO of Authentica, a leader in file security and management acquired by EMC; and an original member of the executive team at Counterpane, a managed security services provider acquired by British Telecom. His formative years were spent with Symantec, where he held a number of executive leadership roles in Europe and the U.S.
