
What are your peers doing when it comes to cloud security?

Organizations continue to adopt cloud computing at a rapid pace to benefit from the promise of increased efficiency, better scalability, and improved agility.

While cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to expand security services to protect their evolving cloud platforms, it is ultimately the customers’ responsibility to secure their data within these cloud environments.

The 2019 Cloud Security Report highlights what is and what is not working for security operations teams in securing their cloud data, systems, and services under this shared responsibility model. The results are a continuation of past challenges:

  • The top cloud security concerns of cybersecurity professionals are data loss and leakage

  • The cloud compliance process IT professionals find most challenging is monitoring for new vulnerabilities in cloud services that must be secured. Following closely behind, as the second most challenging compliance process, is audit/risk assessment within the cloud environment.

  • The two biggest operational security headaches teams struggle with when trying to protect cloud workloads are compliance and lack of visibility into cloud security.

Overall, the findings in this report emphasize that security teams must reassess their security posture and strategies, and address the shortcomings of legacy security tools to protect their evolving IT environments. This 2019 Cloud Security Report has been produced by Cybersecurity Insiders, a 400,000-member information security community, to explore how organizations are responding to the evolving security threats in the cloud. Download the full report at https://www.cavirin.com/resources/2019-analyst-cloud-security-report


Security Tips to Get You Through April

OK, what’s worse than having to file your taxes? Falling for a tax scam. The problem is that there are way too many ways to fall victim. However, instead of focusing on the individual and the various well-documented phone, email, and other social engineering scams, we’ll look at the real pot o’ gold – independent tax preparers. Why buy a quart of milk when you can own the whole cow?

We’re not talking about the major brokerages, H&R Block, and other established firms.  The real risk is in compromising the corner tax preparer, in many cases doubling up as an accountant.  Much like the independent doctor or dentist (becoming harder to find, btw), these preparers have access to the most confidential of financial data for literally hundreds of customers, a gold mine for identity theft.

Members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) in June noted that they believe “far fewer than half of the tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals …have implemented required security practices.”

In a good year, preparers need to be on the lookout for spoofed sites, ransomware, and phishing; maintain basic network hygiene; guard against physical intrusions (it only takes one USB drive); and even watch for dumpster divers. They also need to head off scams where a hacker poses as a new client, possibly using stolen credentials. But 2019 is anything but a normal year!

Between the government shutdown and changes in the tax law, many individuals are confused, stressed, and are delaying preparation, all falling on the shoulders of their preparers.  In the interest of time, they’ll use less secure channels for communication, leave confidential messages, and of course, be more at risk from others spoofing their preparer’s identity. 

As a preparer, be extra diligent about any attachments or links in client or external email, any USB drives supplied with client data, and any calls that claim to come from clients (but may not) requesting confidential data.

On the IT side, it goes without saying to lock down your WiFi, encrypt all data as a last line of defense against data theft, and automatically assess for vulnerabilities and other security gaps based on industry best practices and patch as required.  This also applies if you are using cloud-based services. 

Scams involving SharePoint and other cloud-based accounts and documents are also in vogue this year, and with more clients apt to share documents via Google Docs, Box, Dropbox, or any one of a number of other services, the chance of a breach grows.

Finally, be on the lookout for any strange behavior when filing, when entering or reviewing data, or when downloading or uploading. Anything out of the ordinary could indicate a breach, so stop and pause.

A good IRS guide with links to best practices is here:


You keep a clean kitchen – how about your security posture?

You go into a restaurant, and, at least in California, the first thing you notice is the green ‘PASS’ in the window.  What does this imply?  That the restaurant has proper hygiene… that their kitchen is clean, their staff is trained in sanitary practices, and that if you order lamb from the menu, you actually get lamb, and not some mystery meat. 

Although I don't have all the information behind the restaurant scoring system, it's my understanding that the Health Inspector will calculate a score based on the violations observed, and provide a more detailed report to leadership on what areas need attention. The inspections are routine, with follow-ups as needed. The same must apply to the restaurant’s cybersecurity posture: if you want to avoid an upset stomach caused by a credit card breach, or if the owner doesn’t want his or her backend systems compromised, it's important to understand what areas of your backend payment systems need attention. That's why PCI audits take place.

We all admit that this is a difficult time for many restaurant chains and individual proprietors. Changing eating habits, delivery services, healthcare and staffing costs, the cost of raw goods and utilities, etc. etc. But restaurants can’t cut back on securing their IT infrastructures in an environment where the number of breaches has gone up by 40% since 2016, and where the typical breach costs $50K or more. A chain will probably survive, but an independent? Who knows? Unfortunately, according to Hospitality Technology’s 2017 Restaurant Technology Study, only 38% of restaurants have technology as a strategic priority.

PCI compliance, or even EMV and P2PE, means the business in question has the processes in place to protect customer financial data. The real problem is the PCI audit itself, every 3 or 6 months. A hacker can set their eye on the company the day after the audit is complete, and potentially go unidentified until the next audit. And this is if the audit passes. Many fail one or more audits, and according to a recent Verizon report, this group is 100% likely to be breached in the ensuing 12 months. In fact, restaurants are many times less secure than the typical enterprise, in that their Linux, Windows, Android, and iOS POS terminals are in less secure environments. These terminals are 40x more liable to either hardware or software compromise than the typical enterprise, and 90% of restaurant breaches are POS-driven.

We’ve seen this time and time again, and chances are you’ve had your own cards compromised one or more times. How can we reverse this trend? As the old saying goes, security is not a destination but a continual journey. If you are focused on PCI, you need to continually reassess your cybersecurity posture, whether in your own IT environment or in the public cloud services you use. There are frameworks that outline best practices, and solutions that offer automated assessments. They may not cause you to immediately pass PCI, but they will quickly identify your breach potential. At the same time, other frameworks like ISO, SOC2, GDPR, NIST, and others will better ensure your cybersecurity posture.

In closing, though we’ve focused on restaurants, many of the same concerns apply to other hospitality verticals – casinos and gaming, hotels and resorts, cruise ships, and even traditional retail. 


How to Protect Your Organization During The NCAA Tournament and Beyond

According to the American Gaming Association, 47 million Americans will bet nearly $8.5 billion on the NCAA tournament, so it’s no wonder that every year there is a steep increase in cyber-activity around the event. IT teams must be on high alert to deal with the madness: from phishing scams to the malware-infected sites that unsuspecting employees visit to catch part of the action, employees' involvement in March Madness can easily open an organization’s door to a cyberattack. With the threat looming, organizations spend months preparing for this time of year, and we have compiled some of the best advice for protecting your organization during the NCAA Tournament and beyond.

  • Remind your employees about phishing attacks. Even if phishing attack education is part of your organization’s security training program, some of the offers made in these emails, especially during March Madness, can be very tantalizing and bring an employee’s guard down.

"Cybercriminals are well aware of the popularity of March Madness and are already preparing spear phishing emails to millions of college basketball fans, as well as non-basketball fans who are merely participating in the ever-popular office pools." 

Dan Lohrmann, CSO, Security Mentor 

  • Set up a few flat screen televisions for the event. Millions of employees stealthily watch the game from their laptops, computers, and phones, where malware can be camouflaged as streaming video and network bandwidth is depleted. Companies might therefore want to set up a few flat screen televisions streaming the legitimate video feed, so employees can walk by and get the latest updates, satisfying their bracket interest without putting their organization at risk or using excessive bandwidth.

A Nielsen cross-platform study says in 2018 over 175 million fans engaged with the tournament across all networks and platforms.

www.forbes.com

  • Ensure that your security patches are up to date so you do not become an easy target of a cyberattack. This is an important one and one that slips through the cracks if automated enterprise patch management is not implemented. Automating routine tasks is key to protecting an organization from cybersecurity threats during an event like March Madness and from day-to-day threats.

In 2017, Aberdeen found that, if not automated, vendor patching in a $100 million company with 100 database instances is likely over the course of one year to be complex (440 patches required) and time-consuming (910 hours of disruption).

Aberdeen Group

  • Make sure that you are continually assessing the security posture of all managed cloud services and workloads by getting scored guidance to facilitate a prioritized response plan, so you can make informed and timely decisions when protecting your organization against cyber threats.

60% of organizations believe lack of visibility across all IT asset types constitutes a challenge to their cybersecurity posture.

Ponemon Institute

Although the last one might be a little tough, since the tournament is just underway, it’s one that should be considered as you evaluate your overall security posture for 2019 and beyond. At Cavirin, we do not believe that your cybersecurity posture should be driven by one event, or your IT team will be exhausted come tax season next month.


Cavirin, Accedian, and Quali Enabling More Secure and Visible 5G Deployments

5G deployments introduce additional security and performance concerns, along with the need to effectively model the infrastructure before deployment. At the upcoming Mobile World Congress in Barcelona, Cavirin is pleased to be included within Accedian’s and Quali’s ‘Secure and Fast,’ a solution that addresses these sometimes conflicting requirements and embraces DevSecOps.

First, consider the diverse 5G use cases, spanning high-bandwidth fixed connectivity, low-power remote sensor networks, and even low-latency autonomous vehicles. In order to effectively validate these use cases, the network must be modeled long before deployment, and one way to accomplish this is via what Quali terms ‘Environments-as-a-Service,’ or EaaS. This modeling spans the network, content, data, and applications, ultimately positively impacting the Quality of Experience for 5G subscribers.

One way to look at it is as a twin of the public or private cloud, where developers, testers, and ops interact with the environment from the perspective of management, monitoring, provisioning, and configuration as if they were operating on an actual deployment. This is then paired with Cavirin’s ‘CyberPosture Intelligence’ and Accedian’s ‘Complete Visibility.’ Note that these are only two of the potential DevOps automation tools, spanning security, coding, and load/performance, that could in the future add to the solution.

Cavirin’s role within Secure and Fast is to address the security challenges facing 5G rollouts, including general cybersecurity threats and data breaches, as well as more specific requirements such as addressing security vulnerabilities, regulatory compliance, and data privacy. This is paired with Accedian SkyLIGHT PVX, designed to address visibility challenges that include performance, application responsiveness, as well as workflow analytics and efficiency. Quali, as depicted in the figure below, effectively models various aspects of the proposed deployment, including the different tools, clouds, applications, networks, and finally, devices.

Figure: Secure and Fast - 5G Security

For the operator, Cavirin will deliver a security and compliance vulnerability score, while Accedian’s contribution is a network and application performance score.  These scores, coupled with Quali EaaS, will permit organizations to simplify application and cloud rollouts, automate and expedite deployment processes, validate cybersecurity postures, and gain visibility into resource usage and potential performance impacts.  The advantage is that this all takes place in a replicable and secure sandbox environment before going ‘live’ with any changes or updates. 

Benefits to both enterprises and service providers are many-fold, and include:

  • Faster delivery of physical, virtual and cloud infrastructure for new products and services
  • Real-time monitoring of application performance and transaction times across multi-cloud environments
  • Ability to pinpoint the root-causes of performance degradations
  • Comprehensive visibility into the impact of the overall system security posture
  • Risk-free, lab-as-a-service tests of SDN and 5G network slices 

Secure & Fast will be demonstrated at Mobile World Congress Feb 25-29 in Barcelona and during RSA March 4-8 in San Francisco. Read the press release. To book a meeting or to express interest in trialing this new solution, please visit accedian.com/secure-fast.


The Damage A Second Shutdown Will Cause

Just over a month ago, we wrote about the potential impact of the government shutdown on our national cybersecurity posture, much like going off on vacation and forgetting to lock all the doors. As expected, the impacts were:

  • Externally visible, such as website TLS expirations and the associated security risks that come along with that.
  • Internally painful, including the inability to effectively respond to day-to-day threats and the vulnerabilities the agencies are still dealing with today.
  • Long term crippling, breaking down the confidence of mission-critical government employees and the belief that their careers are secure and that their actions are valued.
  • Some of the critical agencies caught up in the shutdown: the Cybersecurity and Infrastructure Security Agency, the U.S. Secret Service at DHS, the FBI and computer crime prosecutors at DoJ, and Commerce agencies (NIST, NTIA, and the NCCoE).

Even though the shutdown is over, many are still dealing with the financial impact and the potential windows it opened to future security threats. Plus, some of those cybersecurity professionals who were considering a move to the private sector are making their move. Adding insult to injury, there have been multiple reports recently that many government agencies are in fact less secure than their civilian counterparts.

Yes, there are a number of initiatives underway to directly address the government skills shortage, and some proposals are on the table to expand the country’s artificial intelligence strategy to maintain and advance national security, but that’s for tomorrow.  What about today?

As of Feb 12th, it is still touch-and-go whether the government will be funded after Feb 15th.  Negotiations in Congress could still break down, or the resolution could be vetoed by the president.  So with our cybersecurity at risk, what immediate action should be taken to maintain our country’s CyberPosture? 

Irrespective of whether another shutdown occurs, the various government agencies need to take a step back and closely evaluate their security protocols. They need to identify critical systems and potential vulnerabilities and add them to the set of assets that are monitored and maintained 24x7, independent of what happens on Capitol Hill. During the January shutdown, it was reported that security operations, software patching, and penetration testing all suffered, opening many windows to cyber attacks. Moving forward, agencies must introduce any and all possible security automation to ‘keep the lights on,’ so to speak, in the event of a repeat shutdown.

Check out the Cavirin whitepaper, Accelerating Responses to Security Gaps Through Automation, for those looking to minimize the risks due to change management delays and manual processes.


© 2019 Cavirin Systems, Inc. All rights reserved.