Privacy Teams Helped Navigate the Pivot to Work-from-Home

Annual Cisco privacy study also reports that 90% of organizations say their customers won’t buy from them if they are not clear about data policy practices.

New research from Cisco found that most organizations over the past year turned to their privacy teams to help navigate and guide their shift to remote work in response to the COVID-19 pandemic.

“What we found was that roughly two years ago most companies barely had a privacy team; it was tucked away in a legal office,” says Robert Waitman, director of data privacy at Cisco. “But with the shift to remote work because of the pandemic, privacy has become more important, mainly because employees were uncomfortable with the privacy of the tools available and the need for companies to provide a safe workplace.”

The Cisco 2021 Data Privacy Benchmark Study, released ahead of Data Privacy Day on Jan. 28, found that privacy budgets doubled in 2020 to an average of $2.4 million. Overall return on investment was down slightly compared to 2019, but remained healthy with 35% of organizations reporting benefits at least two times their investments.

Here’s a snapshot of the ROI companies reaped from privacy investment:

  • Built customer trust (76%): Respondents say customers better understand what’s happening with their data and what the process is in the event of a breach.
  • Mitigated security losses (74%): Organizations spent less time and money responding to a breach.
  • Achieved operational efficiencies (74%): Data privacy controls resulted in more efficient operations.
  • Reduced sales delays (68%): Customers now spend less time trying to figure out the vendor’s privacy policies, which resulted in shorter and more efficient sales cycles.

“We found at Cisco that customers took up a lot of our time asking about how their data was used, which would slow down the sales cycle,” Waitman says. “We found that clear privacy policies streamline the sales cycle and also create transparency with the customers.”

Stacy Scott, managing director in Kroll’s Cyber Risk practice, says that companies were caught off-guard by the pandemic and had some business-critical questions to grapple with around data privacy, so it makes sense that companies leaned on their corporate privacy teams.

“This generation has never been through a pandemic, so there were a lot of questions to ask, such as: What type of privacy program we should set up? How do we keep employee data safe? And do we need to have monthly drive-bys at the homes of employees to pick up sensitive documents?” Scott says.

The rapid shift to more ecommerce also raised the privacy team’s profile.

“Individuals are doing more with ecommerce and companies are interacting more with their customers online and also doing more online trade shows and conferences,” Scott says. “All of this raised questions on how companies were going to keep all those communications and data private. And as people shifted their activities, the bad threat actors followed, which also put pressure on remote access systems and essential services, increasing privacy concerns.”

Consumer-Driven Privacy Movement

Consumers have also played a large role in the move by companies to take privacy seriously. According to the Cisco benchmark report, a top concern of individuals over the past few years has been the lack of transparency about what data is being collected and how it’s used. Businesses and governments have not always been clear on this front, and even when they strive for transparency, the analytics, algorithms, insights, and inferences involved are often too complex for the general public to understand.

Waitman says many consumers have taken matters into their own hands: nearly one-third already have stopped buying from a company over their data policies or practices. Companies are increasingly recognizing this challenge, and 90% of organizations in this year’s benchmark survey say that their customers will not buy from them if they are not clear about data practices and protection.

Privacy legislation has also played an important role in offering assurances that governments and organizations are being held accountable for how they manage their data. More than 130 countries now have omnibus privacy legislation and the vast majority of them have been passed in the past few years. Among respondents to the benchmark survey, 79% say privacy regulations have had a positive impact, 16% were neutral, and only 5% said that privacy laws have a negative impact.

Another sign from the benchmark survey that privacy’s profile has risen: 93% of organizations now report at least one privacy metric to the board, with 14% reporting five or more privacy metrics. Among the most reported metrics are privacy program audit findings (36%), privacy impact assessments (32%), and data breaches (31%).

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

Mimecast: Recent Certificate Compromise Tied to SolarWinds Attacks

Yet another security firm hit in the sweeping attack campaign believed to be out of Russia.

Email security provider Mimecast today confirmed that the recently revealed compromise of a Mimecast-issued certificate for some of its products indeed stemmed from the SolarWinds attack campaign.

Mimecast earlier this month disclosed that an attacker had compromised a certificate provided to certain customers to authenticate Mimecast products to Microsoft 365 Exchange Web Services. The security vendor, which first learned of the breach from Microsoft, recommended that its affected customers delete the existing connection in their Microsoft 365 tenant and set up a new certificate-based connection with newly issued keys.

“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor,” Mimecast said in blog post today.

“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” the company said.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

BEC Scammers Find New Ways to Navigate Microsoft 365

Their techniques made use of out-of-office replies and automatic responses during the 2020 holiday season, researchers report.

Business email compromise (BEC) scammers targeted victims’ out-of-office replies and read receipts during the 2020 holiday season, when many took time off work and automatic replies were more prevalent, researchers report.

Attackers targeted victims by redirecting their own Microsoft 365 out-of-office messages back to them, Abnormal Security noticed. A scammer would write an extortion email and manipulate the email headers (“Reply-To”). If the target has an out-of-office reply turned on, the alert can be redirected to a second target within the organization — not back to the attacker, researchers report. 

“Even though the original extortion email was auto-remediated, the manipulated email header triggered an Out of Office reply to a second target that includes the text of the extortion,” they write in a blog post. 

Similarly, in a “read receipts” attack, the scammer would write an extortion email and change the email headers (“Disposition-Notification-To”) so the target would receive a read receipt notification from Microsoft 365 instead of the attacker. The manipulated email header would trigger a read-receipt notification back to the target, which includes the text of the extortion. 
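The redirection described above, as an added example written for this page (it is not Abnormal Security’s code or the article’s): a Go program that parses two constructed messages with the standard net/mail package and flags the pattern, an external sender whose Reply-To or Disposition-Notification-To header points at an address inside the recipient’s own domain. The sample headers, the domain victim.example and the internal-domain rule itself are assumptions made for illustration, not something the article specifies.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample messages (not real captures). The first is the scam
// described above: the sender is external, but Reply-To and
// Disposition-Notification-To point at a second employee of the target
// organization, so the recipient's own Out-of-Office reply or read receipt
// carries the extortion text to that colleague.
const sampleScam = `From: "Payments Desk" <payments@outside-sender.test>
To: alice@victim.example
Reply-To: bob@victim.example
Disposition-Notification-To: bob@victim.example
Subject: Final notice

Pay 2 BTC within 48 hours or your files go public.
`

// A normal external message: Reply-To matches the sender.
const sampleBenign = `From: "Carol" <carol@partner.test>
To: alice@victim.example
Reply-To: carol@partner.test
Subject: Lunch

See you Thursday.
`

// Finding records one header that would steer an automatic reply inward.
type Finding struct {
	Header  string
	Address string
}

// domainOf returns the lower-cased domain part of an address.
func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// redirectedAutoReplies flags an external message whose Reply-To or
// Disposition-Notification-To header names an address in ourDomain.
// Out-of-Office replies go to Reply-To and read receipts go to
// Disposition-Notification-To, so such a message turns the recipient's
// mailbox into a relay that delivers the body to a colleague.
func redirectedAutoReplies(raw, ourDomain string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	if domainOf(from.Address) == ourDomain {
		return nil, nil // internal senders legitimately receive colleagues' auto-replies
	}
	var findings []Finding
	for _, h := range []string{"Reply-To", "Disposition-Notification-To"} {
		v := msg.Header.Get(h)
		if v == "" {
			continue
		}
		addrs, err := mail.ParseAddressList(v)
		if err != nil {
			// An unparsable redirect header on external mail is itself worth a look.
			findings = append(findings, Finding{Header: h, Address: v})
			continue
		}
		for _, a := range addrs {
			if domainOf(a.Address) == ourDomain {
				findings = append(findings, Finding{Header: h, Address: a.Address})
			}
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"scam": sampleScam, "benign": sampleBenign} {
		f, err := redirectedAutoReplies(raw, "victim.example")
		fmt.Printf("%s: findings=%v err=%v\n", name, f, err)
	}
}
```

The same check belongs in a mail-flow rule or transport-rule equivalent at the gateway, since by the time an auto-reply fires the original may already have been remediated; note that the body of the extortion message never needs to reach anyone directly for the scam to work, which is why a content-only filter misses it.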

Cartoon Caption Winner: Before I Go …

And the winner of The Edge’s January cartoon caption contest is …

Our January 2021 caption contest has come to a close. Congratulations go to The Edge reader Jonathan Boyett for his winning “Before I Go…” caption. Boyett is an IT auditor at Phillips 66. A $25 Amazon gift card is on its way.

Second-place winner, and recipient of a $10 Amazon gift card, is Bruce Lightsey, database manager at State of Mississippi Dept of ITS.

Thanks to everyone for their contributions. A new contest will be posted next week.

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron’s, and The Wall Street Journal.

Fighting the Rapid Rise of Cyber Warfare in a Changing World

Global cyber warfare is a grim reality, but strong public-private relationships and security frameworks can safeguard people, institutions, and businesses.

Security experts have learned many lessons from 2016 about how cyber warfare not only impacts elections but also has the potential to disrupt everything from energy and education to government services and military operations. Whether it is nations such as China, Russia, Iran, and North Korea, guerrilla groups, or rogue actors, the danger grows as our dependency on digital tools continues to rise.

There are a host of reasons for nation-states and international organizations to engage in cyber warfare with the goal of causing physical or economic harm. They may want to gain a competitive advantage by stealing strategic business plans; cause catastrophic damage with a tactical strike on a local utility; access data from state and local governments to disrupt crucial industries such as the military, aviation, and education; or lock up hospital information systems to hurt patient care.

Addressing these dangers is imperative for the public and private sectors, as evidenced by recent high-profile attacks, presumably by Russia, that impacted multiple government agencies and corporations. When cybersecurity firm FireEye discovered that attackers had made off with the company’s red-team tools, which are designed to find vulnerabilities, it immediately launched an investigation. That investigation traced the intrusion to a trojanized update of SolarWinds’ Orion software, a supply-chain compromise rather than a conventional vulnerability. Because Orion is used by many public agencies, it became frighteningly clear that a vast breach of US government networks had also occurred. The backdoor planted in those Orion builds, and by extension the campaign against corporate and government networks, is now known as Sunburst.

Build Strong Ties to Fortify Against Dangerous Attacks
All of these examples point to the increasing sophistication and frequency of cyber threats directed at the government and corporate sectors. To stand a chance against these attacks, it is clear that a more robust collaboration is required between these two groups.

  • Government agencies are not typically transparent due to concerns about national security, but intelligence exchanges help all stakeholders open conversations regarding threats and attacks to broaden the collective knowledge. For instance, while the SolarWinds damage is likely widespread, it could have gone much further if FireEye had not discovered and immediately shared it with government agencies and law enforcement.
  • The corporate world could learn from the government when it comes to cyber-awareness and security training conducted for federal employees. Additionally, government standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series can help nongovernmental organizations further enhance security.
  • On the flip side, the government can take a lesson from the private sector on how to react and adapt more quickly. A recent survey of government cybersecurity professionals found that 65% of respondents thought the pace of cybersecurity change was too slow compared with enterprise organizations, and 81% believed that collaboration with the private sector could hasten security processes.
  • Both sectors should explore how privacy-enhancing techniques could be used to develop more productive partnerships. Technologies such as cryptographic algorithms and data-masking techniques are increasingly used in banks to detect financial crimes through information sharing and analysis but without disclosing sensitive data.

Minimize Risk by Prioritizing Key Security Functions
Building strong public-private relationships is an important step in addressing cyber warfare. But without the right security framework in place, agencies and businesses will continue to operate at risk. Here are some key priorities:

  • Follow a DevSecOps approach when developing applications by having security in mind from the start and building security auditing and compliance checks into standard continuous integration/continuous delivery (CI/CD) pipelines.
  • Use best practices for application security found in the Open Web Application Security Project (OWASP) and its top 10 list of the most impactful web application security risks, including tips for logging and monitoring solutions to reduce response time.
  • Improve network security against man-in-the-middle attacks, wardriving, and other network attacks by educating employees on the risks of public Wi-Fi, requiring a virtual private network (VPN) for sensitive resources, and strengthening network authentication.
  • Identify and remedy injection vulnerabilities by scanning regularly during development: static code-analysis tools in the build pipeline catch them in source, and dynamic scanners such as Burp Suite and OWASP ZAP catch them in the running application.
  • Secure vulnerable VPNs with aggressive patching and authentication. This is especially important for government agencies that are accustomed to fully closed networks but with remote work are subjected to the same security issues as commercial businesses.
  • Hire the best teams for the job. Cybersecurity is a multidiscipline practice, and building a solid framework requires advanced- to expert-level knowledge in each area, including application development and networking.

Plan for the Worst
Organizations can follow every protocol and a breach can still occur, which makes a crisis response plan as urgent as preventive security. In 2016, the average time that organizations needed to identify a breach was 191 days, and it took an average of 70 days to contain the breach. A crisis response plan depends on logging and monitoring that let the team detect and respond to a breach more quickly. A response team should include forensic analysts, legal professionals, and potentially the public relations department to build a plan for consistently responding to incidents.

Global cyber warfare is a grim reality, and attacks will continue to escalate and get more sophisticated. There is no way to combat them completely, but building partnerships, identifying the right tools and technologies, employing teams that are up to the challenge, and creating a solid crisis plan will put the private and public sector in a better position, helping safeguard people, institutions, and businesses around the world.

Patrick Walsh is a Senior Vice President at SkillStorm, where he is responsible for the company’s technology training initiatives including developing coursework and curriculum and leading its immersive talent development program.

Learn SAML: The Language You Don’t Know You’re Already Speaking

Security Assertion Markup Language, a protocol most people use daily to log into applications, makes authentication easier for both admins and users. Here’s what you need to know about SAML (and what it has to do with “GoldenSAML”).

Security Assertion Markup Language (SAML): You may have heard of it. You’ve likely used it at least once today to log into a website portal or enterprise application. But what is SAML? How does it work? And why do you need to know about it?

What Is SAML?
SAML is an XML-based standard used to authenticate into Web applications like Box, Microsoft 365, Salesforce, and Gmail for Business. The protocol handles federation, identity management, and single sign-on (SSO). Identity federation lets an identity managed by one organization be trusted by applications run by others; with SAML, these apps and businesses can trust each other’s users.

What Problem Does It Solve?
Most apps have a database or Lightweight Directory Access Protocol (LDAP) to hold users’ profile data and credentials, along with any additional data needed to verify a user. When someone signs in, this data store validates the credentials and logs them in. However, when a person has to log into multiple apps and each requires different credentials, it becomes an issue – for users who have to remember all their credentials, and for the admins who maintain and revoke them. Enter SAML.

SAML streamlines the authentication process for signing into SAML-supported websites and applications, and it’s the most popular underlying protocol for Web-based SSO. An organization keeps one login page and can configure any Web app supporting SAML, known as a service provider (SP), so its users only have to authenticate once to log into all of its Web apps (more on this process later).

The protocol has recently made headlines due to the “Golden SAML” attack vector, which was leveraged in the SolarWinds security incident. An attacker who steals the identity provider’s token-signing private key can forge assertions for any user and gain access to any service that trusts that identity provider, without ever touching the provider’s login page or its multifactor checks. Its use in the wild underscores the importance of following best practices for privileged access management and for protecting signing keys.

A need for a standard like SAML emerged in the late 1990s with the proliferation of merchant websites, says Thomas Hardjono, CTO of Connection Science and Engineering at the Massachusetts Institute of Technology and chair of OASIS Security Services, where the SAML protocol was developed. Each merchant wanted to own the authentication of each customer, which led to the issue of people maintaining usernames and passwords for dozens of accounts. 

“The whole password problem is a 30-year-old problem,” Hardjono says. “The idea of SAML was, could we create a special entity, called the identity provider, that would essentially be the authentication entity?” 

Who Are These Identity Providers?
An identity provider (IdP) is tasked with verifying users’ identities and communicating with the SP to log them in so they can access more resources with fewer logins. There are several IdPs in today’s market: Okta, OneLogin, Microsoft Active Directory Federation Services, Duo Access Gateway, and Ping Identity are a few popular ones. SAML was needed to express that the IdP authenticated a user.

Hardjono calls the interaction among SP, IdP, and user “a triangular flow or relationship.” Read on for more details on how this relationship works.

How Does SAML Work?
SAML works by allowing SPs, or applications, to delegate their authentication to a separate, dedicated service, or IdP.

SPs are configured to trust specific IdPs in the federation process. It doesn’t matter to the SP how the IdP checks a user’s identity; it only cares that the user is verified. The user only needs one username and password, which is managed by the identity provider.

John Maguire, senior software engineer at Duo Security, puts this into the context of logging into a conference call. An employee clicks the link to log into a Webex meeting. When they land on the Webex page, they’re going to look up which IdP is used to authenticate — something the business has preconfigured, he adds.

Webex then redirects the user to their IdP, along with a message asking to authenticate them. The IdP has several methods for doing this: It could check a user’s credentials and account status, the device used to access the application, or the network a user is on. It could invoke multifactor authentication. The user’s employer configures the steps taken to verify their identity.

“Those all go into determination of either what level of authentication it should use — just first factor, first factor and second factor, [and] whether it should let you authenticate at all,” Maguire adds. If an IdP notices the location is off, for example, it may deny a user’s authentication. 

The IdP verifies this data and creates a message, or SAML assertion, which states the user’s identity and attributes and is digitally signed so the SP can check that it really came from the IdP and was not altered in transit. The IdP then sends this data via browser redirects to Webex, which validates the signature and checks the user’s identifying data before authenticating them into the application.

“All of this communication is actually passed back and forth using the user’s browser,” adds Jamie Pringle, also a senior software engineer with Duo Security. “The two sides never directly talk to each other.” 

Oftentimes there will be multiple SPs configured to one IdP. In these cases, an authenticated user may see a dashboard with other service providers they can access for however long the session is configured to last, six hours, say.

There are two types of workflows for SAML-based authentication. In an SP-initiated process, a user tries to log into a service provider’s Web portal. Instead of requesting credentials, the site will redirect to its IdP with a SAML request for authentication. In an IdP-initiated process, the user logs into the IdP and is authenticated and then sent to the SP with a SAML assertion. Some SPs don’t support an SP-initiated process. In this case, an IdP-initiated workflow is the only option.
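The assertion exchange described above, together with the Golden SAML point made earlier, as an added example (this is not code from the article, from Duo or Okta, or from any SAML library): a Go program using only the standard library in which an IdP signs a minimal assertion with an RSA key, an SP performs the checks it must make before trusting one (signature, issuer, audience, validity window, InResponseTo), and an attacker holding the stolen signing key forges an assertion that passes every one of them. The XML structure is a stripped-down stand-in for a real SAML assertion and XML-DSig, and the entity IDs, request IDs and user names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion is a deliberately minimal stand-in for a SAML 2.0 <Assertion>. Real ones
// carry many more elements and use XML-DSig, but an SP must make the same checks on them.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Issuer       string   `xml:"Issuer"`
	NameID       string   `xml:"Subject>NameID"`
	Audience     string   `xml:"Conditions>Audience"`
	NotBefore    int64    `xml:"Conditions>NotBefore"`    // Unix seconds
	NotOnOrAfter int64    `xml:"Conditions>NotOnOrAfter"` // Unix seconds
	InResponseTo string   `xml:"InResponseTo"`            // ID of the SP's AuthnRequest
}

// Sign is the IdP side: serialized assertion plus an RSA PKCS#1 v1.5 signature over its
// SHA-256 digest. Whoever holds this private key can mint assertions: that is Golden SAML.
func Sign(key *rsa.PrivateKey, a Assertion) (body, sig []byte, err error) {
	if body, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return body, sig, err
}

// SP holds the trust configuration established during federation.
type SP struct {
	EntityID        string
	TrustedIssuer   string
	IdPKey          *rsa.PublicKey
	PendingRequests map[string]bool // AuthnRequest IDs issued and not yet consumed
}

// Validate makes the checks an SP must make before logging the user in (an SP that
// accepts IdP-initiated logins would relax only the InResponseTo check).
func (sp *SP) Validate(body, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not verify under the trusted IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(body, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.TrustedIssuer || a.Audience != sp.EntityID {
		return "", fmt.Errorf("issuer %q / audience %q not accepted by this SP", a.Issuer, a.Audience)
	}
	if t := now.Unix(); t < a.NotBefore || t >= a.NotOnOrAfter {
		return "", fmt.Errorf("assertion outside its validity window")
	}
	if !sp.PendingRequests[a.InResponseTo] {
		return "", fmt.Errorf("InResponseTo matches no outstanding request (replay?)")
	}
	delete(sp.PendingRequests, a.InResponseTo) // one-time use
	return a.NameID, nil
}

// Scenario: SP-initiated happy path, a Golden SAML forgery with the stolen key, and tampering without it.
func Scenario() (legit, golden string, tamperErr error) {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	sp := &SP{
		EntityID:        "https://webex.example.com/sp",
		TrustedIssuer:   "https://idp.example.com",
		IdPKey:          &idpKey.PublicKey,
		PendingRequests: map[string]bool{"req-1": true, "req-2": true},
	}
	mint := func(reqID, user string) Assertion {
		return Assertion{Issuer: sp.TrustedIssuer, NameID: user, Audience: sp.EntityID,
			NotBefore: now.Add(-time.Minute).Unix(), NotOnOrAfter: now.Add(5 * time.Minute).Unix(),
			InResponseTo: reqID}
	}
	body, sig, _ := Sign(idpKey, mint("req-1", "alice@example.com"))
	legit, _ = sp.Validate(body, sig, now)
	// Golden SAML: the attacker starts a login from their own browser to obtain req-2, then signs an
	// assertion for admin with the stolen key; the IdP's password check, MFA and logs never run.
	fBody, fSig, _ := Sign(idpKey, mint("req-2", "admin@example.com"))
	golden, _ = sp.Validate(fBody, fSig, now)
	// Without the key, editing the NameID in transit breaks the signature.
	tBody := bytes.Replace(body, []byte("alice"), []byte("mallory"), 1)
	_, tamperErr = sp.Validate(tBody, sig, now)
	return legit, golden, tamperErr
}

func main() {
	fmt.Println(Scenario())
}
```

Running it prints alice@example.com for the legitimate login, admin@example.com for the forged one, and a signature error for the tampered assertion. The point for defenders is that nothing on the SP side distinguishes the forgery from a genuine login; the controls that matter are protecting the IdP’s signing key (and rotating it after any suspected compromise) and correlating SP-side logins against the IdP’s own issuance logs to spot assertions the IdP never produced.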

How Do Businesses and Admins Benefit from SAML?
Since it was first developed, SAML has become the standard for Web-based single sign-on. It quickly caught on among businesses, who internally began to use the protocol for employees.

“As access management started gaining more relevance, because more and more companies were accessing applications outside their network … SAML became very important to the corporation and to the people who need to provide SSO,” says Michael Kelley, senior research director in Gartner’s Secure Business Enablement Group.

The benefits are clear for both users and admins. Individuals don’t have to enter credentials into the application itself and undergo a more secure login process overall, explains Aaron Parecki, senior security strategist at Okta. Once they’re authenticated, they can transfer back and forth between apps without the hurdle of logging in several times.

“This is a great way to have a more secure experience as a user because you only ever enter your credentials into the server that has your credentials — the place where the account lives,” he says. “If you want to log into an application, you don’t have to trust that the application is going to handle your credentials properly.”

(Continued on page 2 of 2)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

Mainframe Security Automation Is Not a Luxury

As cyber threats grow, even the most securable platform is vulnerable and requires adaptive autonomous protection.

Business and IT leaders alike realize cybersecurity threats are constantly evolving in today’s digital economy. This even applies to the most securable platform, the mainframe. Sixty-three percent of mainframe executives and practitioners cited security and compliance as their top priority for the platform, according to the recent BMC Annual Mainframe Survey. This wasn’t surprising, as current cybersecurity approaches are often hampered by alert fatigue, complex environments with manual workflows, and a general lack of mainframe security expertise.

The Overlooked Mainframe
Visibility is an ongoing concern with Web-based, mobile, and customer-facing systems that seem most vulnerable to attack. However, CSOs could be overlooking opportunities hackers have to compromise their most mature enterprise platform: the mainframe.

A workhorse handling over 30 billion transactions daily, the mainframe powers the back end of applications enabling everyday activities such as online credit card transactions, mobile banking, and a wide variety of account inquiries from account balances to order and shipment delivery. In short, this is a “must not fail” system in the digital economy.

Ironically, the mainframe’s reputation for reliability, stability, and security could be the reason cybersecurity teams are unknowingly neglecting it. This became apparent in research from Forrester: While 88% of mainframe organizations say they are confident they’d be aware of a malicious user, almost half admit to at least one incident of someone gaining unauthorized mainframe access. With more than 1,500 data breaches reported in the US alone in 2019, one has to ask whether security strategies are ramping up fast enough, especially with increases in mainframe workloads spurred on by COVID-19.

Mainframe Security Challenges
Security on the mainframe presents a challenge for business executives and IT security professionals. For executives, security is a priority, but many may be unaware of the need to secure mainframes after so many years of solid performance. For technologists, staffing and skills shortages specific to mainframes are more of a concern. Security teams facing challenges ranging from too many false positives to unpatched vulnerabilities are already overwhelmed. Complexity caused by a lack of security integration across multiple platforms is only adding to their burdens.

If an enterprise relies on the mainframe as a key piece of a larger transaction processing system, it is potentially exposing huge volumes of data when its security status is not certain. So despite its reputation, mainframe security cannot be assumed in this era of increasing threats. IT security leaders must know for a fact that their entire infrastructure is secure.

One big threat to mainframe security is credential theft. As on any other system, credentials on the mainframe can be leveraged by an attacker. Say an active user profile with elevated privileges belongs to a person who has left the company. That orphaned privileged account can be misused, carelessly or maliciously, by the former employee or by anyone who obtains its credentials. Remote connections into a mainframe could also allow attackers to leverage weak security controls or vulnerabilities to gain access via a back door. Of course, there’s also the human factor: a successful phishing attempt that installs a keylogger to capture credentials and access the mainframe.

Mainframe Resurgence Demands Sophisticated Security
Mainframe security is increasingly important now because the platform is experiencing unprecedented growth some 55 years after its introduction. According to Allied Market Research, “the global mainframe market size was valued at $2,094.12 million in 2017, and is projected to reach $2,906.61 million by 2025, registering a CAGR of 4.3% from 2018 to 2025.”

Mainframes continue to power businesses across industries despite a misinformed perception that the world’s businesses run mostly on cloud. According to Forrester Consulting research, “64 percent of enterprises surveyed will run more than half of their critical applications on the [mainframe] platform within the next year, up from 57 percent this year, and 72 percent of customer-facing applications at these enterprises are completely or very reliant on mainframe processing.”

Savvy business leaders today also recognize the connection between the mainframe and application development. According to a survey by Vanson Bourne, 47% of 400 IT leaders said the mainframe is running more business-critical apps than ever before.

A Smarter Approach to Security
All this renewed attention on mainframe emphasizes the need for adaptive security for the platform. Adaptive cybersecurity is the evolution of security functions that automatically sense, detect, react, and respond to access requests, authentication needs, as well as internal and external threats. It learns, evolves, and adapts to any threat, mitigating risk while meeting compliance requirements.

This approach can ease the top concerns of mainframe organizations: data protection, improving security detection and response, and reducing endpoint security risks (from the previously mentioned Forrester study, conducted in May 2020 during the peak of the pandemic).

Artificial intelligence and automation can mitigate the mainframe security conundrum by applying machine learning, predictive analytics, pattern analysis, and data correlation to security threat identification and mitigation. This pervasive strategy is a vital step on one’s journey to become an autonomous digital enterprise, where technology works in service of security needs, freeing up staff from mundane tasks, allowing them to focus instead on driving business agility.

For enterprise security teams without mainframe expertise, automation is embedded with intelligence to detect and respond to, for instance, anomalous behavior indicative of a security event and communicate the incident to staff perhaps not as well-versed in mainframes. Depending on the event, security automation on the mainframe could also take action to prevent the threat from spreading and protect the larger computing environment.

Automated detection and response technologies provide the visibility into the mainframe that some security operations centers do not yet have, either because they have mistakenly overlooked the platform as secure enough or because they don’t have the expertise in-house. Integrating mainframe security data with security information and event management (SIEM) systems in real time also enables teams to fully incorporate the mainframe into an adaptive enterprise security strategy. Notice that I said real time. I draw your attention to that as I often meet executives who will tell me they integrate mainframe event data with their SIEM, but I later learn that they do so in a batch format once a day or week. Unfortunately, this can allow an attacker to operate unnoticed for hours or even days.

Business and IT leaders recognize the importance of enterprise security protections and now they must extend the significant efforts to the mainframe to avoid a brand-destroying breach. Without enough trained staff, CSOs can invest in technologies to augment the mainframe security brain trust and enable automation to do some of the work needed to protect the enterprise and the business.

As SVP and General Manager of ZSolutions at BMC Software, John leads the R&D, Product Management and Solutions Marketing teams to innovate the mainframe to meet the needs of today’s evolving digital economy. John has over 25 years of management experience at BMC alone and, …


Startup Offers Free Version of its ‘Passwordless’ Technology

Beyond Identity co-founders hope to move the needle in eliminating the need for passwords, but experts say killing passwords altogether won’t be easy.

A startup with the goal of eradicating passwords and led by Netscape founder Jim Clark and broadband network pioneer Tom Jermoluk today released a free version of its service that authenticates and authorizes users without the use of passwords.

The free version of Beyond Identity’s service includes support from the company during business hours and deployment to an unlimited number of users or customers. Beyond’s technology, built on X.509 certificates with asymmetric-key cryptography and on TLS for encrypted communications, makes the endpoint device its own certificate authority.

The user’s private key is generated and stored locally in the device’s hardware-protected secure enclave, so it never leaves the device; Beyond’s cloud-based service uses the corresponding public key to authenticate and authorize the user.

Password management headaches and credential theft have long been among the biggest challenges for organizations, and layering passwords with multifactor authentication (MFA) and other protections has become the norm. But as the recent SolarWinds attack, believed to originate from Russia, demonstrated, attackers who gain enough access can bypass MFA, for instance by forging or stealing authentication tokens rather than logging in, in order to capture or set up credentials inside their targets.

Jermoluk, CEO of Beyond Identity, says the global pandemic and subsequent rush to send employees to work from home helped drive the decision to offer the startup’s core technology for free to organizations. Cyberattacks rose last year, he notes, many of which targeted vulnerable and valuable credentials of work-from-home employees.

“This lets us contribute to companies who are having this [password security] problem today with their remote workforce,” he says, and allows them to use it “forever,” without the need to sign up for Beyond Identity’s paid service.

“This is a piece of technology that solves a lot of problems, especially for SMBs [small and midsize businesses],” says Jermoluk. They don’t need to manage any certificates or purchase any additional products to run it, he adds. “If you have Okta single sign-on, [for instance], you can turn [Beyond’s service] on in 10 minutes,” he says.

The passwordless authentication piece of its identity platform is now available at no cost, both for organizations to connect to their single sign-on apps in order to eliminate passwords, and for website or app providers to offer to their visitors and customers.

Even so, Jermoluk emphasizes that the free version is not its “full-on product,” but it does allow organizations to remove passwords and the associated risks that the aging authentication model brings. He says the goal is to usher in the passwordless era, where credentials aren’t so easily and readily targeted and used to breach organizations and steal data.

Richard Stiennon, chief research analyst at IT-Harvest, says Beyond Identity’s freebie offering makes sense and jibes with the co-founders’ roots.

“The audacity of releasing a free product makes me take a breath: It reminds me of Netscape back in the halcyon days of the Internet bubble,” he notes, in a nod to Clark’s doing the same with the early Web browser. “This move should not have been a surprise. Also, it is what is required when there are so many identity solutions out there — 309 by my count.”

Beyond Identity’s advanced, or paid-tier, service includes authentication features that drill down on a device’s security posture details and data; continuous authentication and risk policy enforcement; integration with mobile device management and endpoint detection and response (EDR) tools; integration with identity management, security, and compliance tools; compliance reporting features; and 24/7 support.

Cloud-based data platform provider Snowflake recently rolled out Beyond Identity’s full product service to its thousands of employees for its business applications, including Gmail, Slack, and Salesforce. The company has no on-premises servers: Its IT environment is mainly Microsoft Azure and AWS, as well as SaaS apps, notes Mario Duarte, vice president of security at Snowflake.

Beyond Identity’s passwordless service replaced Snowflake’s password management tool and integrates with its Okta identity provider (IdP). “It sits in front of Okta, and [Beyond Identity] takes care of authentication,” Duarte says. Okta trusts Beyond Identity to confirm the user logging in is who they say they are, he adds.

Snowflake has requested that Beyond Identity add a couple of new features, including one that allows them to sign code.

When a programmer writes code and uploads it to GitHub or another code repository, Beyond Identity would allow that person to “sign” the code with the same device-bound key, so that anyone holding the public key can verify it came from that programmer, he notes. Duarte says he thinks Beyond Identity will add that feature sometime in the first quarter of this year.
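The device-bound key model described earlier in this article (private key in the endpoint’s secure enclave, the cloud service holding only the public key) and the code-signing feature Snowflake asked for rest on the same primitive: a signature produced by a key that never leaves the device, verified elsewhere with the public key. The Go program below is an added illustration written for this page; it is not Beyond Identity’s code and makes several assumptions: Ed25519 stands in for whatever X.509 key type the product uses, an in-memory struct stands in for the hardware enclave, the tenant name “sso.example” and the sample commit content are constructed, and the nonce-plus-audience challenge format is one I chose to show why a challenge must be single-use and bound to the service that issued it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for the endpoint. The private key is generated here and
// never exported; in a real deployment it would live in the hardware secure
// enclave and only a sign operation would be exposed to software.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material that leaves the device, at enrollment.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// AuthMessage is the byte string both sides sign and verify. Binding the
// service name (the audience) to the nonce stops a response obtained for one
// service from being replayed against another.
func AuthMessage(service string, nonce []byte) []byte {
	return []byte("auth-v1|" + service + "|" + hex.EncodeToString(nonce))
}

// codeMessage hashes the content under a different domain prefix, so an
// authentication signature can never be passed off as a code signature.
func codeMessage(content []byte) []byte {
	sum := sha256.Sum256(content)
	return append([]byte("code-sign-v1|"), sum[:]...)
}

// Answer signs an authentication challenge for the named service.
func (d *Device) Answer(service string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, AuthMessage(service, nonce))
}

// SignCode produces a detached signature over a file or commit body.
func (d *Device) SignCode(content []byte) []byte {
	return ed25519.Sign(d.priv, codeMessage(content))
}

// VerifyCode checks a detached code signature against the developer's public key.
func VerifyCode(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, codeMessage(content), sig)
}

// Service stands in for the cloud-side verifier that the SSO provider trusts.
type Service struct {
	name     string
	enrolled map[string]ed25519.PublicKey // user -> enrolled device key
	pending  map[string][]byte            // user -> outstanding nonce
}

func NewService(name string) *Service {
	return &Service{name: name, enrolled: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh 32-byte nonce; only one is outstanding per user.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.enrolled[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify consumes the outstanding nonce whether or not the signature is good,
// so a captured response cannot be replayed and a bad guess burns the challenge.
func (s *Service) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	pub, ok := s.enrolled[user]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, AuthMessage(s.name, nonce), sig)
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	svc := NewService("sso.example") // hypothetical tenant name
	svc.Enroll("alice", dev.PublicKey())

	nonce, _ := svc.Challenge("alice")
	sig := dev.Answer(svc.name, nonce)
	fmt.Println("login:", svc.Verify("alice", sig))  // true
	fmt.Println("replay:", svc.Verify("alice", sig)) // false: nonce already consumed

	src := []byte("package main\n") // constructed sample commit content
	csig := dev.SignCode(src)
	fmt.Println("code ok:", VerifyCode(dev.PublicKey(), src, csig))          // true
	fmt.Println("tampered:", VerifyCode(dev.PublicKey(), []byte("x"), csig)) // false
}
```

The two domain prefixes are the part worth copying: without them, a signature an attacker coaxed out of the device during a login could be presented as a signature over a commit, or vice versa, because the device would be signing arbitrary bytes with one key.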

Whether Beyond Identity’s freemium offer helps move the needle toward eradicating passwords is unclear. Security experts say passwords aren’t likely to die anytime soon.

The company plans to add a consumer-level service that e-commerce or other organizations, such as gaming, insurance, or medical practices, can offer to their clients and customers, where there’s no single sign-on like Okta sitting in the middle, Jermoluk says. “So anyone delivering a service function or app can offer a passwordless credential system,” he says.

Meanwhile, Beyond Identity recently raised a $75 million Series B funding round, bringing its total investment to $105 million.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


Critical Vulns Discovered in Vendor Implementations of Key OT Protocol

Flaws allow denial-of-service attacks and other malicious activity, Claroty says.

Researchers from Claroty this week disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol that is widely used in operational technology (OT) networks.

The flaws affect products from three vendors whose technologies are also being used as third-party components in multiple other white-label products running the OPC protocol. Claroty privately reported its vulnerability discoveries to the three vendors in 2020. The products have since been patched, prompting Claroty to publicly disclose the issue for the first time this week.

In a blog post, Claroty described the security issues as exposing organizations using the vulnerable products to denial-of-service attacks, remote code execution, and leaks and theft of sensitive data.

“Many commercial [industrial control system] products use the OPC protocol for the secure exchange of information between devices across an operational technology network,” says Uri Katz, protocol researcher at Claroty.

The protocol ensures interoperability between proprietary industrial control systems and is a critical piece of an OT network. Vulnerabilities in vendor implementations of the OPC protocol can have serious implications for the reliability and availability of devices, Katz says.

“OPC is a crucial part of many OT networks, and even creating denial-of-service conditions on OPC servers could critically impact OT processes,” he adds. According to Katz, all of the vulnerabilities that Claroty discovered are trivial to exploit for attackers familiar with how the OPC protocol works.

Claroty, an OT security company, discovered the security bugs while conducting a broad vulnerability analysis of the OPC protocol in 2020. The company decided to investigate the protocol because of its wide use in industrial control system and OT environments. The analysis unearthed critical security issues in OPC implementations from three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell.

Claroty discovered two vulnerabilities in Softing’s OPC library. One of them was a buffer-overflow issue (CVE-2020-14524) that, if exploited, could cause the server to crash. The other was a resource consumption bug (CVE-2020-14522) that gave attackers a way to trigger denial-of-service conditions against a server running the vulnerable protocol.

Claroty’s analysis uncovered three security issues in Kepware products, ThingWorx Kepware Edge and KEPServerEX OPC Servers. Two of them were buffer overflow issues (CVE-2020-27265 and CVE-2020-27263), while the third was what is known as a use-after-free vulnerability (CVE-2020-27267). Two of the now-patched flaws allowed an unauthenticated attacker to run malicious code remotely on a vulnerable system.

Claroty found four critical vulnerabilities in the MatrikonOPC Tunneller by Matrikon Honeywell. The four flaws were a heap overflow (CVE-2020-27297) that could allow remote code execution; a heap out-of-bounds (OOB) memory issue (CVE-2020-27299) that could lead to information leaks; and two denial-of-service flaws (CVE-2020-27274 and CVE-2020-27295).

According to Katz, the OOB vulnerability is the most serious because it resides in functionality used by various products by multiple vendors. US-CERT and others have urged organizations running vulnerable products from each of the three vendors to upgrade to the latest versions of the software in each case to mitigate exposure to the newly disclosed threats.

Claroty’s report comes amid suggestions of growing enterprise interest in OT security, an area that has been somewhat overlooked because of the misconception that such environments are air-gapped and therefore immune to attacks. According to a new report by Research and Markets, the global OT security market will grow to $18.3 billion over the next two years as organizations rush to address gaps in their OT environments.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


SonicWall Is Latest Security Vendor to Disclose Cyberattack

The network security firm is investigating a coordinated campaign in which attackers exploited vulnerabilities in SonicWall’s products.

Network security firm SonicWall is investigating a coordinated attack in which attackers allegedly exploited vulnerabilities in the company’s products to breach its internal network. It’s the latest in a string of security vendors to become a target for attackers.

In a statement published Jan. 22, SonicWall officials wrote they detected an attack “by highly sophisticated threat actors exploiting probably zero-day vulnerabilities on certain SonicWall secure remote access products.” 

As of Jan. 23, the company has confirmed its SonicWall Firewalls, NetExtender VPN Client, Secure Mobile Access (SMA) 1000 Series, and SonicWave Access Points were not affected in the recent attack. The SMA 100 Series, used to provide employees with remote access to internal resources, is under investigation but “may be used safely in common deployment use cases.” 

Current SMA 100 series users may continue to use NetExtender for remote access, a use case the company has determined is not susceptible to exploitation. Admins for the SMA 100 series are advised to create specific access rules while investigation of the vulnerability is underway. SonicWall suggests using a firewall to allow SSL-VPN connections to the SMA only from known IP addresses, or configuring an allowlist on the SMA itself. The company also urges implementing multifactor authentication on all SonicWall SMA, Firewall, and MySonicWall accounts.

A Concerning Trend
SonicWall is the latest IT security vendor to confirm a breach in recent weeks. Others include Microsoft, FireEye, and Malwarebytes, all of which disclosed cyberattacks related to the massive SolarWinds attack campaign targeting major US government agencies and businesses. Attackers also attempted to breach CrowdStrike; however, their efforts were not successful.

“There is an undeniable trend of security companies disclosing more breaches publicly over the last several months,” says Allie Mellen, Forrester analyst covering security and risk. “That said, I wouldn’t rush to judgement and assume this is due to an uptick in targeted attacks against security companies specifically.”

She suspects the increase in reported attacks can be linked to some companies changing their approach to breach disclosure. Over time, more security firms have chosen to speak publicly about the attacks they face — sometimes due to regulatory compliance, sometimes to warn the community of a new threat.

“Disclosures that are timely, transparent, and technically accurate can result in praise and respect from the community and can be an opportunity for companies to highlight their security practices,” Mellen says.

While breach disclosures are growing common, it’s worth noting that security vendors are an appealing attacker target, notes Brandon Hoffman, CISO at Netenrich. That’s a concern, he says, because security practitioners need tools they can depend on for detection and defense. By targeting the tools meant to detect cyberattacks, adversaries stand to gain an advantage. 

And they don’t have to succeed to make an impact, he notes.

“To a degree, it is less important that these attacks are successful, but at a minimum eroding confidence in the tools,” Hoffman explains. Whether this erosion serves as a distraction to key security functions or forces security practitioners to refocus their efforts remains to be seen. 

The abuse of trust is a recurring theme in all of these recent breach disclosures, says Tim Wade, technical director of Vectra’s CTO Team. Trust must be constantly reassessed. Vendors have long been lucrative attacker targets both because they enable further malicious activity, and because they allow attackers to bypass legacy security measures to achieve their goals.

Vendor Breaches Put Spotlight on Third-Party Risk
Disclosures like these put security teams in a tough position, Hoffman says. While a reliance on safe and functional tooling is critical to their job, security tools are appealing targets because they require a deep level of trust from an integration perspective. 

He suggests that third-party risk assessments need to be “increased with vigilance.” A business may need to perform its own validation of vendor tools outside a questionnaire of security protocols, he adds. Organizations lack an easy way to streamline this process and effectively perform these assessments, he adds.

“You can’t have security until you have some kind of fundamental standards that everybody agrees on and operates from,” says Tanner Johnson, senior cybersecurity analyst at Omdia. Like Hoffman, he points to a need for the development of more secure standards and protocols to strengthen the security infrastructure businesses depend on.

Johnson suggests organizations diversify their security portfolios so as to prevent vendor lock-in. More and more vendors are promising a “single pane of glass” through which practitioners can manage their infosec needs; however, relying on one vendor could drive risk when a breach occurs. If that vendor is compromised, the business has no remaining vendor that is outside the attack.

“Investing all your eggs in one basket is convenient but not secure,” he adds. 

These disclosures should also remind security pros to vet the vendors they work with, Mellen says. Third-party security reviews, including the evaluation of third-party penetration tests and timelines to remediate flaws, are essential to reducing third-party risk.

As for the vendors, they must be in touch with customers “immediately following a breach,” she adds. They should clearly explain what happened, what product or service was affected, ways to mitigate damage, and a timeline for remediation. How the vendor responds can make a big difference.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
