More health, less stealth….

Emerging Access and Authentication Methods for Healthcare

Medical records are now, by and large, available in electronic form – in fact almost 8 in 10 physicians use an EHR. Conveniently accessing them in a secure and compliant way is the challenge that everyone involved in the healthcare industry faces. In 2015 the top three healthcare breaches resulted in over 100,000 million compromised records. While the full details of these attacks have not been released, the key for criminals is often stolen credentials, whether they belong to a user, an administrator, or someone else with privileged system access. These attacks show bravado and hit the major headlines. Alongside the big hacks, there is a growing rash of small crimes at healthcare facilities, like stolen medications, illicitly written prescriptions and theft of targeted individual health care records. For example, in a Cleveland Clinic, four nurses are being accused of stealing patient medications such as Oxycodone (an opioid painkiller sought after by drug addicts).

Implementing strong access and authentication controls is the next step healthcare organizations must take to comply with HIPAA and harden the attack surface against sophisticated criminals and petty staff offenders alike. Healthcare organizations are still standardizing on the right approach – let’s take a closer look at some of the technologies that are currently in use and explore them from a security and a hacker’s perspective.

RFID (Radio Frequency Identification)

You may have one and not even know it. RFID technologies make up the majority of the market: most white access badges that you swipe to gain access to a door, or potentially a computer, have sophisticated micro circuitry built in. Some of the amazing things that you might not know about RFID are:

  • There is no battery! The circuitry is powered by the energy it receives from the antenna when it is near a card reader.
  • Some RFID chips can contain up to 1K of data. That doesn’t sound like a lot, but it is enough to hold your name, address, social security number and perhaps your last transaction.
  • RFID chips can be so small they may be imperceptible; Hitachi has a chip that is 15 x 0.15 millimeters in size and 7.5 micrometers thick. That is thinner and smaller than a human hair.

The good news for security professionals at healthcare organizations is there are many choices and uses for RFID technology.  Cards and readers purchased in mass quantities drive the price down and provide a homogeneous system that may be easy to administer as it becomes part of the onboarding and provisioning process. In addition to door access for staff, RFID cards can be given to patients on check in so that they have another form of identification. The bad news is that hackers are after consistent well-documented systems and they like hacking esoteric data transmissions like the ones that RFIDs use.  Using inexpensive parts that are on my workbench like an Arduino Microcontroller, a criminal could create a system to capture the transmission and essentially clone the data on a card then pose as an insider.

BioMetrics

There seems to be an ever-growing array of BioMetric devices like vein readers, heartbeat, iris readers, facial recognition and fingerprint readers. When implemented properly, a live biometric, that is, a biometric device that samples both a unique physical characteristic and liveness (pulse, for example), is almost always a positive match; in fact, fingerprint reading is used at border control in the US and other countries. There are hacking demonstrations with molded gummy worm fingers, scotch tape finger lifts and even supposedly cutting off a finger. Those attacks are on the far end of a practical hack, as they are not repeatable or easy for a criminal. The hurdles that biometrics face are:

  • Near 100% Match – This is good news, as we truly want valid users; however, skin abrasions, irregular vital signs, and aging are just some of the factors that sometimes make the current set of biometrics create false positives.
  • Processing Time – There are several steps to the fingerprint and biometric authentication process. Reading, evaluating the match, then validating with an authentication service can take up to a second. The process is not instantaneous – I can enter my password faster on my iPhone than I can get a positive fingerprint match. Doctors, nurses and patients simply don’t have the seconds to spare.
  • Convenience – Taking off gloves or staring at a face or retinal reader is simply not an option when staff are serving potentially hundreds of patients a day.

As the technology and processing improve, I think we will see a resurgence in biometrics in healthcare, but for now my local clinic has decommissioned the vein reader.

Bluetooth

Bluetooth technology is becoming ubiquitous. It is being built into almost all devices – some estimate that it will be in 90% of mobile devices by 2018. Bluetooth is still emerging in the healthcare market, which is dominated by RFID; however, there are advantages to Bluetooth over RFID cards:

  • Contactless – Bluetooth low energy relies on proximity rather than on physical contact. While this might not seem like a huge advantage, in a high-traffic critical situation such as an emergency room, seconds count. In addition, systems that require contact, such as a card swipe or tap, require maintenance to clean the contact.
  • BYOD Cost – For smaller clinics and organizations that are cost conscious, using employee devices as a method of authentication may be the way to go, as they will not incur the expense and management of cards and proprietary readers. In fact, a Bluetooth reader can be purchased for as little as $4, compared with $100 card readers.
  • BYOD Convenience – Many organizations recognize an added convenience factor in using their employees’, partners’ and customers’ mobile devices as a method of authentication. Individuals are comfortable and interested in using their phones as access devices. Administrators can quickly change access controls just-in-time for access to different applications, workstations and physical locations rather than having to restripe cards.

On the hacker side, Bluetooth signals, just like RFID, can be cloned; however, when Bluetooth is combined with OTP (One Time Password) as another layer of authentication, criminals could be thwarted.

I contacted Jim Gerkin, Identity Director from NovaCoast, and he mentioned that we may see an uptick in small and mid-sized clinics using authentication devices in 2017. They are looking for cost-effective and open-standard systems based on FIDO standards. Bluetooth has the potential to meet requirements from a cost and security perspective, again if OTP is used in conjunction.

The good news is that Micro Focus’s Advanced Authentication works with multiple types of authentication methods, whether legacy systems, RFID, BioMetric and now Bluetooth. In addition, Micro Focus is part of the FIDO alliance, which ensures a standardized approach. I look forward to evaluating emerging authentication technologies in 2017 that may use DNA, speech recognition and other Nano-technology – watch this space!

Ice Phishing, Whaling, and Social Engineering

Introduction

According to the 1960’s song, “It’s the Most Wonderful Time of the Year”. But it’s also the time to be on the lookout for a cyber-attack posing as an email with the best wishes of corporate executives. In 2016, a fake phishing email sent by JPMorgan was able to dupe 20% of its staff into opening and clicking on a simulated malware link.

There She Blows!

The latest attacks are based on “whaling”—a refined kind of phishing attack in which hackers use spoofed or similar-sounding domain names to make it look like the emails they send are from your CFO or CEO. In fact, whaling is becoming a big enough issue that it’s landed on the radar of the FBI.

Trawling the Network

Whaling hasn’t quite overshadowed regular old phishing, though. A 2016 report by PhishMe states that over 93% of phishing emails are now ransomware. And almost half of those surveyed by endpoint protection company SentinelOne state that their organization has suffered a ransomware attack in the last 12 months. If it’s not ransomware, it’s hackers looking to put other types of malicious code on corporate or public networks or to gain access to passwords belonging to employees or other users. Alarming new types of ransomware, such as Samas or Samsam, will toast your organization just by opening the email—no click required. The dangers are very, very real.

But while it may be impossible to prevent employees from opening phishing emails or clicking on a link, there are ways to create an inoculated environment filled with cyber-hygiene to mitigate the effects of an attack.

Don’t Get Caught

As levels of sophistication of the cyber attacks continue to increase, vigilance is key. Here are a few best practices to keep in mind:

  • Take offline backups of critical information for recovery from ransomware. While “snap copying” live volumes is trendy, you could be snapping ransomware-encrypted files.
  • Implement the security protocol of “least privilege” for all users to minimize access to critical systems and data. Be sure to collect and correlate user entitlements to enforce least privilege.
  • Limit the use of “mapped” drives, which can be encrypted by ransomware. Use secure systems designed for file sharing.
  • Implement multi-factor authentication in case user credentials are compromised, and don’t forget to include strong authentication for your mainframe systems.
  • Speaking of mainframes, often the locale of some of the most sensitive data in the corporation, ensure that the terminal emulator being used:
    • Is certified on whatever desktop operating system is in use
    • Implements the latest security standards
    • Is configured so that macros can only be run from trusted locations and cannot be used as a point of attack.
  • Ensure that you have a single point of control for all of your identity, access, and security settings, but don’t forget to monitor the people who manage it.
  • If employees use intelligent personal devices such as smartphones and tablets, think about implementing an endpoint management system, which can be remotely disabled (and the device wiped), in case it is lost or compromised.

Conclusion

Good corporate governance and awareness can help prevent users from clicking on phishing emails, but a more robust approach needs to ensure that IT can mitigate the risks if they do.

The helpful hints above should hopefully serve to get you through the holidays and provide even a sensible resolution for 2017.

FT Cyber Security Summit 2016

David Mount reports back from the FT Cyber Security Summit 2016 in London and shares his thoughts on cyber security in this enlightening blog.

Last month I was fortunate to be able to carve some time out of my diary to attend the Financial Times Cyber Security Summit in London. The event promised a strong line-up of cyber-security heavyweights – and I mean that in the knowledge and experience sense, rather than in Trump’s view of a cyber-crime protagonist.

The sentiment was clear – the good guys are still losing to the bad guys, and it doesn’t look like it’s going to change any time soon. Nausicaa Delfas, Director of Specialist Supervision at the UK’s Financial Conduct Authority shared some interesting, if unsurprising numbers. Over the past few years, they have seen the number of reported cyber-attacks on financial institutions steadily rise – 5 in 2014, 27 in 2015, and 75 so far in 2016. The pessimist (or perhaps realist) in me makes me think that we’re facing ever increasing armies of cyber-criminals who are better organised, better skilled and better funded than the average target; the optimist in me tries to think that we’re actually getting better at spotting the attacks earlier, and thus able to respond more effectively than before.

Whatever the reasons, it’s evident that the good guys will only become truly effective in their mission through effective sharing of information. Indeed, the great military strategist Sun Tzu proclaimed “if you know your enemy and know yourself, you need not fear the results of a hundred battles”. There’s no room for egos in cyber-security. Attacks happen, and one major bank highlighted the empathetic sentiment they received from their customers if they announce they are suffering a cyber-attack such as DDOS.

So let’s not perpetuate the myth that all cyber-attacks are perpetrated by socially awkward teenagers in their bedrooms. Some indeed are, and often as a result of frankly inexcusable and embarrassing approaches to information security. However, many are not. We must change our approach and find the ways to allow cyber-security professionals to truly come together as a team, rather than acting as a loosely grouped collection of skilled individuals. Thankfully, we’re starting to see some initiatives take shape in this space, and during the event there was optimism regarding the UK Government-led National Cyber Security Centre, but much more work is needed on cyber information sharing platforms to provide open, timely access to rich information such as threats, attack vectors and indicators of compromise. As basketball coach John Wooden said – “failure isn’t fatal. But failure to change might be” – a prophecy to the cyber threats of today or tomorrow perhaps?

From chaos to order: what messy children’s rooms have to do with entitlement management

The unloved task of tidying up is not confined to children’s rooms. In companies too, “cleaning up”, for example the uncontrolled sprawl in directory services and entitlement management, tends to be seen as a tedious and above all time-consuming chore. The consequences are serious and highly risky, because improper entitlements or orphaned accounts offer a large attack surface for data sabotage and data theft. In his blog, Götz Walecki shows how standard software can be used to clean up efficiently within IT.

Summer is holiday time: schools stay closed for 6 ½ weeks, and given this summer’s chronically bad weather the children let off steam relentlessly in their rooms. Behind closed doors, the boxes of Playmobil, Lego and assorted jigsaw puzzles are dug out and tipped over, and within a very short time the floor is completely covered in toys. With signs on their doors such as “No-go area for parents” or “No entry”, the children try to keep their parents out, because they have no desire at all to hear the sentence that inevitably follows: “Now tidy up your room.” Each of us knows this sentence only too well, whether from our own childhood or because we have uttered it ourselves as a sighing declaration of surrender to our own children. As a rule, however, and this is probably familiar too, the sentence has rather little effect: the beloved, or unloved, chaos remains. But the unloved task of tidying up is not confined to children’s rooms. In companies too, “cleaning up”, for example the uncontrolled sprawl in directory services and entitlement management, tends to be seen as a tedious and above all time-consuming chore. Many companies maintain their employees’ access rights poorly at best; it is not uncommon for rights management to be in a state of great confusion. The result is improper entitlements or orphaned accounts. Yet precisely at a time when compromised privileged user accounts are the gateway for data sabotage or data theft, companies must make sure they reduce this attack surface, minimize risks and initiate countermeasures quickly. This requires intelligent analysis tools that provide the basis for making the right decisions.

How can standard software be used to clean up within IT?

When it comes to preventive measures, companies should therefore focus on simplifying and automating so-called access certification processes in order to establish identity governance initiatives in the company. Ever-increasing digitalization, with all its different ways of accessing sensitive data and systems, together with more flexible work organization through closer integration of partners and service providers, creates a confusing patchwork of entitlements that can hardly be controlled and monitored manually any more.

Analysing accounts and entitlements, and optimizing areas such as directory services, not only helps companies reduce security risks, such as those arising from orphaned user accounts or accounts with excessive entitlements, but also contributes to cost reduction. Every user too many costs money and security. Senior management and executives need tools that provide the relevant information for making decisions that reduce the risk of data loss, restrict access rights to what is strictly necessary and thus meet the data security requirements placed on companies. With Access Review 2.0, Micro Focus offers a flexible solution for this task with regard to attestation and recertification of accounts, access rights and business roles.

The recertification process is highly adaptable and is considerably simplified by focusing on exceptions. Reporting functions with preconfigured reports on entitlements, certification status, requests/approvals and policy violations, together with support for automated campaigns, make governance considerably more efficient and help reduce costs, for example by identifying and then removing orphaned accounts. With the Micro Focus solution, customers are able to go beyond managing user accounts and actually govern user access in a programmatic, repeatable and demonstrable way, thereby reducing the attack surface for the long term.

Götz Walecki

Manager Systems Engineering

Move beyond weak mainframe passwords with advanced multifactor authentication

Flexibility is the key when it comes to multifactor authentication and you can also use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console. David Fletcher provides more insight in his blog….

More and more companies are moving to multifactor authentication. Almost everyone agrees that multifactor authentication is the best way to provide the strongest level of authentication (who you are). This technology is taking hold in many industries, and for the most part it’s working pretty well. Now ask yourself “How can I use multifactor authentication to authorize access to my host systems?”

Complex and Expensive?

Wow—things just got really complicated and expensive. Think about who is accessing your host systems today. Employees all over the world with different devices and different access needs. Business partners who need access but don’t have your same systems and devices. What about customers who are actually updating their own data via web services on your host systems? The level of complexity that comes with implementing multifactor authentication for enterprise applications is hard enough. Now throw in the mainframe and it’s enough to keep anyone from moving in that direction.

But what if there was a flexible and manageable way to use multifactor authentication for host applications? Because Micro Focus is the expert in securing and managing access to your host systems, we have developed new capabilities to make implementing and managing multifactor authentication flexible and affordable. You can even use the same products for implementing multifactor authentication for your enterprise applications and authorizing access to your host systems.

Affordable and Flexible:

The key to making multifactor authentication affordable and flexible is having a system that supports many different ways of authenticating. Such a system could support whatever methods of authentication are right for your users and your budget.

There are many different ways that a user can be authenticated. You can take advantage of the fact that most (if not all) employees or partners have a cell phone. No need for costly devices to increase security to your systems. What if you could let a partner choose between answering three security questions or using a fingerprint for authenticating or a combination of questions and cell phone?

Flexibility is the key when it comes to multifactor authentication. Now you can also use these same methods to authorize access to your host systems as well. You can set up different authentication requirements for different types of users and manage everything from a central console.

Micro Focus® Advanced Authentication, combined with Host Access Management and Security Server (MSS) and one or more of our terminal emulation clients, provide up to 14 different methods of authentication to authorize access to host systems. As new technologies emerge, you can count on Micro Focus to stay ahead of the game so that when you are ready to make a move, we are too.

To learn more about enabling multifactor authentication to authorize access to your host systems, contact your Micro Focus sales representative today.

Originally published here

Are Your Ex-Employees Insider Threats?

Ron LaPedis reports back from the 2016 RSA Security Conference in San Francisco. If your ex-employees are threats to your cyber security, what can be done about it?

2016 RSA Security Conference in San Francisco

I was intrigued by Session HUM-R03F at the 2016 RSA Security Conference in San Francisco. At first I thought that the HUM session names meant that the conference organizers finally put together a security comedy track that I could kick back and enjoy. But after reading the session description, I determined that the topic was not only no laughing matter, but it hit very close to home.

A long time ago, I was a networking engineer for a mainframe vendor and was reading some system logs to diagnose a problem. I saw a lot of remote logins from one particular account coming in late at night so I looked her up so that I could ask her manager what she might be doing. It turned out that not only did she not work at my organization any longer, she had gone to a competitor.

By reading other logs and matching timestamps, I determined that she was downloading source code for the products that she had worked on previously. When I reported this to my manager, he went to HR and got a list of employees that had been terminated over the past few months and asked me to see if their accounts were still active. To a one, they were – and that’s when A) we discovered that IT was not part of the staff termination process; and B) I started my security career.

Times have changed since then (at most organizations anyway), and IT is included in termination notifications so that the laptop and any USB sticks come back and system access can be disabled for terminated employees.

But sending an email to IT may not remove the insider threat of a terminated employee for many reasons:

  1. Lack of centralized access tracking
  2. Access to cloud accounts such as Salesforce.com and Google Docs
  3. Access to shared, and thus anonymous, privileged accounts such as root
  4. Company- or employee-initiated termination with notice

The first two issues are easily solved by implementing user-centric role-based tools and single sign on (SSO) while the third can be solved through the use of a privileged account control solution. The fourth issue of an employee who knows that they will be leaving your organization will take a hybrid approach.

Let’s take a look back at session HUM-R03F for some details. This session was presented by Dawn Cappelli, Vice President, Information Risk Management and Susan Schmitt, Senior Vice President, Human Resources, both of Rockwell Automation. Their task was to manage the technical and human aspects of insider threats due to reductions in force, outsourcing, global cultural and communication issues, termination for cause and other disciplinary issues.

Their premise is that the human threat to your organization’s information cannot be mitigated unless your IT and HR teams, people managers, processes, and technical tools are people-focused. The main issue is that while it’s impossible to sift through millions of security events, you can use a risk-based approach to filter out the noise and display only the specific events that can point to a threat.

Is an employee acting out of the ordinary? Do you believe that they might be preparing to trash your systems or data, or are they planning to take something with them when they leave? If they do leave, can you tell if and what they may have taken with them?

In a 2013 whitepaper sponsored by Symantec and researched by The Ponemon Institute (disclosure, I am a Fellow of The Ponemon Institute), half of the 3,317 surveyed individuals in six countries say they have taken information, and 40 percent say that they will use it in their new jobs. A study by the Software Engineering Institute says that 50% of insiders who steal IP do it within 1 month of leaving the company, 70% within 2 months, and over 80% take information within 3 months prior to their departure date.

Like the Ponemon study, the analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders’ actions during a relatively small window of time prior to their departure – if you have the partnerships and tools to do so and you use them before the employee walks out the door.
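The checks described above (the HR leaver list reconciled against account state on every system, logins after the termination date, and a review of downloads in the window before departure), as an added example that is not from the original post. The log format, system names, users and dates are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# All data below is constructed for this example.
# HR leaver list: account name -> last working day.
LEAVERS = {
    "asmith": datetime(2016, 2, 12),
    "bjones": datetime(2016, 3, 1),
}

# Account state exported per system (directory, cloud app); no single
# system sees every account, which is why the exports must be merged.
ACCOUNTS = [
    {"user": "asmith", "system": "directory", "enabled": False},
    {"user": "asmith", "system": "crm-cloud", "enabled": True},
    {"user": "bjones", "system": "directory", "enabled": True},
    {"user": "cwu", "system": "directory", "enabled": True},
]

# Constructed log lines in a hypothetical key=value format.
LOG_LINES = """\
2016-01-20T14:02:11 user=asmith system=source-repo action=download bytes=120000
2016-02-10T23:41:52 user=asmith system=source-repo action=download bytes=48000000
2016-02-20T01:13:09 user=asmith system=crm-cloud action=login bytes=0
2016-03-04T02:27:30 user=bjones system=directory action=login bytes=0
2016-03-04T09:00:00 user=cwu system=directory action=login bytes=0
this line is malformed and must be skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_events(lines):
    """Parse log lines into dicts, skipping anything malformed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append({"ts": ts, "user": m["user"], "system": m["system"],
                       "action": m["action"], "bytes": int(m["bytes"])})
    return events


def still_enabled(leavers, accounts):
    """Accounts of departed staff that are still enabled on any system."""
    return sorted((a["user"], a["system"]) for a in accounts
                  if a["enabled"] and a["user"] in leavers)


def post_termination_activity(leavers, events):
    """Events by a leaver dated after the end of their last working day."""
    hits = []
    for e in events:
        last_day = leavers.get(e["user"])
        if last_day is not None and e["ts"] >= last_day + timedelta(days=1):
            hits.append(e)
    return hits


def pre_departure_downloads(leavers, events, window_days=30):
    """Bytes downloaded per leaver in the review window before departure."""
    totals = {}
    for e in events:
        last_day = leavers.get(e["user"])
        if last_day is None or e["action"] != "download":
            continue
        start = last_day - timedelta(days=window_days)
        if start <= e["ts"] < last_day + timedelta(days=1):
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return totals


if __name__ == "__main__":
    evts = parse_events(LOG_LINES)
    print("Still enabled:", still_enabled(LEAVERS, ACCOUNTS))
    for e in post_termination_activity(LEAVERS, evts):
        print("After termination:", e["ts"], e["user"], e["system"], e["action"])
    print("Pre-departure downloads:", pre_departure_downloads(LEAVERS, evts))
```
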

What can be done?

Many organizations are already running some of these tools, starting with a Security information and event manager (SIEM). But unless you have solutions for identity management, user activity and change monitoring, privileged account management, and data loss prevention (DLP), your SIEM will force you to try to locate a needle in a haystack. Why are these additional products so important?

Identity management enforces real-time identity and access management through policies that do not require human intervention—constant, consistent reconciliation against what role an employee is in and what he or she can access. An access review tool will let you collect then slice and dice user account information based on attributes such as groups, entitlements or high-risk applications. By integrating access review with your identity manager you can automate revocation for a closed-loop approach to user access.

A user activity and change monitoring solution enables your cyber security professionals to detect and respond to potential breaches in real time. This system can provide intelligent alerting of unauthorized configuration changes to systems and applications, or access and changes to critical files, all linked to a specific user account.

Privileged account management locks down named or shared administrator and root accounts and helps customers demonstrate that they are in control over who can access their environment with privileged entitlements. It helps them automatically track who is accessing which account, on which system and at what time. Additionally, intelligent, real-time keystroke or screen video logging will tell you exactly what they did with that account.

One way to protect privileged entitlements is to allow users to “check out” a password from a secure password vault for a specific period of time, then check it back in when they are done with it. Because Micro Focus Privileged Account Manager supports real-time keystroke logging, the session can be automatically terminated and the user’s access revoked if they are caught performing a risky activity, such as accessing restricted data or stopping a service.

Auditors can view recorded keystrokes and if an event requires further analysis, a workflow process escalates the event to the appropriate managers who can take immediate action.

Data loss prevention managers are available with various feature sets. Depending on the solution(s) that you install, a DLP can watch which files are being accessed or to where they are being moved, prevent the attachment of removable media on servers, desktops, and laptops, or can manage or prevent the copying of files to removable media, email, or cloud services.

Summary

Your IT and HR teams, people managers, and processes need to be partners. You need to be aware of changes in your employees’ behavior that could signal that they are about to sabotage systems or download confidential information. And while IT can respond to breaches, it cannot be their responsibility to allow or deny access; that should be up to your line of business managers – which means that you need access management tools in place that allow policies to be set by GUI and not by unintelligible strings of technospeak. Those tools better be in place before an employee who wants to harm your organization starts planning their exit.


Ron LaPedis

Global Sales Enablement Specialist

Feelin’ Locky, Punk?

Ransomware, malware that locks away your data until you pay to get it back, is spreading like a rash and affects both businesses and consumers. Simon Puleo lifts the lid on Locky and delivers some timely advice.

What is Ransomware?

Ransomware, malware that locks away your data until you pay to get it back, is spreading like a rash and affects both businesses and consumers. The FBI has identified that ransomware is on the rise, affecting not only PCs but smartphones as well. The Verizon 2016 Data Breach Investigations Report listed ransomware in its number two spot for Crimeware, with the biggest jump in reported attacks. While first seen as a semi-sophisticated crime against hospitals and financial institutions, this nefarious crime is quickly becoming commonplace against all types of organizations and targeted individuals.

“Why is Ransomware new?” an IT Manager asked me, “isn’t this just a throwback to other malware schemes?” 

I replied with one word, “Bitcoin.”

While ransomware has been around for a while, it’s becoming more prevalent because Bitcoin (BTC) has made it easier than ever for the bad guys to get paid. Because it is anonymous, Bitcoin enables the criminal to receive his or her payment without the scrutiny of law enforcement, the government, or Visa or MasterCard for that matter.   In short, criminals use BTC as another tool to receive funds without easily being tracked.

Bitcoin started showing financial traction back in 2013 and not coincidentally, that is around the same time that the CryptoLocker virus started asking for payment in that manner.

As of May 3, 2016, one of the latest ransomware creations is called Locky, which Microsoft regards as a “severe threat.”

Locky

While “Locky” sounds like a cute character from one of the shows my kids watch on TV, it will cause more pain and headache than a teething toddler. After it is downloaded, Locky encrypts all of your files, including photos, documents and videos, using AES strong encryption (the type of encryption the FBI uses). When it’s done, it pops up a screen demanding payment in Bitcoin in return for the encryption key to decrypt and retrieve your data.

Obviously no one is going to download and run ransomware on purpose, are they? You might be surprised. The criminals behind Locky get you to download and run it yourself by sending it to you in a phishing email. The targeted user is part of a social engineering scheme: the criminals are on the hunt for users in accounting, who often receive invoices from vendors. The scheme runs as follows:

  1. The user receives an email with an invoice attached, asking for review.
  2. The invoice emails are socially engineered: addressed to the company and asking for payment.
  3. The curious user launches the attached Word document and is prompted to “Run Macros”.
  4. A set of malicious executables is installed on the target machine and begins to encrypt data.

And Locky won’t just attack your local files; it will attempt to encrypt all network and storage devices too! When it’s done, you may see a screen like the one below:

[Screenshot: Locky ransom demand screen]

Protecting your organization

Antivirus tools provide a measure of protection by identifying harmful macros; however, motivated hackers will find a way past antivirus. But you can take destiny into your own hands by following the best practices below:

Awareness is the place to start. Educate your users about ransomware and cyber security best practices. Start a campaign to ensure that all users are aware of the dangers of phishing and how to avoid being a victim. Several companies make software that sends simulated phishing messages, tracks responses, and trains users how to not be fooled by them.

Take control and monitor user access and change with Micro Focus Sentinel and Change Guardian.  These solutions help security teams quickly identify threats before they cause damage with real-time integrity monitoring and analysis of security events as they occur. Rapidly spot file changes and new extensions like .locky that are out of the ordinary and take action with intelligence.
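The kind of check described above, spotting a sudden run of files created or renamed with an extension that is out of the ordinary (such as .locky), can be sketched as follows. This is an added illustration, not Sentinel or Change Guardian code; the event format, the baseline extension list, the thresholds and the sample events are all constructed assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baseline of extensions normally seen on these systems (constructed).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}
WINDOW = timedelta(seconds=60)   # sliding window per host/user/extension
THRESHOLD = 5                    # unfamiliar-extension files within WINDOW

# Constructed file-change events: timestamp host user action path
SAMPLE_EVENTS = """\
2016-05-03T09:14:02 FIN-WS07 asmith MODIFY //fs01/finance/budget.xlsx
2016-05-03T09:14:40 FIN-WS07 asmith CREATE //fs01/finance/notes.md
2016-05-03T09:15:01 FIN-WS12 jdoe RENAME C:/Users/jdoe/Documents/0001.locky
2016-05-03T09:15:02 FIN-WS12 jdoe RENAME C:/Users/jdoe/Documents/0002.locky
2016-05-03T09:15:03 FIN-WS12 jdoe RENAME C:/Users/jdoe/Pictures/0003.locky
2016-05-03T09:15:05 FIN-WS12 jdoe RENAME //fs01/finance/invoices/0004.locky
2016-05-03T09:15:06 FIN-WS12 jdoe RENAME //fs01/finance/invoices/0005.locky
2016-05-03T09:15:08 FIN-WS12 jdoe RENAME //fs01/finance/payroll/0006.locky
"""


def parse_event(line):
    """Split one event line; the path is last so it may contain spaces."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def detect_extension_bursts(lines, known=KNOWN_EXTENSIONS,
                            window=WINDOW, threshold=THRESHOLD):
    """Alert once per (host, user, extension) when many files appear with an
    extension outside the baseline in a short time. Expects time-ordered input."""
    recent = defaultdict(deque)   # (host, user, ext) -> recent (time, path) hits
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, action, path = parse_event(line)
        if action not in ("CREATE", "RENAME"):
            continue
        ext = os.path.splitext(path)[1].lower()
        if not ext or ext in known:
            continue
        key = (host, user, ext)
        hits = recent[key]
        hits.append((ts, path))
        # Drop hits that have aged out of the sliding window.
        while ts - hits[0][0] > window:
            hits.popleft()
        if len(hits) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": host,
                "user": user,
                "extension": ext,
                "count": len(hits),
                "directories": sorted({p.rsplit("/", 1)[0] for _, p in hits}),
                "triggered_at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_extension_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

A single unfamiliar file (the `.md` note in the sample) stays below the threshold, while the run of `.locky` renames across local folders and a network share raises one alert that names the host, user and affected directories.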

Enforce least privilege for your most sensitive data and systems. Micro Focus Privileged Identity Management solutions ensure the right users have access to the right systems at the right times. Trojans and malware like Locky typically need elevated rights to execute, so you can stop them by simply not letting them start. Protect the integrity of your critical systems by limiting use and monitoring who has access to what files during designated time periods.

Finally, ensure you have a disaster recovery plan in place which includes keeping offline copies of critical data in both physical and virtual environments. Micro Focus PlateSpin technology offers solutions that can quickly restore workloads to their original location or to a new location while the original is being repaired.

Put the right measures in place to create awareness, monitor user activity, enforce least privilege and create a disaster recovery plan.  Be vigilant and use great technology to protect you and your organization.

Rockin’ Role-Based Security – Least Privilege

With over 40,000 attendees, 500 exhibitors, and hundreds of sessions, this year’s RSA Security Conference was the place to be for anyone interested in keeping their networks, systems, and information safe from threats, including insider threats, which in turn got me thinking about least privilege.

The “between a rock and a hard place” discussion at this year’s RSA Security Conference was the battle between Apple and the FBI to unlock an iPhone that was used by one of the San Bernardino shooters. But with over 40,000 attendees, 500 exhibitors, and hundreds of sessions, other topics were discussed as well.

According to a survey done at the conference by Bromium, 70% of a sampling of attendees stated that users are their biggest security headache. This jibes with previous surveys, which means that users were, are, and probably will continue to be one of the biggest security holes that organizations face.

Whether the “user” is an actual employee (the insider threat) or a cyber criminal who’s appropriated the credentials of an employee (making a guest appearance as the insider threat) is immaterial. Employees are our biggest threat, not only because they can maliciously or unintentionally cause data breaches, but because they are not equipped to deal with the tactics of cybercriminals, who covet their credentials – especially those of insiders with privilege. In either case, your employee is still a threat to your organization. So how do you eliminate threats from your users? You can’t!

Just like you cannot stop a hurricane, you cannot eliminate cyber threats. But just as you can harden buildings and build surge barriers to protect against hurricane damage, you can use appropriate user management and access controls to prevent or mitigate a breach caused by a cyber threat.

Let me postulate that the best way to prevent a breach is to not allow the actor (or threat) to access the information that they are targeting. In plain English, this means least privilege. Rather than giving your employees access to everything and anything, use proper access controls and user management to lock down your employees so that they can only access the systems and information that they specifically need to perform their jobs. You are not eliminating the threat, but rather are trying to minimize it through compartmentalization. For example, marketing people don’t need access to your finances, so lock them out. Similarly, programmers should never be granted access to production systems except in extreme circumstances. And have you even considered time- or location-based access? When should your employees have access to key information and where should they be sitting when they are allowed to access it? Should I be able to download the plans for a new product after hours from a country different from my office?

When an employee changes roles, ensure that their access changes with them, without a time lag that could give them an opportunity to attack. Using an Identity Lifecycle Manager (ILM) tied to your HR database would be a good way to ensure proper initial provisioning along with ongoing access maintenance. An employee’s access lifecycle needs to stay congruent with their HR lifecycle. If your ILM also includes an analytics engine that can flag nonsensical or out-of-the-ordinary access grants, so much the better.

But you cannot just buy an ILM and tell your board that your work is done. An ILM is useless unless you know what each role should be allowed to access. And that means working with your business units to define the roles within them.

Don’t accept that departments need dozens to hundreds of roles; that just means someone is being lazy. Nor do you want too few roles, forcing the system into a large number of individual access grants. Like Goldilocks and her three bears, there is a “just right” which you will need to work out.

This is where access risk scoring might help you out. A risk score provides a means for determining or calculating risk for users, applications, business roles, or permissions. If the risk is low, perhaps you don’t need to create another role that manages access to a specific resource. But if the risk is high and you have to split the user population, then another role might be needed.

Finally, you want to combine least privilege with automated role changes, policy-based access, and change monitoring. This powerful combination can help to ensure that users don’t have access to what they shouldn’t and allow you to determine if someone is doing something out of the ordinary with something that they can access. By combining user activity and change monitoring you can watch how users (especially privileged users like sysadmins) use the rights they’ve been granted. It helps you spot and address unauthorized activity with concise, easy-to-read alerts that provide the “who, what, when and where” of unauthorized activity.
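The role-, time- and location-based access checks discussed in this post, together with a check for access left over after a role change, as an added example (not part of the original post or of any Micro Focus or NetIQ product). The roles, resources, working hours and country codes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Entitlement:
    resource: str
    start: time            # earliest local time access is allowed
    end: time              # latest local time access is allowed
    countries: frozenset   # countries the request may come from


# Constructed role model (assumption): each role lists only what the job needs.
ROLE_ENTITLEMENTS = {
    "marketing": [
        Entitlement("campaign-assets", time(7, 0), time(20, 0),
                    frozenset({"US", "DE"})),
    ],
    "finance": [
        Entitlement("general-ledger", time(8, 0), time(18, 0),
                    frozenset({"US"})),
    ],
    "engineering": [
        Entitlement("product-plans", time(8, 0), time(18, 0),
                    frozenset({"US"})),
    ],
}


def decide(role, resource, when, country):
    """Default-deny access decision. Returns (allowed, reasons)."""
    for ent in ROLE_ENTITLEMENTS.get(role, []):
        if ent.resource != resource:
            continue
        reasons = []
        if not ent.start <= when.time() <= ent.end:
            reasons.append("outside permitted hours")
        if country not in ent.countries:
            reasons.append("unexpected location")
        return (not reasons, reasons or ["role entitlement"])
    # No entitlement for this resource in the role: compartmentalization.
    return (False, ["resource not granted to role"])


def stale_grants(hr_role, current_grants):
    """Resources a user still holds that the current HR role does not justify."""
    justified = {ent.resource for ent in ROLE_ENTITLEMENTS.get(hr_role, [])}
    return sorted(set(current_grants) - justified)


if __name__ == "__main__":
    office_hours = datetime(2016, 4, 21, 10, 30)
    after_hours = datetime(2016, 4, 21, 23, 15)
    # Marketing has no business in the finance system.
    print(decide("marketing", "general-ledger", office_hours, "US"))
    # Normal engineering access during working hours from the home country.
    print(decide("engineering", "product-plans", office_hours, "US"))
    # Product plans requested after hours from a different country.
    print(decide("engineering", "product-plans", after_hours, "FR"))
    # Employee moved from finance to marketing but kept the old grant.
    print(stale_grants("marketing", ["campaign-assets", "general-ledger"]))
```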

Ron LaPedis

Global Sales Enablement Specialist

This post was originally published on the NetIQ Cool Solutions blog site on April 21 2016

Cloud nine or cloudburst? Cloud computing is reality, hybrid solutions are the consequence

In 2016, cloud computing is moving into the focus of many German mid-sized companies. Understandably so: driven by digital transformation, cloud computing optimizes the capital base by shifting selected IT costs from a capital expenditure model to an operating expenditure model. But what about security risks and the enforcement of compliance? Is data in the cloud really secure, where is it located and who controls it? In this new blog post, Christoph Stoica explains which aspects should be considered from an IT security perspective.

A look at Bitkom's current Cloud Monitor 2015 leaves no doubt: cloud computing has now arrived at German mid-sized companies as well, and adoption is advancing rapidly. One of the main drivers of the increased acceptance of the cloud in Germany is digital transformation. Products, services and processes are being redesigned on the basis of new technologies and applications, so that companies gradually turn into fully networked digital organizations. Anyone who thinks this is all a vision of the future and does not belong on the list of top priorities should be told: far from it!

We are already moving at top speed into a fully networked world. More and more people own mobile devices, leave digital traces in social networks, and wear wearables that send their personal data, voluntarily or not, and make it available to companies. Machines and objects can be addressed digitally at any time via sensors and SIM cards, which leads to changed and extended value chains. The mass of data collected in this way is an important raw material for companies that, used properly with skillful analytics tools, can provide the decisive competitive advantage. The question is therefore not whether digital transformation will happen, but rather how quickly company management sets the corresponding course in the IT infrastructure.

Digital transformation requires scalable infrastructures, both technically and in terms of international reach. Cloud services, whether public or private, with characteristics such as agility, adaptability, flexibility and responsiveness, are ideally suited to this. But what about the security risks and the enforcement of compliance? Is data in the cloud secure? Where exactly is my data and who controls it? Even though, following the recent Safe Harbor ruling, “big players” such as Amazon Web Services, Profitbricks, Salesforce and Microsoft are now moving their data centers to Germany or at least to an EU location, that still does not resolve all security questions. Given the larger attack surface, is access management based on simple authentication with a username and password still enough?

Usernames and passwords are easy to defeat these days; the new magic formula is multi-factor authentication. An advanced authentication method that uses additional factors enables fast and precise identification. Different users or situations require different authentication; the method used must fit both the role and the context of the user and, of course, match the risk classification of the requested information. Not every interaction carries the same risk for a company. Some interactions pose a greater danger. A high-risk interaction requires stronger authentication, ensured for example by an additional piece of information (known only to the user), by additional verification of identity over separate channels (known as out of band), or by other elements.

However, using and managing such multi-level authentication methods can become costly and confusing. With Advanced Authentication, Micro Focus offers a solution for the central management of all authentication methods, whether for your employees, suppliers or devices.

Christoph Stoica

Regional General Manager DACH

Micro Focus

Is Switzerland's know-how really still safe? Cybercrime knows no borders!

A sense of security shapes Switzerland's image just as much as an attractive economic zone with an innovative, high-performing economy. But how safe is Switzerland when it comes to cybercrime? Why should the cyber mafia and professional hackers spare Switzerland of all places, and why do domestically oriented companies rate these risks as rather low? Read in this blog which aspects matter for a more strategic view of information security.

Switzerland as a “safe haven”: hardly any other image better highlights the advantages of the Alpine state in the middle of Europe. Social, political and economic continuity is still regarded as the guarantor of the country's most important success factors in international competition.

A sense of security shapes Switzerland's image just as much as an attractive economic zone with an innovative, high-performing economy. But how safe is Switzerland when it comes to cybercrime? Partly because of this general feeling of security, the Swiss tend to think: “That won't happen to us!” But why should the cyber mafia and professional hackers spare Switzerland of all places? The Swiss economy in particular, from a modern financial services sector, through an innovative manufacturing industry that mainly produces high-tech and knowledge-based goods, to quality products bearing the “swiss made” label, is increasingly moving into the sights of such cybercriminals. It is these hallmarks that come under growing pressure in a highly networked world when the secrets of successful innovation are stolen.

According to a study by the University of Fribourg, industrial espionage and data theft are the greatest security risks, and espionage is a particularly lucrative business: confidential information can be sold to competitors, or the hacked company is blackmailed. In its study “Clarity on Cyber Security” of May 6, 2015, KPMG Switzerland estimates the annual damage in Switzerland alone at a minimum of 200 million francs. Yet this figure is probably only the “tip of the Matterhorn”, because many affected Swiss companies do not report attacks at all, and small and medium-sized companies in particular often do not even notice that they have become victims. Considering that about 99% of all companies in Switzerland that produce the valuable products or inventions belong to the small and medium-sized enterprise segment, it quickly becomes clear that SMEs in particular are called upon to improve their level of IT security. In the course of global networking, sending a simple email can be enough to let valuable knowledge fall into the wrong hands. The increasing use of mobile devices in both private and professional settings also poses a challenge for companies' IT security officers because of their many vulnerabilities.

Assessing risk areas is essential to ensuring IT security

To protect business and customer data from access by professional cybercriminals, a perspective focused solely on compliance is no longer sufficient. What is needed instead is a risk-based approach that sharpens the view of the relationship between assets, threats, vulnerabilities and measures. In addition, it is becoming increasingly important in risk assessment to know where generated data is stored and how it is aggregated.

Considering further that most network attacks today are based on stolen or weak passwords, a multi-factor authentication method should be a central component of a comprehensive security strategy. Such methods are able to limit attacks such as identity theft. When selecting the multi-factor authentication method that suits you, it is advisable to consider a range of questions:

  • Can I address new demands on my business, such as cloud and mobile devices?
  • How can I align authentication methods with my business risks and the needs of my users?
  • Can I centrally manage and control all my users and endpoints?
  • Who controls my authentication data?
  • How can I integrate additional layers of security to protect myself even more strongly against threats?
  • And how do I keep all of this practical and cost-effective?

More than ever, there is demand for authentication management solutions that offer simple implementation, automation, reduced TCO and a wide range of choices.

Thomas Hofmann

Systems Engineer – Micro Focus Switzerland

Beyond QWERTY: What is the best authentication method?

Organizations today operate in an increasingly complex IT environment. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Rik Peters investigates in this fascinating blog.

Our last blog discussed why passwords are not enough to preserve data and system integrity.

If you need further proof, check out this list of the most popular passwords of last year. You can probably guess that ‘123456’ and ‘password’ figure pretty high up the list – first and second respectively – but there are plenty of blatantly obvious and equally hackable alternatives.

The lists for 2014 and 2013 have exactly the same suggestions in identical positions. Clearly organizations cannot rely on their people to maintain IT security. So – what are the alternatives? This blog attempts to establish the best authentication method.

The key word is ‘attempts’. In an ideal world, I would just give you the definitive answer. Everyone’s data would be safe, the hackers would be foiled and everything would be rosy. But life isn’t like that and there really is no such thing as “the best authentication method”. Certainly not as a catch-all solution that works for everyone.

Case-specific authentication

The right authentication method differs for each use case, organization, user and even geographical location. To illustrate the problem of trying to apply a general rule to a diverse spread of user scenarios, I have created some generic use cases and offer some insight into what kind of authentication method would fit. But before we get to the hypothetical, let’s look at the reality.

Organizations today operate in an increasingly complex IT environment. Besides maintaining the supporting IT infrastructure they face new challenges, such as the Cloud and incorporating hybrid solutions. Add in the security issues of home working and contractor access and it is clear why the ‘password problem’ is pretty difficult to solve. Many authentication solutions only solve a specific part of the puzzle, as these scenarios illustrate.

  • We use remote access solutions like RSA and Vasco for remote access. We authenticate using hard or soft tokens to access the corporate VPN environment.
  • We are using on-premise solutions, including HID Smartcards or DigitalPersona biometrics to solve the password problem for employees.
  • We use Cloud solutions such as DUO and Symantec to help solve the federated authentication issue for protecting Cloud-based applications, including Salesforce and MS Office 365. These tend to use SMS or phone based authentication methods.

For some users it is perfectly normal to carry different tokens for their Cloud applications and VPN access and a smartcard for their corporate desktops – and to need strong authentication in three different systems.

Multiple passwords, more problems

These organizations can all maintain multiple solutions to solve the same password problem. This means a lot of work, cost and frustration for administrators and users alike; users need multiple authentication devices for the various environments while admins must maintain users in different systems.

So, back to our original question. What authentication fits best in which situation? Let’s try to define some use cases and match them with the three different authentication solutions.

  1. Remote access
  2. Desktop access
  3. Cloud access

So what authentication methods provide the best fit? Let’s start with the first.

Remote access
Users of corporate or home workstations need access to the company VPN. The best authentication method would not require software to be installed on the host workstation or connected to the workstation. So this would be a smartphone, tokens or email model.

Desktop access
Authentication takes place in a controlled environment on a company workstation. The organization controls what software runs on the devices and specifies the use of specific hardware, typically cards, biometrics, smartphones and hard tokens. Organizations with a BYOD policy typically share the same authentication practices as those using remote access.

Cloud access
Users tend to work on any device when accessing Cloud-based applications. These can be desktop, laptop, tablet or smartphone. Authentication methods requiring drivers or pre-installed software are a no-go here. Smartphones, tokens or email are fine.

So, while authentication methods vary between use cases, they are very alike for remote and Cloud-based access. Why are these methods not used in desktop access? Simply ease of use. Users find typing in an extra One-Time-Password every time they unlock their desktop too time-consuming. A fingerprint or smartcard is easier and faster.

Multiple challenges, single solution

So we need different software solutions for each use case, right? Not any more. The Micro Focus Advanced Authentication solution supports authentication methods for every use case. Users register their authentication devices through a single enrolment portal and administrators manage all the users and methods in a single admin interface. Certain groups, such as administrative users, should and can use stronger authentication than others.

So a multi-level problem really can have one solution. Clearly, IT environments are only going to become more complex and none of us know what the next innovation will bring. What is clear, though, is that any organization hiding their sensitive business data behind QWERTY may not be around to see it.