VTech to embed data breach acceptance in its Terms and Conditions

Following last year’s data breach at toy maker VTech, the company is now trying to embed acceptance of future data breaches in its terms and conditions. More than 6.3 million children’s accounts were affected by the breach, which gave the perpetrator access to photos and chat logs. VTech’s new terms and conditions state that parents must assume responsibility for future breaches.


Commenting on this, David Gibson, VP of strategy and market development at Varonis, said:

“Protecting customer, partner and employee data is a business requirement. Imagine if all the medical history questionnaires you fill out at the doctor’s office had a big warning on top, “If someone steals the information you provide here, it’s your problem.” Or a store saying, “feel free to use your credit card, but we’re not responsible if someone figures out how to steal the number from our systems.” Would you still do business with them? Shouldn’t digital information about children be treated with at least the same care? It’s possible that VTech may have run afoul of the US’s COPPA laws for protecting children’s data. The larger point is that consumers should expect reasonable data security without having to be personally liable.”



Investigations underway on suspected hacktivist dumping of over 10,000 DOJ/DHS employees

News broke overnight that contact details for more than 10,000 employees of the Departments of Justice and Homeland Security were dumped onto the web on Sunday and Monday by anonymous pro-Palestinian hackers. Although the breach was confirmed by a Department of Justice spokesperson, the severity of the hack is so far being played down, with the Departments saying that there is no evidence personal data like dates of birth or social security numbers were compromised.

David Gibson, VP of Strategy and Market Development at Varonis shared the following thoughts with @DFMag.

“The playbook is a cliché — phish an employee, steal their credentials, scan the local disk and network drives, download interesting files, repeat. All organisations need to expect and prepare for this. Employees usually have access to important data – they need it to do their jobs. A single compromised employee account means an attacker can access that same important data, too. The more data the employee has access to, the bigger the risk — and unfortunately, most employees have access to far more data than they need to do their jobs. Even additional preventive defenses can be circumvented with a little social engineering. Organisations must start watching and analysing how employees use data and systems to bolster their detective capabilities – think of it like credit card fraud detection for your data. Unusual file and email access should be red flags — good analytics can help spot these attacks before it’s too late.”



Don’t Fall Out With Your IT Person – Three-Quarters Have Seen Your Secrets At Work

More than three-quarters of IT professionals have seen and kept secret potentially embarrassing information about their colleagues, according to new research conducted by Unified Security Management™ leader AlienVault™.

The research, which surveyed the attitudes of more than 600 IT professionals into how they are treated, found that many are being called in to help get their colleagues out of embarrassing situations at the office.

Almost all the respondents (95%) said that they have fixed a user or executive’s personal computer issue during their work hours. In addition, over three-quarters (77%) said that they had seen and kept secret potentially embarrassing information relating to their colleagues’ or executives’ use of company-owned IT resources.

The study highlights that very high levels of trust and responsibility are being placed on IT professionals over the course of their working lives.

Javvad Malik, security advocate at AlienVault, explains: “IT professionals are the superheroes of modern organizations. They are the people we call when things go wrong and who will drop everything to come and help us out if a problem occurs. But they are also the ones we trust with our secrets at work. If you click on a link that you shouldn’t have, or download a potentially dangerous file, then they are the people you’ll call. Some IT pros also have access to emails and data that has been quarantined due to its sensitive content. This gives them a clear vantage point into your private affairs, so it’s very important that you trust them.

“Working in IT is a 24-hour-a-day career and the boundaries of the job often become blurred – be they the hours worked, or the actual work that needs to be done. Often working in isolation, IT teams are still considered to be supporting players in many workplaces, yet the responsibility being placed on them is huge. In the event of a cyber attack, network outage or other major issue, they will typically drop everything to fix the problem at hand.”

But despite the responsibilities of the job, most of the IT professionals surveyed said that they love their jobs. The largest group of respondents (36%) reported being happy or very happy at work, while 32% felt unhappy and 31% were neutral. This could be because trust between employees is often cited as an important part of employee engagement that helps to create a sense of happiness and loyalty within the workplace.[1] 

A separate report into employee retention among IT professionals, also conducted by AlienVault, found that happiness at work was the main reason that people chose to stay in their jobs. In this study, which polled the views of over 130 IT professionals, happiness at work was cited by 65% of respondents as the reason they stay in their jobs – considerably more than those who cited convenience (19%) and money (13%).

Malik offers further observations on this angle: “Much research and many column inches have been used to discuss the skills gap in IT security and the problems of retaining good staff. But many CISOs and Security Operations Centre managers say that trusting team members and empowering them to make decisions is a good way to retain their loyalty.

“In our experience, the number one factor that influences employee commitment is the manager-employee relationship. Sticking up for people is the most recognizable difference I have seen between good and bad bosses. Environments where people are quick to be thrown under the bus usually have higher churn.”


[1] Nancy Lockwood, Leveraging Employee Engagement for Competitive Advantage



Backdoor malware targets Skype

Researchers from Palo Alto Networks have discovered new backdoor malware that targets Skype and can capture video, audio and chat messages as well as files. The malware, T9000, is being used against a variety of businesses and uses a multi-stage installation process to evade detection.

Tim Erlin, Director of Security and Risk Strategy for Tripwire says, “As Skype becomes more and more of a tool for business, it’s no surprise that criminals are targeting it. Users may think of Skype as a valuable channel for exchanging information, but that user value translates into profit for cyber attackers. If data is the new currency, then conduits like Skype are the proverbial not-so-armored cars of the data economy. Users should note that this malware has to ask permission to access Skype, so it’s easy to thwart by just saying no.”



Biometrics: Physical Attributes vs. Behavioural Patterns – The Privacy Debate

By Robert Capps, vice president of business development at NuData Security

Account takeovers are affecting a growing population of online user accounts due to a confluence of threats, such as weak consumer password practices, frequent mass data breaches and brute force attacks against web properties. The scope, scale and frequency of these online attacks against user accounts have demonstrated time and again that companies can no longer rely upon authentication methods based on static elements that can and will be stolen, traded and sold to the highest bidder in underground markets.

These trends have recently led organisations to consider the use of human biometric characteristics to supplement standard, but weak, single-factor authentication schemes that have historically relied on a shared secret, such as a password, to validate that the rightful owner of an online account is the one who is accessing it. As these organisations investigate advanced authentication methods, they face an environment where the term “biometrics” has become an industry buzzword that encompasses a number of human second-factor solutions, from “selfie”-based facial recognition to fingerprint and iris scans, behavioural patterns, voice – even the human heartbeat.

As such technology is increasingly proposed and used in online and offline transactions, the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective.

When most people who do not live and breathe online security hear the word “biometrics”, they immediately think of Tom Cruise in Mission Impossible, using physical attributes such as fingerprints, handprints, retinal scans, voice prints and facial recognition to secure access to some highly protected asset or location. For some reason, they don’t generally link the use of these elements to a secure login to an ecommerce, banking, or social media website.

While the use of these physical biometric factors has been a boon for physical security, where the person to be authenticated is physically present for enrolment and subsequent authentication, many factors quickly lose effectiveness in an online world, where the user enrols and authenticates through a consumer-grade device that they own and control.

There are several factors companies must consider before relying on physical biometric technology to authenticate users in an online environment. The first consideration is that using only one physical biometric data point to authenticate a user at the time of login is essentially the same as adding a static second password – albeit one that can never be changed if compromised.

Perhaps the most significant issue with relying on physical biometrics for online authentication is that they can be captured and, in some cases, reused. Take a fingerprint as an example: using such a physical biometric attribute is like an employee writing a password on a Post-it note, except that instead of sticking it to their computer screen, they leave a copy behind everywhere they go. Humans leave behind biometric traces with every glass they pick up, every piece of gum they discard and every camera that records their image.

Unlike passwords or credit card numbers, a person’s physical biometric attributes can never be changed, resulting in privacy and identity concerns if a high quality reproduction of a biometric element were to be obtained by a malicious actor. Just this past September, 5.6 million fingerprints were stolen from the Office of Personnel Management (OPM). From a security perspective, there are several possible use cases where compromised biometric data, like that taken from OPM, can be used to access accounts without the user being present. The infamous gummy bear attack used against a newly released product with embedded fingerprint scanning, for example, was a variation on a well-known physical hack for in-person fingerprint scanners dating back to 2002.

Alarmingly, as authentication of high value transactions increasingly moves to multi-factor authentication using some form of physical biometric, there is a real potential for criminals to shift their focus to obtaining the biometric identifier through violence. For this reason alone, many companies are steering well clear of physical biometrics.

Even so, not all biometric factors carry the same risk of impersonation or loss of effectiveness when used to authenticate online interactions.

A much less invasive and more consumer-friendly technique leverages signals generated by the way in which a human interacts with the world around them. Taken in aggregate, such behavioural signals are highly effective at identifying repeat good users, are self-enrolling, and tolerate changes in the patterns presented as a user’s behaviour naturally changes over their lifetime.

For an example of how behavioural data is useful in identifying a legitimate account holder, think about how you use your smartphone to interact with a website or application. Do you realise that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?

This method, dubbed “behavioural biometrics”, aggregates hundreds of these human and interaction signals, creating a unique signature for each authentic user.

Using these subtle signals and unique signatures, organisations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used in conjunction with the authentic account holder’s computer or mobile device.

Unlike physical biometrics, the behavioural signals that make up a behavioural biometric profile cannot be stolen, duplicated, or reused – so they have no value to criminals. Even if a high fidelity copy of an authentic user interaction were made, the mere attempt to replay the past interaction would in itself be an anomaly that is out of pattern for any human user.
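To make the idea in the last few paragraphs concrete, here is an added toy implementation (not NuData’s product code and not from the original article) of a behavioural profile: per-feature statistics learnt from a user’s own sessions, a z-score check that rejects a different human holding the owner’s device with the correct password, and a replay check in which an exact copy of a past session is itself flagged. The feature names, floor values, threshold and every session value are constructed assumptions.

```python
# Added illustration of a behavioural-biometric profile; not NuData's code.
# Feature names and all sample values are constructed for this example.
import hashlib
import math

# One "session" is a tuple of interaction signals in this fixed order
# (constructed feature set modelled on the signals the article lists).
FEATURES = ("tilt_deg", "landscape", "thumb_ratio", "press_force", "key_interval_ms")


class BehaviourProfile:
    """Running mean/variance per feature (Welford's method) plus a record of
    every session already accepted, so an exact replay can be recognised."""

    def __init__(self):
        self.count = 0
        self.mean = [0.0] * len(FEATURES)
        self.m2 = [0.0] * len(FEATURES)
        self.seen = set()

    def update(self, sample):
        """Self-enrolment: fold an accepted session into the profile."""
        self.count += 1
        for i, x in enumerate(sample):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.count
            self.m2[i] += delta * (x - self.mean[i])
        self.seen.add(session_hash(sample))

    def spread(self, i):
        """Sample standard deviation, floored so a constant feature (e.g. a user
        who never rotates to landscape) cannot divide by zero; floors are assumptions."""
        std = math.sqrt(self.m2[i] / (self.count - 1)) if self.count > 1 else 0.0
        return max(std, 0.05 * abs(self.mean[i]), 1e-3)


def session_hash(sample):
    """Toy replay check: fingerprint the quantised feature vector. A real system
    would compare the raw event stream rather than a summary vector."""
    return hashlib.sha256(",".join(f"{x:.4f}" for x in sample).encode()).hexdigest()


def score(profile, sample, z_threshold=3.0, z_cap=10.0):
    """Return (verdict, mean_z). A verbatim copy of a past session is itself out
    of pattern ("replay"); otherwise the mean of the capped per-feature z-scores decides."""
    if session_hash(sample) in profile.seen:
        return "replay", float("inf")
    zs = [min(abs(x - profile.mean[i]) / profile.spread(i), z_cap)
          for i, x in enumerate(sample)]
    mean_z = sum(zs) / len(zs)
    return ("anomaly" if mean_z > z_threshold else "match"), mean_z


def authenticate(profile, sample):
    """Score a session; accepted sessions re-enrol, so the profile drifts with
    the user's habits over time instead of rejecting them later."""
    verdict, mean_z = score(profile, sample)
    if verdict == "match":
        profile.update(sample)
    return verdict, mean_z


# Constructed enrolment sessions for one account holder.
OWNER_SESSIONS = [
    (4.0, 0, 0.90, 0.42, 150),
    (4.5, 0, 0.85, 0.45, 160),
    (3.8, 0, 0.92, 0.40, 145),
    (4.2, 0, 0.88, 0.44, 155),
    (4.4, 0, 0.90, 0.43, 158),
    (3.9, 0, 0.87, 0.41, 148),
]
OWNER_NEW = (4.1, 0, 0.89, 0.43, 152)   # the owner, on a later day
IMPOSTOR = (-6.0, 1, 0.20, 0.80, 90)     # valid password, owner's phone, different human
REPLAY = OWNER_SESSIONS[0]               # high-fidelity copy of a past session


def build_profile(sessions):
    profile = BehaviourProfile()
    for s in sessions:
        profile.update(s)
    return profile


if __name__ == "__main__":
    p = build_profile(OWNER_SESSIONS)
    for label, s in (("owner", OWNER_NEW), ("impostor", IMPOSTOR), ("replay", REPLAY)):
        print(label, *authenticate(p, s))
```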

Collecting behavioural biometric data is non-invasive for the consumer, as they do not have to enter, enrol in, or provide any additional information to a website or application. They simply keep doing what they are used to doing, interacting with the sites and services as they always have. Because human and interaction signals are collected rather than physical biometric characteristics, the approach is far more privacy-friendly than physical biometrics.

As organisations consider layering additional authentication technology and methods to secure their users’ accounts, they must select methods that reduce friction for their good users, reduce risk to the organisation or the consumer, and are sensitive to the privacy concerns of their users – all the while making the reuse of compromised authentication and identity information nearly impossible.

With appropriate protections in place, online businesses can continue as usual, and with great confidence – even in the face of frequent data breaches and poor consumer security habits.



A New Design for Cloud Security

By Russell Spitler, Vice President, Product Strategy, AlienVault

A recent survey by AlienVault found that 90% of organizations are still concerned about security risks in the cloud. It’s clear that these concerns are holding many people back from full cloud adoption – but is this justified? In truth, it’s mostly a matter of perspective and planning. The cloud is not an inherently insecure environment, but it has a different security model which needs to be thought through carefully. It is, however, a new environment, and one which requires a careful analysis of the responsibilities and a clear understanding of the different parties involved. But approached in the right way, the cloud has the potential to be far more secure than the traditional data center environment.

It’s important to clarify terminology when discussing the cloud, because key terms can mean different things to different people, so confusion can set in right from the outset. Our dialogue on this topic is often confused and leads to an early disconnect at best or a fundamental misunderstanding at worst. This confusion about security in the cloud causes hesitance to leverage the various forms of cloud services to their fullest potential. To be very explicit, “cloud security” can mean three very different things:

A SaaS (software as a service) offering that provides a security service
An offering that helps you monitor SaaS services (note that this has no bearing on its delivery form – SaaS, on premise software or appliance)
The set of tools/features required to secure an IaaS (infrastructure as a service) environment.

Understanding these three variants of ‘cloud security’ is important to then realize the promise and the risk of your own use of the cloud.

The risk we run with the cloud largely depends on the nature of our use. However, since cloud services have proven to be viral in nature, most organizations make use of both SaaS and IaaS, whether or not this is in line with corporate policy. Recent research has shown SaaS offerings being leveraged as points of data exfiltration and used as command and control (C&C) channels. This is an ingenious way to side-step traditional perimeter-based detection technologies: by routing an attack through a SaaS service, the controls traditionally used to detect large-scale data loss and C&C traffic are rendered useless, as the malicious activity now blends with the benign. This integration of SaaS into attackers’ methods is a sure sign of widespread cloud adoption. In a similar vein, research has been published on attacks that target IaaS environments and leverage components of the IaaS service as a mechanism for privilege escalation or to pivot within the environment. This again reflects attackers’ increased understanding of the nature of IaaS and increases the responsibility of users to properly monitor and secure such environments.

Even with a current understanding of the risks related to the use of IaaS and SaaS, we need to remind ourselves where the causality lies. Attackers target and leverage these services because that is where our data is stored. An attacker who is targeting us will not simply stop if we are not using the cloud; they will simply use other techniques against us. A similar point can be made for broad-based attacks. If the broad-based attacks we face today only targeted cloud environments, we might have a case against using such environments. However, at this point the majority of broad-based attacks still target traditional environments. Thus, avoiding the cloud is not an action that will make us inherently more secure. Just as with the adoption of any other technology, we must understand the cost and weigh it against the benefits of use.

When working with cloud providers it is important to establish which security responsibilities you retain and which are managed by the provider. Depending on the nature of the service, the line of responsibility shifts: for IaaS providers, the customer is responsible for everything from the operating system up; for SaaS providers, the customer is responsible for its privileged users. This has a major impact on the security controls we implement to hold up our end of the bargain. With IaaS providers, we need to start at the OS level and take full advantage of the automation and configuration tools provided. Beautifully segmented networks with fully encrypted network connections and hardened systems are now scriptable features of our data centers. With both IaaS and SaaS providers, we need to keep a close eye on the administrative audit logs to monitor privileged user access and ensure appropriate use of the features in the environment. Automated analysis and monitoring of these logs is critical to telling the difference between a DevOps engineer spinning up a new server and an attacker taking advantage of compromised credentials.
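As an added example (not part of the article and not AlienVault’s product code), the following script shows the kind of automated audit-log analysis the paragraph calls for: it learns each principal’s usual source addresses and privileged actions from a historical window, then flags later privileged events that depart from that history, separating the engineer’s routine instance creation from the same credentials being used at 3 a.m. from a new address. The event format, action names, business-hours window, principals and addresses are all constructed for the example.

```python
# Added example of triaging IaaS administrative audit events; not AlienVault's code.
# The event format, action names, principals and addresses are constructed.
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed set of actions treated as privileged (not a real provider's API names).
PRIVILEGED = {"instance.create", "firewall.rule.modify", "iam.user.create",
              "iam.policy.attach", "audit.logging.disable"}
ALWAYS_SUSPECT = {"audit.logging.disable"}   # worth a look even from a known admin
BUSINESS_HOURS_UTC = range(7, 20)            # assumption for this tenant

# Constructed newline-delimited JSON audit log: two days of routine DevOps work,
# then the same principal's credentials used at 03:00 from a new address.
SAMPLE_LOG = """
{"time": "2016-02-08T10:12:03Z", "principal": "alice", "source_ip": "203.0.113.10", "mfa": true, "action": "instance.create", "target": "web-07"}
{"time": "2016-02-08T10:15:41Z", "principal": "alice", "source_ip": "203.0.113.10", "mfa": true, "action": "firewall.rule.modify", "target": "sg-web"}
{"time": "2016-02-09T11:02:19Z", "principal": "alice", "source_ip": "203.0.113.10", "mfa": true, "action": "instance.create", "target": "web-08"}
{"time": "2016-02-10T03:07:55Z", "principal": "alice", "source_ip": "198.51.100.77", "mfa": false, "action": "iam.user.create", "target": "svc-backup2"}
{"time": "2016-02-10T03:08:30Z", "principal": "alice", "source_ip": "198.51.100.77", "mfa": false, "action": "iam.policy.attach", "target": "svc-backup2:admin"}
{"time": "2016-02-10T03:09:02Z", "principal": "alice", "source_ip": "198.51.100.77", "mfa": false, "action": "audit.logging.disable", "target": "trail-main"}
{"time": "2016-02-10T09:30:00Z", "principal": "bob", "source_ip": "203.0.113.22", "mfa": true, "action": "storage.object.get", "target": "reports/q4.pdf"}
{"time": "2016-02-10T09:45:12Z", "principal": "alice", "source_ip": "203.0.113.10", "mfa": true, "action": "instance.create", "target": "web-09"}
"""

# Baseline is learnt from events before this instant; later events are triaged.
CUTOFF = datetime(2016, 2, 10, tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events, cutoff):
    """Per principal: source addresses and actions seen before the cutoff."""
    base = defaultdict(lambda: {"ips": set(), "actions": set()})
    for e in events:
        if e["time"] < cutoff:
            base[e["principal"]]["ips"].add(e["source_ip"])
            base[e["principal"]]["actions"].add(e["action"])
    return base


def reasons_for(event, baseline):
    """Ways in which a privileged event departs from the principal's own history."""
    b = baseline.get(event["principal"], {"ips": set(), "actions": set()})
    reasons = []
    if event["source_ip"] not in b["ips"]:
        reasons.append("new_ip")
    if not event.get("mfa", False):
        reasons.append("no_mfa")
    if event["time"].hour not in BUSINESS_HOURS_UTC:
        reasons.append("off_hours")
    if event["action"] not in b["actions"]:
        reasons.append("new_action")
    if event["action"] in ALWAYS_SUSPECT:
        reasons.append("always_suspect")
    return reasons


def triage(events, cutoff, min_reasons=2):
    """Privileged events after the cutoff that accumulate enough deviations
    (or touch an always-suspect action) to warrant a human look; threshold is an assumption."""
    baseline = build_baseline(events, cutoff)
    flagged = []
    for e in events:
        if e["time"] < cutoff or e["action"] not in PRIVILEGED:
            continue
        reasons = reasons_for(e, baseline)
        if len(reasons) >= min_reasons or "always_suspect" in reasons:
            flagged.append({"time": e["time"].isoformat(), "principal": e["principal"],
                            "action": e["action"], "target": e["target"], "reasons": reasons})
    return flagged


def run():
    return triage(parse_events(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    for f in run():
        print(f["time"], f["principal"], f["action"], f["target"], ",".join(f["reasons"]))
```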

To really take advantage of the cloud, we need to design a new strategy for cloud security. But by taking the time to understand both our own and our chosen cloud provider’s roles and responsibilities, the potential is limitless. It’s a new way of working and requires a new mindset, but can also reap significant rewards and benefits.



A Tsunami of malware

New research from Panda Security shows that cybercriminals were creating new malware samples at a rate of more than 230,000 a day in 2015. Craig Young, Cybersecurity Researcher at Tripwire told @DFMag:

“Looking at figures such as the ones reported by Panda, it is not hard to understand why anti-virus vendors have a hard time keeping up. Twenty years ago it may have been sufficient to simply scan for known signatures of malicious software, but in 2016 there is a constant stream of new malware along with variations of old malware. Effective security solutions now need to closely monitor the system for behavior associated with malicious programs such as manipulated DNS settings, new browser plugins, and new startup items. Recognizing and preventing such activities goes a long way toward defanging all but the most pernicious malware.

Unfortunately the data from Panda is a clear indication that crime does pay. The malware industry has evolved into a complex criminal economy with a community of specialists ranging from programmers and translators to service providers and money mules. Individual malware campaigns have been cited as bringing in revenue in the hundreds of millions of dollars per month, attracting many unemployed or underemployed technical experts from around the globe. While this is an illegal enterprise in much of the world, some countries do not take action against malware distribution and allow virus writers to operate rather openly.”



IT Security staff seek interesting work over higher pay

IT security professionals are motivated by challenging and exciting work, rather than higher pay, according to a new report into IT employee retention from AlienVault.

The skills gap in IT security has been well documented, and adds another dimension to the security threats facing online businesses. This latest report examines why IT security staff choose to leave their jobs, and what motivates them to stay where they are. The findings include:

The highest number of respondents (40%) moved jobs to seek ‘more challenging and exciting work’ – more than those who sought higher pay (23%) and flexible working (17%)
Nearly two-thirds of those surveyed (65%) stay in their jobs because they are happy and content – considerably more than those who stay put for convenience (19%) and money (13%)

The report also contains advice from CISOs and Security Operations Centre managers about retaining good employees. This includes making the work meaningful, offering career progression opportunities and placing trust in team members by empowering them to make decisions.

A copy of the report can be found here



Top Five Enterprise Data Privacy Mistakes 

Global businesses are re-evaluating their data privacy programs this year as new privacy regulations targeted at businesses take effect. The European General Data Protection Regulation is a new privacy regulation with fines as high as four percent of annual global revenue for companies that fail to safeguard the data of EU citizens and residents. In the U.S., 16 states recently introduced new, ACLU-supported data privacy legislation. In spite of efforts to improve privacy protections, many enterprises are not doing enough to protect consumer data.

“Data privacy day is a great opportunity for organizations to reevaluate their privacy program,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

1. Failure to keep only essential consumer data: Many organizations keep a lot of customer data in case they need it “someday.” While this approach may seem prudent, this data can easily become a major target for cyber attackers and, because it isn’t business critical, it may not receive the same protections as other, more sensitive data.

2. Failure to encrypt customer data: While there are some regulatory requirements for encrypting customer data, companies need to establish internal processes to keep data encrypted. Leaving customer data unencrypted makes it much easier for attackers to grab.

3. Failure to secure access paths: Encrypting customer data is important, but it must be decrypted for use in an application at some point. Attackers will aim to compromise the applications that use customer data in order to get to that data. “Don’t worry, the data is encrypted,” is a dangerous mindset.

4. Failure to patch known vulnerabilities: Security experts may be more interested in the technical analysis of the latest malware, but successful attacks are more likely to exploit the three-year-old web server vulnerability that gets them access to high value data. Patching systems isn’t glamorous, but it’s essential to protecting data.

5. Failure to monitor and control simple misconfigurations: More than one of the breaches that have been in the headlines recently has been the result of a misconfigured database or server. If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can leverage.



New Data Security Survey Reveals Glaring Concerns Within UK Public Sector

As data breaches and data loss in the public sector escalate, implementing stringent data security safeguards is a key priority. Towards the end of 2015, GovNewsDirect conducted the Public Sector Data and Information Security Survey. The objective of this survey was to give public sector staff the opportunity to benchmark their organisations against others and explore specific areas of concern.
The survey received a fantastic response, with over 600 completed responses. The results provide a detailed analysis of the challenges facing our public services. The survey found that:

65% had serious concerns regarding data security within their organisation.
‘Errors by Staff’ and ‘Simple Loss of Data’ were the greatest concerns.
‘Denial of Services by Hackers’ was of least concern to those surveyed.
55% of all security breaches originate from someone with access already.
Data loss can be malicious but, more often than not, it is accidental or the result of human error.

All respondents were granted full anonymity in their report of their concerns surrounding their organisation’s data loss incidents and procedures.

Many additional comments are candid and disturbing. A significant number of staff commented on their organisation’s shortcomings with safeguarding public data, with one respondent stating that “We have no consistent or centralised reporting system, it is all ad-hoc” whilst another individual revealed that “We only review systems and processes after events/incidents.”

Some respondents confessed that management of data was hindered due to “…legacy infrastructure” and “old” or “basic systems.”

With the advent of the new EU legislation (GDPR), the public sector must be prepared for a more modern yet tougher data protection policy. There is now a pressing need for all organisations to implement data security safeguards or risk punitive fines.

The management of data access rights (who has access to data within any organisation at any one time) was a key focus of this survey, which was conducted in partnership with access rights management specialists 8MAN.

Access rights affect all levels of management, and a large number of respondents reported that access management left an organisation vulnerable to data loss, attacks or breaches.

The Public Sector Data and Information Security Survey provides a wealth of conclusions and analysis with compelling results. Over 1000 public service management professionals have already accessed the results report since its publication on Jan 14th 2016.