Privileged identity theft can cripple your business

By Csaba Krasznay, Security Evangelist at Balabit

It may come as a surprise that seven out of ten of the largest data breaches recently have all had one thing in common.

Privileged identity theft is on the rise; however, business leaders are failing to realise the devastating impact this can have on their business as well as what they can do to mitigate this invasive threat.

Although it can be hard to quantify the impact of breaches involving compromised credentials, the total amount of records stolen is believed to be in the billions. This includes sensitive information such as credit card details, user accounts, employee information, and health records amongst others. Attacks such as these are happening on a global scale, including the far-reaching Yahoo data breach and even the Swedish Transport Association breach, which saw the theft of classified information from third-party credentials. Organisations must take action before they too become victims of privileged identity theft.

Privileged identity theft involves the theft or compromise of credentials providing access to privileged accounts within a business. This could mean stolen admin usernames and passwords through phishing methods, or the use of low-security passwords such as ‘admin’ or ‘password.’

How do credentials become compromised?

It’s now widely accepted that perimeters alone are not enough to keep data safe. We are living more and more of our lives online, and through public-facing apps, BYOD, and hybrid IT networks the number of attack vectors has increased exponentially; hackers can easily exploit these vulnerabilities.

External research

While there are examples of privileged users such as system administrators being exploited via social engineering tactics, attackers are far more likely to choose a softer target initially.

Employees tend to struggle with understanding security risks compared to IT personnel. This means they can become vulnerable to attackers. Once the credentials of user accounts have been compromised, the attackers will then turn their attention to the privileged accounts, which are far more valuable. With the proliferation of information available to attackers from social networks, it’s unsurprising that attackers are able to craft convincing messages to manipulate users.

Gain a foothold – Attackers have several go-to methods when it comes to gaining access to an IT environment. They can even use a combination of tactics to gain a foothold, which makes it possible for them to perform internal reconnaissance. Both phishing and spear-phishing remain popular ways of gaining an in, despite the issue being a focus for IT teams. Intrusions often begin with an attempt to trick an unsuspecting user into accidentally giving away some information or performing an action to further the attacker’s motives.

This is usually carried out through an email or instant message. A phishing attempt will try to convince the user to share valuable information (such as login credentials) or, in some cases, to open a bogus document or click on a link which enables the attacker to download and install malware. Spear-phishing involves more targeted research gathering on the victim organisation. The attacker will often carry out this research and use it to craft a convincing email to dupe their target. Another way criminals can learn valuable information is by installing other types of malware on a user’s PC or device.

Attackers can then install software that can either allow them to take over the victim’s device or gather information such as credentials. A common way this is done is by installing keylogger malware, which can record every keystroke and steal every password entered by a victim.

Internal reconnaissance – The next step in the process once an attacker has established themselves within the victim’s IT environment is to perform internal reconnaissance. During this period, they will attempt to gather as much information as possible about the IT environment in order to map out the network and systems they’re infiltrating. There are a number of network diagnostic tools which can help accomplish this, including ping, traceroute and netstat. DNS records and port scanners such as nmap can also yield very valuable information about the victim’s IT environment.

Privilege escalation – Once an attacker is armed with this knowledge about the network, they can move on to acquiring higher privileges with the ultimate aim to take over the domain controller. Pass-the-hash, SSH key acquisition, kernel and services exploits are three common techniques used to escalate privileges.

What can you do to reduce the risk of privileged identity theft?

One of the quickest wins for organisations looking to alleviate the risk of privileged identity theft is to fix weak security practices. Here are a few ways your organisation can protect itself.

  1. Keep on top of privileged accounts – As IT environments grow, so do the number of administrative, service and other types of privileged accounts. It’s often the case that enterprises running networks with thousands of servers and network devices lack a comprehensive, up to date inventory of these assets.
  2. Limit access for each privileged account – Limit the access across the infrastructure of any privileged account to enforce a principle of least privilege. Every account should have the minimum rights needed to carry out their specific tasks. So, an account set up for administering an application should not have any system privileges beyond what is required to change the application’s configuration and to restart the application. It’s also important to avoid enabling accounts on systems where they are not needed.
  3. Remove unnecessary accounts and privileges where you can – Insufficient offboarding often creates a security gap where employees that have left the company or changed positions still have credentials. Deleting or updating these is essential to tie up any loose ends.
  4. Put a formal password policy in place – Companies with a well-developed security posture usually implement a formal password policy for privileged accounts. This policy should make changing default passwords mandatory and require stronger passwords. This should be obvious, but the sharing of passwords should also be strictly prohibited. These recommendations should go without saying, but companies who fail to take these steps are just making a hacker’s life easier.
  5. Avoid short cuts – Most employees accessing privileged accounts such as administrative accounts and service accounts are doing so in order to complete daily tasks. Naturally, a privileged user’s goal is to work as efficiently as possible, which can lead to taking risky shortcuts when it comes to security. This can be tackled with a strong, well-rounded security awareness education programme.
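
An added example, not part of the original article: a Python audit that applies points 1 to 4 of the list to a privileged-account inventory and reports accounts that are undocumented, enabled where they are not needed, over-privileged, owned by someone who has left, still on a default password, or shared. All account names, hosts, rights, employees and the role baseline are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    owner: str                      # person accountable for the account
    role: str
    rights: frozenset               # rights currently granted
    hosts: frozenset                # systems where the account is needed
    default_password_changed: bool
    users: frozenset                # everyone who knows the credential

# Constructed policy: the minimum rights each role needs (point 2).
BASELINE = {
    "app-admin": frozenset({"app:configure", "app:restart"}),
    "db-admin": frozenset({"db:backup", "db:configure"}),
}

# Constructed inventory of documented privileged accounts (point 1).
INVENTORY = [
    Account("app_admin", "alice", "app-admin",
            frozenset({"app:configure", "app:restart", "sys:root"}),
            frozenset({"app01"}), True, frozenset({"alice"})),
    Account("db_admin", "bob", "db-admin",
            frozenset({"db:backup", "db:configure"}),
            frozenset({"db01"}), False, frozenset({"bob", "carol"})),
]

# Constructed scan result: privileged accounts actually enabled per host.
DISCOVERED = {
    "app01": {"app_admin"},
    "db01": {"db_admin", "app_admin"},
    "web01": {"svc_legacy"},
}

ACTIVE_EMPLOYEES = {"alice", "carol"}   # bob has left the company (point 3)


def audit(inventory, discovered, active_employees, baseline):
    """Return sorted (account, finding, detail) tuples for every violation."""
    known = {a.name: a for a in inventory}
    findings = []
    # Point 1 and the end of point 2: compare what exists with what is documented.
    for host, names in discovered.items():
        for name in names:
            acct = known.get(name)
            if acct is None:
                findings.append((name, "UNINVENTORIED", host))
            elif host not in acct.hosts:
                findings.append((name, "ENABLED_WHERE_NOT_NEEDED", host))
    for a in inventory:
        # Point 2: anything beyond the role baseline is excess; an unknown
        # role has an empty baseline, so all of its rights are flagged.
        excess = a.rights - baseline.get(a.role, frozenset())
        if excess:
            findings.append((a.name, "EXCESS_RIGHTS", ",".join(sorted(excess))))
        # Point 3: credentials left behind by insufficient offboarding.
        if a.owner not in active_employees:
            findings.append((a.name, "ORPHANED_OWNER", a.owner))
        # Point 4: default passwords must be changed, passwords never shared.
        if not a.default_password_changed:
            findings.append((a.name, "DEFAULT_PASSWORD", ""))
        if len(a.users) > 1:
            findings.append((a.name, "SHARED_PASSWORD", ",".join(sorted(a.users))))
    return sorted(findings)


def audit_sample():
    return audit(INVENTORY, DISCOVERED, ACTIVE_EMPLOYEES, BASELINE)


if __name__ == "__main__":
    for account, finding, detail in audit_sample():
        print(f"{account:10} {finding:26} {detail}")
```
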

The number of organisations falling prey to privileged identity theft is growing and it remains a popular attack vector. Fortunately, relatively simple process improvements along with the correct technologies such as session management and account analytics can help spot compromised privileged accounts before attackers are able to inflict any damage.

Navigating the Brave New World of Cybersecurity Investing

Great article from Kaiyleigh Kulp CNBC

Data breaches such as Equifax’s recent hacking scandal are a nightmare for hundreds of millions of consumers. They do, however, offer lucrative opportunities for niche investors and venture capitalists who are banking on the ability of new cybersecurity, artificial intelligence and data protection technologies to solve one of the world’s largest evolving problems.

“Security is one of the best near- to mid-term market segments to be in,” said venture capitalist Rick Grinnell, who began investing in early stage cybersecurity and artificial intelligence firms more than 15 years ago and now operates his own venture capital firm, Glasswing Ventures.

Venture capital firms invested $3.1 billion in nearly 300 cybersecurity startups in 2016, according to research firm CB Insights. Top-funded, privately held cyber companies now include Tanium, which has raised about $395 million to support its endpoint protection technology, and Lookout, which has raised about $281 million and secures smartphones. The two are each valued at more than $1 billion, CB Insights reports.

It’s no surprise money is pouring into the cybersecurity sector: About 64 percent of Americans have experienced a data breach, according to Pew Research Center. Around half of Americans do not trust the federal government or social media sites to protect their data, Pew found. The Identity Theft Resource Center has uncovered 1,120 data breaches to date this year, with some 171 million records exposed.

Yet, despite the flow of dollars into the industry — to the tune of about $90 billion — it’s growing somewhat “slowly,” at about 10 percent a year, Grinnell said.

To top it off, “the bad guys have more money to spend than the good guys,” said Vikram Phatak, CEO of NSS Labs in Austin, Texas. NSS Labs creates independent performance scorecards for security company products.

In fact, one of the biggest threats to cyber investors is that their technologies may be proven to have holes or be exploited. If they are, their value essentially becomes negative, said Grinnell at Glasswing Ventures.

That hasn’t stopped entrepreneurs from trying to create the holy grail that banks, health-care companies, credit bureaus and card issuers can rely on to protect sensitive personal data.

“Data is the new type of petrol … it’s an incredibly large space that has become more and more complicated,” said Sunil Madhu, CEO of Socure. The firm is a provider of digital identity verification predictive analytics technology that recently secured about $14 million in a series B round led by Commerce Ventures (raising about $27.5 million to date).

Socure’s revenues have grown 600 percent over last year, Madhu said, and its valuation is pegged at $55 million. Three of Madhu’s five ventures have been in cybersecurity.

Venture capital firms aren’t the only ones able to capitalize; individual investors also have a few publicly traded opportunities to gain diversified exposure to the sector, such as the ETFMG Prime Cyber Security ETF and First Trust Nasdaq Cybersecurity ETF. Both have performed well this year, with the former trading at about $30 per share, up from about $26 a year ago. The latter, meanwhile, is trading at about $22 per share, up from about $19 a year ago.

The Prime Cyber Security ETF “has proven itself to be a very popular ETF, and it’s a good tool for positioning in the cybersecurity space,” according to Erika Jensen, president of Respire Wealth Management. “That’s where we live now and there’s no doubt that there will always be a need for new technology and new protection.”

Cyber-knowledgeable and experienced investors are betting on individual companies with particular technologies — such as block-chain, which helps isolate and log data using cryptography — that they think will be revolutionary or that have a specific focus.

NSS Labs’ Phatak believes even big players such as Microsoft are currently undervalued based on the innovation they are making to secure data in the cloud. In the Advanced Endpoint Protection market, Symantec, McAfee and Sophos are good buys for their effectiveness, while the privately-held Cylance, an artificial intelligence based company, has about $250 million in revenue and may soon have an IPO, according to Phatak.

Grinnell is bullish on network security innovator Palo Alto Networks. At about $147 per share, it has almost tripled in value in five years. The value of Proofpoint has increased about eightfold in that time to about $90 per share. The company offers information, email and digital risk protection services, among other cybersecurity products.

How long the cyber market will be on the up and up is hard to say, since there are now many firms and parts that aren’t quite yet working together to create a cohesive or uniform solution, said Michael Sury, a lecturer in finance at the University of Texas at Austin.

“The biggest issue that I hear today from these investors is that of standards,” he said. “Security protocols don’t yet have an industry-wide standard that companies can rely upon.

“This may mean that there will be first-mover advantages, or it could mean that the market is so fragmented that there will be many players,” Sury added.

This can be good for investors because it creates plenty of consolidation opportunities, according to Grinnell at Glasswing Ventures. His past successful cyber-related exits were at five to 20 times their investment, one example being Resilient Systems, which was acquired by IBM last year for its innovative security operations and response platform (IBM itself has $2 billion in security revenue and hired 1,000 new security experts in 2015).

At the end of the day, there’s going to be reckoning, said Phatak of NSS Labs. “It won’t be in the next couple of years,” he said. “All these companies with all of this funding are going to have to show profitability … it’s a market for lemons.

“Cybersecurity is one of the few industries where you don’t have solid metrics.”

Scared of Cybercrime? You Should Be

Great article by guest writer Brent Cooper, Full Article Here:

It’s a scary time, and not just because Halloween’s been upon us.

Those in the cybersecurity world, like technology expert Dave Hatter (who is also the mayor of Fort Wright) have been sounding the alarm for years.

“Cybersecurity is a top issue for our entire community,” Hatter said. “We need to do more to protect ourselves. With a seemingly endless stream of increasingly sophisticated attacks, none of us feel safe at the moment.”

Consider these statistics.

  • 32 percent of companies said they were the victims of cybercrime in 2016.
  • 65 percent of professionals identified phishing and social engineering as the biggest security threat to their organization.
  • The average time attackers stay hidden on a network is over 140 days.
  • Ransomware attacks have risen 250 percent this year (much higher than previous predictions), while global ransomware damages are predicted to exceed $5 billion.

It’s a good time to remind ourselves that we need to enhance our processes and procedures, dedicate more resources to protecting ourselves, and continuously invest the time in education and training.

To do all this, we need more cybersecurity expertise. A joint report from Cybersecurity Ventures and Herjavec Group reported that there will be 3.5 million unfilled cybersecurity jobs by 2021.

Thankfully, our local universities understand how scary a time it is and are working hard to fill the gap.

Fittingly, “Who you gonna call?” was the rhetorical question posed by keynote speaker, Mikko Hypponen, at Northern Kentucky University’s recent Cybersecurity Symposium.

Hypponen, chief research officer for F-Secure, is a world-renowned cybercrime expert who is also an avid collector of retro arcade and pinball games, one of which is Ghostbusters themed. It was the challenge to the audience of 400-plus technologists, business leaders and attorneys who are responsible for risk management and mitigation in their diverse organizations.

These technologists understand their businesses are dependent on secure data.

Therefore, secure data was the theme throughout the symposium’s six tracks which included legal issues in privacy and security, information security, governance and compliance, risk management, mobile and computer forensics, cyberops and emerging topics.

The need for secure data in every organization is driving the rising demand for cybersecurity professionals who can detect, prevent, mitigate and articulate threat information.

This is an important goal of NKU’s College of Informatics – to teach students to use a unified approach to tackle these realities more effectively.

Education and awareness are key to reducing cybersecurity risks, and the evolution of hands-on education recently took a major leap forward with the college’s innovative new Cyber Threat Intelligence Laboratory.

Primarily a 24-student learning studio for NKU students, the lab will also serve as a demonstration room for tours and field trips, a learning lab for corporate training classes, a practice space for the NKU Cyber Defense Team, and an inviting location for K12 cybersecurity camps.

According to Jill Henry, executive director of NKU’s Center for Applied Informatics, “We are proud to be leading the charge on several fronts: we cultivate students who are agile thinkers; we push the boundaries to create cutting-edge collaboration spaces; and we bring leaders together to engage in thought-provoking dialogue to navigate the ever-changing global landscape.”

As we look back on National Cyber Security Awareness Month, I hope you’ll not only take a little time to enhance your security, I also hope you’ll support universities like NKU that are committed to improving our data security.

Together, we can make things a little less scary.

Brent Cooper is president and CEO of the Northern Kentucky Chamber of Commerce.

Top 10 Technology Trends to Expect in 2018:

Link to Full Article by David Welden:

Artificial intelligence will continue to dominate technology investments in 2018, along with cloud computing, the Internet of Things and customer-focused applications.

In their new report, “The Top 10 Technology Trends to Watch: 2018 To 2020 – Ten Trends Will Help You Maximize the Value of Business Technology,” Forrester Research analysts Brian Hopkins, Bobby Cameron, Ted Schadler and Rusty Warner offer their picks on the technology and business trends that will most shape the IT landscape.

Trend No. 1: IoT Shifts Computing Toward the Edge

“The growth of IoT aspirations and technologies has led to a host of technology innovations in edge devices, such as gateway servers, microdata centers, cloudlets, fog fabric nodes, intelligent routers and device firmware,” the authors write. “Firms in the vanguard of this trend will engage customers more quickly and squeeze new efficiencies out of processes. Exploiting computing power on the edge will give them an actual edge. CIOs must understand the extension of compute to the edge to find opportunities for competitive advantage.”

Trend No. 2: Distributed Trust Systems Challenge Centralized Authorities

“Blockchain, cryptocurrencies and distributed ledgers have captivated and frightened businesses in finance, logistics, and transaction settlement,” according to the authors. “These are ‘distributed trust systems’ — a system of methods, technologies, and tools that support a distributed, tamper-evident and reliable way to ensure transaction integrity, irrefutability and nonrepudiation. The rampant enthusiasm of the press has created a lot of hype; so has venture capital investment in startups like Blockstream, Circle, Digital Asset Holdings, and Ripple. Finally, emerging technologies like Ethereum and Hyperledger, the rise of consortia like R3 CEV and B3i, and the launch of blockchain practices by consultancies like Accenture and IBM have muddied the waters. Despite all this hype and confusion, Forrester believes that distributed trust systems are still in the dawning phase with a slow, 10-year development cycle.”

Trend No. 3: Automated Security Intelligence and Breach Response Unshackle S&R

“The era of manual risk and security management is ending,” the authors say. “Having long shied away from automation, security and risk (S&R) pros are just starting to embrace it to speed detection and response. Automated remediation is likely to follow. Security teams struggle with investigating incidents and responding to threats quickly. Security automation and orchestration (SAO) promises to transform the S&R role, unshackling the chief information security officer’s team from repetitive, manual tasks and giving analysts more time for higher-value work.”

Trend No. 4: Employee Experience Redefines Apps

“Firms that focus on improving employee experience (EX) yield better customer experience (CX) outcomes and outperform their competition over time,” the authors explain. “Effective EX delivers a personalized set of interactions, processes, and content that enables employees to succeed while enjoying their work experience. In the digital age, the workforce expects a technology-driven employee experience that reflects the level of innovation found in their consumer experiences. Currently, however, few firms focus on EX, and global employee engagement levels haven’t improved in Gallup’s 17 years of keeping track. This trend is changing things, however, as firms discover that employees and firms benefit from enriched, seamless, contextual CX.”

Trend No. 5: Software Learns To Learn

“AI technologies like speech analytics, deep-learning platforms and natural language generation have exploded onto the scene in the past 12 months after being nascent for many years,” the authors say. “With improvements in AI, software systems that we used to have to program with rules are learning how to learn on their own. Firms will be able to automate and scale in a more efficient way because software will ultimately be able to learn and adapt rather than require programming. This is a profound change that CIOs must understand.”

Trend No. 6: Digital Employees Enter the White-Collar Workforce

“Automation will transform the workforce as technology advances result in humans increasingly working side by side with software robots in this awareness phase trend,” the authors say. “These robots don’t herald a gloomy future for jobs. As we showed in our report “The Future Of Jobs, 2027: Working Side By Side With Robots,” automation will replace some jobs and create others, with a net loss of 9.8 million US jobs by 2027 — while transforming at least 25 percent of the remaining jobs. Many enterprises, however, lack an integrated approach to mining the value of white-collar automation. Repeatable tasks that search, collate, update, access multiple systems, and make simple decisions provide today’s best targets for automation.”

Trend No. 7: Insights-Driven Firms Outpace Competitors

“The quest to use big data as a competitive asset has sparked a $27 billion industry; Hadoop and Spark initiated this, but it’s rapidly expanding into services and the cloud,” the authors confirm. “Amid the data gold rush, a new kind of firm — the insights-driven business — is slowly emerging that approaches data analytics differently. Instead of focusing on data, these firms emphasize implementing insights in software and continuously learning. CIOs must understand how this difference lets insights-driven businesses win customers and grow eight times faster than global GDP.”

Trend No. 8: Customer Experience Becomes Immersive

“The boundaries between the human, digital, physical and virtual realms are blurring as CX becomes more immersive,” according to the authors. “Customer-obsessed firms are integrating systems of insight and systems of engagement that interconnect people, places, and objects with data to improve CX and forge two-way, value-driven relationships. Customers are moving seamlessly across channels and embracing new interactive interfaces via mobile and other smart devices. This CX fusion promises competitive advantage for firms that get it right.”

Trend No. 9: Contextual Privacy Boosts Brand Value

“The seemingly never-ending news of data breaches and unauthorized uses of personally identifiable information leads to growing customer concerns about their privacy, making them hesitate to use digital tools from risky companies,” the authors say. “To drive competitive differentiation and business growth, firms must proactively address customer data management and security technologies that enable contextual privacy. But contextual privacy goes well beyond technology capabilities; it is a business practice in which the collection and use of personal data is consensual, within a mutually agreed-upon context, for a mutually agreed-upon purpose. Understanding that no firm owns consumer data and that we merely have the right to use it fuels data-centric security approaches.”

Trend No. 10: The Public Cloud Accelerates Business Innovation

“The public cloud is a juggernaut that is reinventing computing and the high-tech industry itself,” the authors conclude. “The relentless pace of technology and service innovation from mega-cloud providers like AWS, Google, Microsoft and Salesforce means that business innovation is just an API call away. We’ve reached the tipping point for public cloud: Most companies won’t be able to build out a data center to match cloud’s public capabilities or efficiency. Even 30-year IT veterans are increasingly willing to shutter their data centers. CIOs will be forced to move to the public cloud for most applications.”