Still On Windows XP? Time To Review Your Options

Christopher Sherman
Does your organization still have a significant number of endpoints running Windows XP? Don’t worry, you’re not alone: Forrester's Forrsights Hardware Survey, Q3 2013 shows that the average organization still has 20% of its employee endpoints running XP. Considering that most organizations spend 18 to 32 months migrating to a newer version of Windows, many will likely find themselves scrambling to batten down the hatches before Microsoft’s April 8, 2014 end-of-life deadline.
 
After this date, Microsoft will stop releasing security patches for the 13-year-old operating system, a terrifying situation for organizations still relying on XP. What can you do as an organization if you still have a substantial XP presence within your environment? You can:
 
  • Migrate to Windows 7 or 8 posthaste. Microsoft has come a long way in preventing certain classes of attacks, such as bootkit and rootkit attacks. In fact, Microsoft has told us that Windows XP is 21 times more likely to get infected with malware than Windows 8.1. To help our clients understand the pros and cons of Windows 8.1 security, I recently published a guide on this very topic.
  • Buy some extra time. For those that can afford it, Microsoft will offer “custom support” in the form of XP security patches past the April 8 deadline. I’ve spoken with a number of organizations that determined that it would be cheaper to pay this premium than to migrate away from XP. Of course, this is just prolonging the inevitable; custom support will not be available forever.

LG Is Learning An Embarrassing Privacy Lesson In The Age Of The Customer

Rick Holland

In a recent report titled “Technology Management In The Age Of The Customer,” Forrester defines the Age of the Customer as: "A 20-year business cycle in which the most successful enterprises will reinvent themselves to systematically understand and serve increasingly powerful customers."  In this Age of the Customer, empowered consumers using social media can have tremendous influence.  Technology gives the lone voice a platform to be heard across the Internet. Technology is the force multiplier for empowered consumers.  

Jason Huntley, a UK-based IT consultant, is a perfect example of one of these increasingly powerful customers. He posted a blog titled “LG Smart TVs logging USB filenames and viewing info to LG servers.” In it Jason detailed how his LG Smart TV was spying on him. The TV was not only reporting data about viewing habits, but was also uploading the filenames from the storage devices he attached to the TV. His viewing-habit data was collected despite the fact that he had opted out of the “Collection of watching info.” Jason wrote, “This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.” He had a false expectation of privacy. See below:


NFC Adoption Becomes Much Simpler: Google Opens Android 4.4 KitKat So That The NFC Can Be Provisioned By Anyone

Andras Cser

This is big: with Android 4.4 KitKat, Google opened the NFC chip to ordinary Android apps (host-based card emulation), so an app can emulate a contactless card itself instead of card emulation being limited to applets running on the phone's secure element.

What it means: any issuer, developer, third party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that presents card credentials over NFC and lets the user pay with them. Traditional trusted service managers (the companies authorized to provision the secure element on the phone, such as Gemalto, FirstData and CorTSM) may therefore face fierce competition from anyone who wishes to provision cards to a phone, and mobile network operators can now easily be cut out of the payment chain as well. The trade-off is that the credential is now handled by application code on the host OS rather than inside tamper-resistant hardware, so such wallets have to compensate with other controls, for example limited-use payment tokens and issuer-side risk checks.
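To make concrete what "access to the NFC chip" means for an app, here is an added example (written for this page, not Google's or any wallet vendor's code) of the command/response exchange a host-based card emulation service handles. On Android 4.4 the platform routes each command APDU from the reader to the app's HostApduService based on the application identifier (AID) in the reader's SELECT command, and sends back whatever bytes the app returns. The AID, the GET DATA stand-in for the post-SELECT traffic and the token string are assumptions; a real EMV contactless flow is considerably longer.

```python
"""ISO 7816-4 SELECT-by-AID exchange as a host-card-emulation app sees it.

Example constructed for this page. The AID, the simplified GET DATA step
and the token value are assumptions, not a real payment specification.
"""
from dataclasses import dataclass
from typing import Optional

SW_OK = b"\x90\x00"                # status word: success
SW_FILE_NOT_FOUND = b"\x6a\x82"    # selected AID is not ours
SW_INS_NOT_SUPPORTED = b"\x6d\x00" # instruction not supported / not selected yet
SW_WRONG_LENGTH = b"\x67\x00"      # malformed APDU

# Hypothetical AID the wallet app would register for routing (assumption).
WALLET_AID = bytes.fromhex("F0010203040506")


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes


def parse_apdu(raw: bytes) -> Optional[Apdu]:
    """Parse a short-form command APDU; return None if it is malformed."""
    if len(raw) < 4:
        return None
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:               # case 1: header only
        return Apdu(cla, ins, p1, p2, b"")
    if len(body) == 1:         # case 2: a lone Le byte, no command data
        return Apdu(cla, ins, p1, p2, b"")
    lc = body[0]               # case 3/4: Lc, data, optional Le
    data = body[1:1 + lc]
    if len(data) != lc:
        return None
    if len(body) - 1 - lc > 1: # at most one trailing Le byte is allowed
        return None
    return Apdu(cla, ins, p1, p2, data)


def build_select(aid: bytes) -> bytes:
    """Reader side: SELECT by DF name (CLA=00 INS=A4 P1=04 P2=00 Lc AID Le=00)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


class WalletEmulator:
    """Stand-in for HostApduService.processCommandApdu(): a state machine over APDUs."""

    def __init__(self, aid: bytes, pan_token: str):
        self.aid = aid
        self.pan_token = pan_token  # limited-use token; the real PAN never lives in the app
        self.selected = False

    def process_command_apdu(self, raw: bytes) -> bytes:
        apdu = parse_apdu(raw)
        if apdu is None:
            return SW_WRONG_LENGTH
        if apdu.ins == 0xA4 and apdu.p1 == 0x04:      # SELECT by name
            self.selected = apdu.data == self.aid
            return SW_OK if self.selected else SW_FILE_NOT_FOUND
        if not self.selected:
            return SW_INS_NOT_SUPPORTED               # nothing else until our AID is selected
        if apdu.ins == 0xCA:                          # GET DATA: simplified stand-in (assumption)
            return self.pan_token.encode() + SW_OK
        return SW_INS_NOT_SUPPORTED

    def on_deactivated(self) -> None:
        """Mirror of HostApduService.onDeactivated(): the field dropped, forget state."""
        self.selected = False
```

The point to notice is that everything after the SELECT is ordinary application code on the host OS: whatever the emulator returns is what the terminal receives, which is exactly why the credential it hands out should be a token rather than the card number.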

Kicking Off Forrester's "Targeted Attack Hierarchy Of Needs" Research

Rick Holland

I am about to kick off my next Forrester research on targeted attacks.  Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."

  • Vendors:  The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow-on Waves or Market Overviews in the future. 
  • Enterprises:  If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you.  If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know.  We are currently scheduling research interviews.  Research interviews are open to more than just Forrester clients.  If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion. 

If Everything Is Threat Intelligence, Then Nothing Is Threat Intelligence

Rick Holland

The hype surrounding threat intelligence has continued to build since I wrote the blog "My Threat Intel Can Beat Up Your Threat Intel” in mid-2012.  S&R pros are responding to both the hope and promise of threat intelligence. According to our Forrsights survey data, 75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization.   

One of the most significant challenges in leveraging threat intelligence is operationalizing it. Today, there are two broad categories of organizations that leverage threat intelligence, and an analogy describes them. The US television show “Sons of Anarchy” follows the lives of an outlaw motorcycle club. The Sons of Anarchy refer to themselves as “1%ers”: they have the power, resources, and means to accomplish anything they desire, in contrast with the 99% who are merely motorcycle enthusiasts without those capabilities. The 1%ers of threat intelligence are the early adopters with the staff, budget, and tooling to act on what they collect; they include financial services, technology, and manufacturing companies. 


Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.

Andras Cser

We regularly get the question: should we build our own web authentication and single sign-on solution?

Here's why you should not do it: the OWASP Top 10 for 2013 lists "Broken Authentication and Session Management" as item A2, the second most important risk to pay attention to when you design your web site. OWASP.org says:

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities."

Implementing your own session and key management, validation, update, periodic rollover, etc. mechanisms in a scalable and fault tolerant way is extremely difficult. We regularly get inquiries from clients who want to replace their own in-house built web single sign-on framework -- mostly because they have been hacked or it's too expensive to operate and update.

This is why we see open source and commercial Web Access Management packages and solutions as critically important to protecting your web assets. Since they are mostly mature technologies, they protect against not just authentication and session management problems but often against cross-site scripting and other older threats as well. If you use a newer product or a pure federation product, make sure that the vendor or supplier can answer your questions against the OWASP list.

Check out https://www.owasp.org/index.php/Top_10_2013-Top_10 for more details on the OWASP Top 10 for 2013.
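To show how much ground A2 actually covers, here is an added example (written for this page, not the code of any Web Access Management product) of the minimum a server-side session layer has to get right: unpredictable identifiers, a store that holds only a hash of the identifier, idle and absolute expiry, rotation at login against session fixation, and server-side logout. The weak_session_id function shows the kind of guessable identifier that gets in-house frameworks breached. Timeout values, function names and the in-memory store are assumptions.

```python
"""Session management as OWASP Top 10 2013 A2 describes it.

Example written for this page, not code from any Web Access Management
product. The in-memory store, timeout values and function names are
assumptions chosen for illustration.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity (assumed)


def weak_session_id(counter: int) -> str:
    """What in-house frameworks often ship: a sequential, guessable identifier.
    Anyone holding sess-00000041 can simply try sess-00000040."""
    return f"sess-{counter:08d}"


def _key(sid: str) -> str:
    # Store only a hash of the identifier, so a leaked session table
    # does not hand out usable cookies.
    return hashlib.sha256(sid.encode()).hexdigest()


class SessionStore:
    """Server-side store keyed by a hash of a random, high-entropy identifier."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        """Issue a fresh 256-bit random identifier bound to `user`."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[_key(sid)] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, pre_auth_sid: Optional[str], user: str) -> str:
        """Rotate the identifier when privilege changes, so an ID planted before
        authentication (session fixation) never becomes an authenticated one."""
        if pre_auth_sid is not None:
            self._sessions.pop(_key(pre_auth_sid), None)
        return self.create(user)

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, else None; expired entries are purged."""
        rec = self._sessions.get(_key(sid))
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[_key(sid)]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid: str) -> bool:
        """Server-side invalidation; clearing the browser cookie alone is not enough."""
        return self._sessions.pop(_key(sid), None) is not None
```

Even this toy omits what a production deployment needs on top: a shared, fault-tolerant backing store instead of a dictionary, cookie attributes (Secure, HttpOnly), binding to the authenticating channel, and audit logging, which is the operational burden the inquiries above are trying to shed.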


Forrester expects a wave of acquisitions of cloud IAM providers

Andras Cser

With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, covering not just access control but also provisioning, and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint), we are already seeing pure-play cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads over how to deal with the pressure. 

 

Forrester expects that we will see the following in the next 12-18 months:

1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco, etc.) that have not yet built a cloud IAM framework, or don't have on-premises IAM products they could turn into a cloud service, will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.

2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on-premises user directories (AD, LDAP, etc.) are starting to be used only for basic services, and there is a great need for cloud-based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration. SalesForce.com's OEM agreement with ForgeRock to create SalesForce Identity Connect is the first step in this direction. Identity bridges or connectors, which connect on-premises user stores to the cloud provider’s user store, will play a critical role and be the hardest first step in this transition.  


Kicking off the Forrester Web Content Security Wave

Rick Holland

We are about to kick off our next Forrester Wave on web content security. The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?

  • Vendors:  If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey.  We will be limiting the number of vendors participating in this evaluation. 
  • Enterprises:  If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you.  We plan to leverage your feedback for evaluation criteria as well as score weighting.  

Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating.   We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.) 

Insights From McAfee Focus

Stephanie Balaouras

Last week, I and several analysts from Forrester’s Security & Risk team, including Chris McClean, John Kindervag, Tyler Shields, Heidi Shey, and Chris Sherman, attended McAfee’s annual Focus conference in Las Vegas.

I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever-present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. Overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps: while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:


Technology Use By MSSPs - Check Out Our Survey

Edward Ferrara

Technology is essential in any managed security operations center, and it has come a long way toward creating an active defense of the enterprise. Vendors offer solutions for log management, web application defense, firewalls, security incident and event correlation, and many other functions. To understand the size of the security technology market, Forrester and the MSP Alliance are partnering in a survey of the managed security functions MSSPs offer and the technology they use to deliver their services. If you are an MSSP or an end user of these technologies, you can complete this survey at:

FORRESTER - MSP ALLIANCE SURVEY

By completing the survey you are automatically entered into a contest to win an iPad mini, and you will receive a complimentary copy of the resulting research paper.