Your customers are consumers too. They don’t turn into business bots when they set foot in the enterprise. Whether your organization sells a product or a service to enterprises or consumers, you’re interfacing with consumers who have opinions about security and privacy. S&R pros, you already know that you have to be on top of things like regulatory compliance (Hello HIPAA! Hi EU Data Protection Directive!) when creating policies and implementing controls. But what about consumer perceptions and behavior? Consider that*:
49% of US online consumers are concerned about security and privacy when purchasing products online
44% of EU online consumers say the same about sharing personal information to access a website
39% of US online consumers express security and privacy concerns over sharing personal information to participate on a website (e.g, discussion boards, writing reviews)
20% of EU online consumers are concerned about their security and privacy when downloading apps to their mobile phone
This Forrester-moderated panel of top security executives from Allergan, Zappos and Humana will discuss the impact of scale in solving Big Security challenges. Issues from the importance of scale in detecting advanced threats to benefits to the average user will be debated. Drawing on their experiences, these experts will share their views on why scale matters in the era of big data.
David Hannigan, Zappos, Information Security Officer
Stephen Moloney, Humana Inc., Manager, Enterprise Information Security
Jerry Sto. Tomas, Allergan, Inc., Director, IS Global Information Security
Predicting what malware will look like five years from now requires more than a crystal ball. In order to fully understand future threats and challenges, you need a finger on the broader pulse of technological innovation. Our panel of esteemed experts will attempt to guide a better understanding of where we may need to target our defensive efforts in the coming months and years.
You are now no doubt aware that Boston-based security firm Bit9 suffered an alarming compromise, which resulted in attackers gaining access to code-signing certificates that were then used to sign malicious software. See Brian Kreb’s article for more details. (Symantec breathes a quiet sigh of relief to see a different security vendor in the headlines.)
The embarrassing breach comes at a time when the company has been seen as one of the security vendor landscape’s rising stars. Bit9 has actually been around for more than a decade, but the rise of targeted attacks and advanced malware has resulted in significant interest in Bit9’s technology. In late July, Bit9 secured $34.5 million in funding from Sequoia Capital. Bit9’s future was bright.
On Friday afternoon, Bit9 CEO Patrick Morley published a blog providing some initial details on the breach. A few of his comments stood out: “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network … We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9."
We will be conducting research to look into how big data can be used for better fraud management. We define big data as data of Volume, Velocity and Variety. Our premise is that more and more granular data from more sources allows banks, insurers, government agencies, e-Retailers to cut fraud losses more aggressively.We are interested in your thoughts around this topic.
Undoubtedly, most of you will have seen the amazing story about the developer who secretly outsourced his own role to China, investing 20% of his annual salary to free up almost all his work time. The ruse came to light when the firm, who were pushing forward with a more flexible working package, noticed anomalous VPN activity and called in their telecom provider to investigate. The logs indicated that their lead programmer, "Bob," was apparently regularly telecommuting from Shenyang despite being peacefully sat at his desk surfing the Internet for amusing cat videos.
It transpires that "Bob" had FedExed his SecurID token to China and was allowing the remote development company VPN access to his employer's network so that they could do his day job for him.
Irrespective of the terrible security implications here, and they are pretty horrid, "Bob" was delivering high-quality code to schedule. In fact, his performance review regularly identified him as the best developer they had! And what "Bob" did here was not difficult – many sites offer the services of dedicated professionals such as developers, designers, proofreaders, even lawyers, for a small price.
In a business environment where we encourage flexible working, allow personal devices, and seek to incentivize workers for innovation, excellence, and performance, "Bob" could be held up as a role model, but at what cost to the enterprise?
As 2012 came to a close, we studied the financial position of many CISOs and asked about their expectations for 2013. Unsurprisingly, it was apparent that 2012 was another difficult year and that CISOs had been keeping their belts tight once again. When compared with the other IT departments, however, it became clear that this budgetary flat-line actually represented quite a success, as 2012 had seen most other teams face further cutbacks and spending restrictions.
When we looked ahead to 2013, we saw the usual hopeful optimism from the CISOs – proving once again that any allegation of a correlation between ‘pessimists’ and ‘security professionals’ is complete nonsense. It was interesting, however, to note a marked difference in attitudes dependent upon which side of the Atlantic the respondent was located. Put simply, North American based CISOs had a much more buoyant view of security related finances in 2013 than their European peers.
Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:
1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count.
Types of data lost/compromised
Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents may not always be publicly reported, assuming that organizations are even aware that it has occurred or is happening. IP is a valuable asset, and must be protected.
Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.
It has finally become hip not just to predict the demise of passwords, but to call for their elimination. The recent Wired article makes an eloquent case about the vulnerabilities that even "strong" passwords are subject to, such as social engineering and outright theft. And strength is, of course, relative and subject to degradation: The latest computer hardware can make short work of cracking more-complex secrets.
It's true: Static shared secrets are sitting ducks. But passwords are too useful to go away entirely, both because it's handy to be able to synchronize authenticator data between cooperating systems (and people), and because people find using passwords to be less invasive, fiddly, or personally identifying than a lot of other options. So I don't buy the whole "the era of passwords is over" thing. They will be at least one important element of authentication strategies for the foreseeable future -- it's a rare multi-factor authentication strategy that doesn't include a password or PIN somewhere along the line as one of the "things you know."
So, if that's our reality, let's think outside the box in using them. In talking with Mike Gualtieri recently as part of his TechnoPolitics podcast series, I mentioned a few ideas. I had thought of these as pet password peeves, but on the cusp of 2013, why not be positive and think of them as resolutions?
One of the really cool things about this analyst gig is that we get to field client inquiry calls – 30 minutes where we hop onto the phone to speak with our clients and answer their questions about the topics that we cover. As of the week before Christmas, analysts on the security and risk team have jumped onto over 300 inquiries so far this quarter when not on a plane or on site with a client (and this is a slow quarter given all the holidays!). Vendors are one topic that we discuss quite a bit with S&R pros because, let’s face it, there’s are vendors that are really good at marketing and there are also vendors that just haven’t shown up on your radar.
Research report ideas are often born from inquiries as we notice trends in the types of questions that are asked. As we continue to hammer out research agendas for 2013, we’re thinking of adding a new stream of research for our security playbooks: Vendors You Should Know. It would not be the same as a Forrester Wave which compares established vendors, but rather a report which highlights smaller, emerging vendors that are disrupting the existing market with a unique, innovative technology or service to solve a client’s painful challenge or perhaps alter current approaches to information security. It’s a report to recognize emerging vendors who raise the bar, but may not necessarily raise the most buzz. These would be living research documents that are updated periodically as market events and technological developments warrant changes.
S&R pros, does this type of research appeal to you? Which areas would you like for us to identify vendors you should know? What business and security challenges are you grappling with where you would like to see us profile emerging vendors that could help?
When you fly nearly every week, you can get pretty bored on a plane. When I am sick of working, playing games, or watching movies, my latest distraction is checking out laptop screens. Sometimes I'm curious what movie you are watching but other times I am interested in what type of confidential company information you are displaying for the world to see. In the past few weeks I have seen the following types of information on my fellow flyer's screens:
End of year/end of quarter sales numbers
Disciplinary emails regarding employee peformance
Pre launch marketing information (which I presumed to be under embargo)
Competitive displacement information
Most of the time I suggest that my fellow traveler invest in a privacy screen, and most of the time they are receptive to the suggestion. It really is astounding how many people don't spend the approximate $30 on one. If your company doesn't issue them, I suggest you work to change that stance. World readable aren't the permissions you want on your laptop screen, time for chmod (UNIX joke).