Samsung keyboard bug highlights vulnerability of passwords

Andras Cser

Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on this topic. Stay tuned.

The FCC is the Most Powerful Privacy Regulator in the Land...What Will Happen Next?

Renee Murphy

Since the bulk collection of telephone metadata began, the NSA has been keeping those records in a vast database and maintaining and querying that data for 5 years before being required to purge it. Now that the data will be back in the hands of the telecom companies, the Federal Communications Commission’s regulations will determine the retention of the metadata.

Prior to the 1980's, the FCC retention schedule was 6 months, but in the 1980’s, during the war on drugs, the Department of Justice asked the FCC to change that requirement to 18 months to make it easier to get RICO convictions for the drug cartels and the FCC complied. Since then, telephone data has been used to convict many organized crime syndicates with great success. Now that the NSA is also an agency that would like access to the same data that they FBI has been using since the 1970’s, will they ask the FCC to maintain the data for five yeas as they had been?

Read more

Market Overview: Cloud Workload Security Management Solutions — Automate Or Die

Andras Cser

Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option.

However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? Because S&R must ensure that installation and setup bootstraps with the right security and network configuration. They must control access to workloads as well as management consoles, file and configuration integrity, intrusion and endpoint protection. Manual management is simply not an option, you either automate security hardening for a large number of workloads or "die", i.e. fall victim to a breach.

Enter a new class of solution to offer a solution to this problem: Cloud Workload Security Management Solutions. These offerins  typically install a small agent on endpoints, connect these agents to a central service (available as SaaS or on-premises product) then offer centralized management of all the above cloud workload security aspects.

Our CWS market overview looks at and compares the features and company profiles of the most important vendors in this space.

https://www.forrester.com/Market+Overview+Cloud+Workload+Security+Management+Solutions+Automate+Or+Die/fulltext/-/E-RES121266

Forrester’s Security & Risk Analyst Spotlight – Andras Cser

Stephanie Balaouras

Last week, we learned that cybercriminals undermined the identity verification of the IRS’ Get Transcript app and gained access to the tax returns on 104,000 US citizens, so it’s only fitting in this analyst spotlight, we interview one of the team’s leading analysts for identity and access management (IAM), VP and Principal Analyst, Andras Cser. Andras consistently produces some of the most widely read research not just for our team but across all of Forrester. And clients seek his insight across a number of coverage areas beyond IAM, including cloud security, enterprise fraud management, and secure payments. As the tallest member of our S&R team at 6’5”, Andras also provides guidance to clients on the emerging fields of height intel and altitude management.

Read more

Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)

Rick Holland

For years cybersecurity professionals have struggled to adequately track their detection and response capabilities. We use Mean Time to Detection/Containment/Recovery. I wanted to introduce an additional way to track your ability to detect and respond to "sophisticated" adversaries: Mean Time Before CEO Apologizes (MTBCA). Tripwire’s Tim Erlin had another amusing metric: Mean Time To Free Credit Monitoring (MTTFCM).

Here are some examples (there are countless others) that illustrate the pain associated with MTBCA:

1) CareFirst breach announced 20 May 2015

2) Premera breach announced 17 March 2015

Your CEO doesn't want to have to deliver a somber apology to your customers, just like you don't want to have to inform senior management that a "sophisticated attack" was used to compromise your environment. Some of these attacks may have very well been sophisticated but I'm always skeptical. In many cases I think sophisticated is used to deflect responsibility. For more on that check out, "The Millennium Falcon And Breach Responsibility."  

Read more

Forrester’s Security & Risk Research Spotlight – The IAM Playbook For 2015

Stephanie Balaouras

Once a month I use my blog to highlight some of S&R’s most recent and trending research. When I first became research director of the S&R team more than five years ago, I was amazed to discover that 30% to 35% of the thousands of client questions the team fielded each year were related to IAM. And it’s still true today. Even though no individual technology within IAM has reached the dizzying heights of other buzz inducing trends (e.g. DLP circa 2010 and actionable threat intelligence circa 2014), IAM has remained a consistent problem/opportunity within security. Why? I think it’s because:
 

Read more

Are Passwords Dead? Take the Forrester Password Usage & Trends Survey!

Merritt Maxim

To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology.

My colleague Andras Cser and I have been fielding so many client inquiries around passwords that we are undertaking a quantitative, anonymous survey from end user organizations to gauge their current password policies and usage. This online survey asks about your organization’s current password policies and challenge as well as the future role of passwords in your organization. We also are using the survey to gain perspectives on the future of passwords and how other technologies might replace passwords completely.

The survey is completely confidential, but participants who provide contact details will receive a complimentary copy of the report when it’s published later this year.

You can access the survey here:

http://forr.com/PWTrends2015

We look forward to your responses!

Forrester’s Security & Risk Analyst Spotlight – Martin Whitworth

Stephanie Balaouras
Once a month, my co-research director and partner in crime, Chris McClean, and I will use our blog to highlight one of the 26 people who collaborate to deliver our team’s research and services and always make Chris and I look really, really good. Each “Analyst Spotlight” includes an informational podcast and an offbeat interview with the analyst. This month’s Analyst Spotlight features our newest analyst, Martin Whitworth. Based in London and bringing experience as a CISO and Head of Security across several industries, Martin will cover the most pressing issues keeping CISOs reaching for another bourbon on the rocks, including security strategy, maturity, skills and staffing, business alignment, and everyone’s favorite pastime, reporting to the board. 
 
Martin Whitworth Image Prior to joining Forrester, Martin served as CISO and senior security leader for a number of blue chip organizations, including Coventry Building Society, Steria Group, UK Payments Council, British Energy/EDF Nuclear Generation, and GMAC. In these roles, he developed and executed a variety of security strategies and programs, and he has extensive experience successfully engaging business and board-level stakeholders. He also has considerable experience as a trusted advisor to security leader peers in the public and private sectors internationally, as well as advising standards and regulatory bodies.
 
Read more

Do You Have An Effective Privacy Organization?

Heidi Shey

A guest post from researcher Enza Iannopollo.

Upcoming changes to privacy regulation in the EU as well as rising business awareness that effective data privacy means competitive differentiation in the market makes privacy a business priority today. And this is not only relevant for tech giants: protecting both customer and employee privacy is a business priority for companies of all sizes and across industries.

But where do you start? Many companies start by hiring a chief privacy officer. Some have built brand-new privacy teams that manage privacy for the whole firm, while others prefer a decentralized model where responsibilities are shared across teams. What are the pros and cons of each approach? Which organizational structure would better meet the needs of your firm?

And when your privacy organization is in place, how do you establish smooth collaboration with other teams like marketing and digital, for example? Too often we hear that privacy teams do not have the visibility that they need into the data-driven initiatives happening within the company. When this happens, privacy organizations are less effective and the business risks failing its customers, undermining their expectation for privacy.

Read more

What A Teenaged Driver Can Teach You About Access Governance

Merritt Maxim

Most parents cheerfully mark the key milestones in their child’s path to adulthood: first step,first word, first school, first sleepover, first broken bone, and so on. But for many parents, no milestone causes as much anxiety as “first-time driver,” which is bestowed on all USA-based teenagers upon their16th birthday.

While surviving the experience of having our child become a driver may seem far removed from the world of access governance and entitlement certification, I found some parallels between managing a teenaged driver and managing the access rights and IT privileges of the end users in your organization. You can read more about it in my latest report, “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen,” but here is a quick preview.

A common problem facing parents of teenaged drivers and IT organizations is that they have properly authorized users but often lack visibility into actual usage of those access rights. In the case of the teenaged drivers, parents often seek data around vehicle usage (Where did it go? At what time and at what speed?). For IT security professionals, organizations can no longer rely purely on static lists of authorized users and their access rights. So, just the way parents can impose mileage restrictions (reading the odometer to limit the distance a car can go in a given night) or fuel restrictions, an IT security team cansupplement access governance processes with additional usage data such as:

1.       Has the employee accessed the application/system during the last certification period?

2.       How often did the employee use the given entitlement?

Read more