Counter-Strike?

Rick Holland

On Monday the Wall Street Journal ran a story on hacking back titled “Support Grows to Let Cybertheft Victims Hack Back.” The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse; I thought debating this was so 2012. Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.

The article explains, “… companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.” I hate to be the bearer of bad news, but for most organizations, once the data has left your environment the chances of retrieving it are very slim. Your data has left the building and it isn’t going to “re-spawn.” If you couldn’t prevent exfiltration of this data in the first place, what would make you think that you could prevent its subsequent exploitation?

As I said back in January in my “Five Steps To Build An Effective Threat Intelligence Capability” report, “If you have a mature security program, you can consider counterintelligence operations, but leave the hacking back to governments and militaries.” 

There are many suggested strategies for dealing with the threat landscape. Hacking back should not be one. 

Read more

Deloitte Acquires Vigilant - Harbinger of a Push By Consultancies Into The MSSP World

Edward Ferrara

This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants who specialize in information security, Deloitte is the largest and broadest security consultancy globally. Deloitte provides customized security solutions across a broad range of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy and pharmaceuticals. The company's offerings include:

  • Application security — secure coding practices, code review
  • Business continuity/disaster recovery planning
  • Consumerization — iOS, Android, Endpoint Security
  • Regulatory compliance certification, assessment, and audit services (excluding penetration and vulnerability testing)
  • Information security certification, compliance assessment, and audit services (excludes vulnerability and penetration testing; includes SOC 2 and ISO 27001 certification)
  • Data loss prevention
  • Fraud investigation
  • Governance — strategy, design, and implementation
  • Identity and access management
  • Computer emergency response team (CERT) services
  • Information security architecture — strategy, design, and implementation
  • Network security — strategy, design, and implementation
  • Penetration testing (includes cloud, infrastructure, mobile, SCADA, social engineering, and/or wireless)
  • Physical security — strategy, design, and implementation
  • Privacy — strategy, design, and implementation
  • Risk identification and management
  • Security awareness — strategy, design, and implementation
  • Security organization management — strategy, design, and implementation
Read more

Want to win an iPad and get hardcore data on access recertification? Take the UBC-Forrester Access Recertification survey!

Andras Cser

Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?

Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of the survey results.

Here's what we offer for your participation:

Read more

Cloud Security - Expect Accelerated Deployments Due To Strong Moves By Providers To Improve Security

Edward Ferrara

Forrester research has consistently identified security as a major impediment to broad-scale cloud adoption: regardless of the model (SaaS, PaaS or IaaS), the adoption rate has been slowed by security concerns. Cloud providers recognize that this is an impediment to selling cloud services, and in response they are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2,000 security decision-makers on a variety of security issues and topics, and cloud security tops the list of concerns regarding cloud deployments.

The appetite on the buy side for secure cloud infrastructure is very real. Our research shows strong interest in deploying private cloud platforms because of their elasticity, reduced cost, and the shorter cycle times required to deploy solutions in these environments.

This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements. 

Obtaining this authorization at the FISMA Moderate impact level indicates AWS’ focus on providing strong security controls for its cloud offerings. Forrester assumes AWS commercial clients could benefit from this as well, as the security processes built for FedRAMP propagate to other areas of AWS’ cloud business.

Read more

XACML is dead

Andras Cser

Conversations with vendors and IT end users at Forrester's Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead, or will be transformed into a different kind of access control product. Consider Quest APS, a legacy entitlement management platform based on BiTKOO, which Dell will probably morph into a web SSO platform.

Here are the reasons why we predict XACML is dead:

Lack of broad adoption. The standard is still not widely adopted among large enterprises, many of which have written their own authorization engines.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise, where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage.

The PDP does a lot of complex things that it does not inform the PEP about. If the application receives a 'no, you can't do that' decision from the PEP, you'd want to know why. Our customers tell us that this can prove very difficult: the PEP may not be able to find out from the complex PDP evaluation process why an authorization was denied.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEP in a cloud environment where there is only a WAN link between the PDP and the PEP is not an option.
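The "opaque Deny" problem in the third point is easiest to see with a toy policy decision point. The block below is an added illustration written for this post, not code from any XACML product or from Forrester: the policy is a Python list rather than XACML XML, only the deny-overrides combining algorithm is modelled, and the rule names, attributes and limits are made up. One caveat worth knowing: XACML 3.0 does define Advice and Obligation elements that a policy author can attach to a decision, but nothing forces them to be emitted, and a PEP that receives a bare decision has no way to reconstruct which rule fired.

```python
"""Toy XACML-style PDP and PEP (added example, not a real XACML engine).
Policy is a Python list instead of XML; only deny-overrides is implemented;
Advice is simplified to a string.  Rule names and limits are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]   # flattened attributes: subject, action, resource, environment


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    target: Callable[[Request], bool]    # applies-to test; real XACML uses Match/AnyOf/AllOf
    advice: Optional[str] = None         # simplified XACML 3.0 <AdviceExpression>


@dataclass
class Response:
    decision: str                        # Permit | Deny | NotApplicable
    advice: List[str] = field(default_factory=list)


# Hypothetical policy for a banking back office (constructed for the example).
POLICY = [
    Rule("permit-clerk-read", "Permit",
         lambda r: r["role"] == "clerk" and r["action"] == "read"),
    Rule("permit-clerk-transfer", "Permit",
         lambda r: r["role"] == "clerk" and r["action"] == "transfer"),
    Rule("deny-over-limit", "Deny",
         lambda r: r["action"] == "transfer" and r["amount"] > 10_000,
         advice="amount exceeds the clerk transfer limit of 10000"),
    Rule("deny-after-hours", "Deny",
         lambda r: not (8 <= r["hour"] < 18),
         advice="request made outside business hours (08:00-18:00)"),
]


def pdp_evaluate(policy: List[Rule], request: Request, emit_advice: bool) -> Response:
    """Deny-overrides: any applicable Deny wins; else Permit if any rule permits;
    else NotApplicable.  Advice comes only from the rules that decided the outcome,
    and only if the policy author chose to emit it: a bare decision is the default."""
    applicable = [r for r in policy if r.target(request)]
    if not applicable:
        return Response("NotApplicable")
    denies = [r for r in applicable if r.effect == "Deny"]
    decisive = denies if denies else applicable
    decision = "Deny" if denies else "Permit"
    advice = [r.advice for r in decisive if r.advice] if emit_advice else []
    return Response(decision, advice)


def pep_enforce(response: Response) -> str:
    """What the application (PEP) can tell the user.  Without Advice it knows only
    that access was denied, not which rule denied it."""
    if response.decision == "Permit":
        return "allowed"
    if not response.advice:
        return "denied (no reason available from PDP)"
    return "denied: " + "; ".join(response.advice)


def demo() -> Dict[str, str]:
    late_big_transfer = {"role": "clerk", "action": "transfer", "amount": 25_000, "hour": 22}
    daytime_read = {"role": "clerk", "action": "read", "amount": 0, "hour": 10}
    return {
        "opaque": pep_enforce(pdp_evaluate(POLICY, late_big_transfer, emit_advice=False)),
        "with_advice": pep_enforce(pdp_evaluate(POLICY, late_big_transfer, emit_advice=True)),
        "read": pep_enforce(pdp_evaluate(POLICY, daytime_read, emit_advice=True)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

Run it and the same request produces "denied (no reason available from PDP)" or "denied: amount exceeds the clerk transfer limit of 10000; request made outside business hours (08:00-18:00)" depending solely on whether the policy author wired Advice into the deny rules. In a real deployment the PEP also has to cope with the fourth XACML decision, Indeterminate, which the toy above does not model.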

Read more

Forrester’s 2013 Update To The Data Privacy Heat Map Shows Increasing Global Momentum Towards Data Protection Standards

Christopher Sherman

As data flows between countries with disparate data protection laws, firms need to ensure the safety of their customer and employee data through regulatory compliance and due diligence. However, multinational organizations often find global data privacy laws exceedingly challenging. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map. Originally published in 2010, the tool leverages in-depth analyses of the privacy-related laws and cultures of 54 countries around the world, helping our clients better strategize their own global privacy and data protection approaches.

Regulation in the data privacy arena is far from static. In the year since we last updated the heat map, we have seen many changes to how countries around the world view and enforce data privacy. Forrester has tracked and rated each of these 54 countries across seven different metrics directly within the tool. Among them, seven countries had their ratings change over the past year. Some of the most significant changes corporations are concerned with involve:

  • New national omnibus data privacy laws spanning private and/or public industry. Data privacy regulation, when looked at globally, forms a spectrum of maturity, beginning with spotty industry- or situation-specific laws and ending with omnibus frameworks. As you might expect, responsible corporations prefer to do business where the data privacy laws are clearly defined and transparent. For instance, countries such as Brazil and China are in the process of moving towards potential omnibus laws that would replace a multitude of sectoral and situation-based laws. Other countries, such as Colombia and Singapore, have recently passed far-reaching omnibus laws, also replacing a patchwork of prior sectoral laws.
Read more

Adding social network, geolocation, IAM logs, text analytics and link analytics Big Data to the arsenal of Fraud Management

Andras Cser

A common theme during this week's SAS and FICO user conferences was how to use Big Data to make fraud decisions faster, more accurately and without impacting the customers in any negative way.

Big Data is basically about the 3Vs: Volume, Velocity and Variety of data, used to gain veracity and value in fraud management. Volume and Velocity are nothing new: fraud management products have long been capable of analyzing terabytes of data across billions of transactions, in real time.

What's really new for Fraud Management about Big Data is Variety: using all types of new information to make better decisions with lower false positive rates. The new data sources that are increasingly used in Fraud Management are:

  • Social network data. Has this user been writing about committing fraud on Facebook? After seeing how dumb some criminals can be, this data source is pretty important.
  • Geolocation of mobile devices. The fraud management system should be able to tell whether the user's phone was in the same location as the ATM at the time his or her card was used to empty the account.
  • Identity and access management system logs. The fraud management system should warn ahead of time if the authentication system in front of the customer-facing application sees evidence of the user logging in from a risky geography or from a new device before the user emptied the account online by making unauthorized transfers to a mule account.
  • Textual and unstructured data. The fraud management system should warn ahead of time if, for example, a medical provider or insurance adjuster always uses the same combination of terms such as "suture removal" or "rear hit accident" in suspicious contexts, or simply in an excessively repetitive way.
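The IAM-log bullet describes a correlation that is simple to implement once the authentication events and the transaction feed share a user identifier and a timestamp. The block below is an added example written for this post, not a fraud product's code: the JSON log format, the customers, devices, countries, amounts and thresholds are all constructed for the illustration. It looks back from each transfer to the authentication events of the same user in the preceding hour and raises an alert if the session began on an unenrolled device, from a country the customer does not normally use, or with MFA failures.

```python
"""Correlate IAM authentication logs with a transaction feed (added example,
constructed data; field names and thresholds are assumptions)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed IAM log: one JSON object per line, as an IdP or SIEM might export it.
IAM_LOG = """\
{"ts": "2013-05-06T09:02:11Z", "user": "alice", "event": "login",      "device_id": "dev-A1", "country": "US"}
{"ts": "2013-05-06T09:40:55Z", "user": "bob",   "event": "login",      "device_id": "dev-B9", "country": "DE"}
{"ts": "2013-05-06T09:41:02Z", "user": "bob",   "event": "mfa_failed", "device_id": "dev-B9", "country": "DE"}
{"ts": "2013-05-06T10:15:00Z", "user": "carol", "event": "login",      "device_id": "dev-C1", "country": "US"}
"""

# Constructed customer profiles: devices previously enrolled and the usual country.
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}, "carol": {"dev-C1", "dev-C2"}}
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}

# Constructed transaction feed (outgoing transfers, amounts in account currency).
TRANSACTIONS = [
    {"ts": "2013-05-06T09:10:00Z", "user": "alice", "amount": 250.0,  "payee": "landlord-llc"},
    {"ts": "2013-05-06T09:47:30Z", "user": "bob",   "amount": 9800.0, "payee": "acct-7781"},
    {"ts": "2013-05-06T10:20:00Z", "user": "carol", "amount": 4000.0, "payee": "acct-3311"},
    {"ts": "2013-05-06T14:00:00Z", "user": "carol", "amount": 100.0,  "payee": "utility-co"},
]

LOOKBACK = timedelta(minutes=60)   # window in which the session preceding a transfer is sought
HIGH_AMOUNT = 5000.0               # illustrative threshold


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_iam_log(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped, timestamps parsed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def login_risk_reasons(tx: dict, events: List[dict]) -> List[str]:
    """Reasons a transfer looks risky given the user's IAM events in the lookback
    window before it.  An empty list means nothing suspicious was seen."""
    tx_ts = parse_ts(tx["ts"])
    user = tx["user"]
    window = [e for e in events
              if e["user"] == user and tx_ts - LOOKBACK <= e["ts"] <= tx_ts]
    reasons = set()
    for e in window:
        if e["event"] == "login":
            if e["device_id"] not in KNOWN_DEVICES.get(user, set()):
                reasons.add("NEW_DEVICE")
            if e["country"] != HOME_COUNTRY.get(user):
                reasons.add("UNFAMILIAR_GEOGRAPHY")
        elif e["event"] == "mfa_failed":
            reasons.add("MFA_FAILURE_IN_SESSION")
    if tx["amount"] >= HIGH_AMOUNT:
        reasons.add("HIGH_AMOUNT")
    return sorted(reasons)


def flag_transactions(transactions: List[dict], log_text: str) -> List[Dict[str, object]]:
    """Return one alert per transfer that has at least one risk reason."""
    events = parse_iam_log(log_text)
    alerts = []
    for tx in transactions:
        reasons = login_risk_reasons(tx, events)
        if reasons:
            alerts.append({"user": tx["user"], "ts": tx["ts"],
                           "amount": tx["amount"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_transactions(TRANSACTIONS, IAM_LOG):
        print(alert)
```

On the constructed data only bob's 9,800 transfer is flagged, with four reasons; alice's and carol's transfers pass because their sessions came from enrolled devices in their usual country. In production the lookback window and the "home country" would come from per-customer history rather than constants, and the alert would be fed to the fraud engine as an extra feature rather than acted on alone.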
Read more

AP’s Twitter Hack: This Isn’t About Twitter’s Security Protocols, It’s About Yours

Nick Hayes

Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other, and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false tweets from AP’s hacked Twitter account that indicated President Obama had been injured by explosions at the White House.

This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.

As social media becomes a legitimate source of news and information, the implications of inaccurate or inappropriate posts continue to grow. Damaging or disparaging comments on Twitter (whether intended or not) can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:

Read more

Why the Samsung Galaxy S4 Is Important for Fraud Management Professionals To Watch

Andras Cser

Well, we just saw Samsung launch its latest ubergizmo with tons of interesting features, like pausing video playback by tracking your eyes. There is, however, an important hardware feature of the Samsung Galaxy S4 to note here: finally, a Near Field Communication (NFC) chip is embedded in the device (something Apple left out of the iPhone 5), making it useful for mobile payments, building access control, and lots of other security uses. Issuers, payment service providers and trusted service managers have long dreamed of mobile phones with NFC chips: not having to send out plastic credit cards with EMV chips (or magstripes in the US), but being able to personalize the credit card right on the phone, reduces card management costs and improves end user satisfaction. There is nothing new here. But here's where NFC in a mainstream mobile phone can revolutionize fraud management:

1) GPS verification. If you make a card-present transaction by tapping your phone's NFC credit card on a PayPass or other proximity card reader, the payment authorization platform knows where the terminal is from the acquirer and, if the wallet application on the phone reports its GPS position, can check that the two agree, correlate the location with the riskiness of the country, and use it to build a risk score. Note that the NFC tap itself carries only the card credential; the phone's location has to come from the wallet application over a separate channel.

2) More factors and better capabilities for payment authentication. Instead of, or in addition to, asking for a PIN code at the terminal, the payment processor can contact your registered phone and, based on risk, ask for a PIN code or a secondary authentication such as facial recognition or retina or vein biometrics to authorize a higher-value transaction.

3) Linking the NFC chip to an eWallet. This will be easier than ever before: if the NFC chip is initialized as a credit card, the eWallet application can detect its presence and perhaps even use it in a card-present transaction.
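Points 1 and 2 together describe a risk-based authorization step: compare the terminal's location with the phone's, then pick the step-up factor from the distance and the amount. The block below is an added example written for this post, not Samsung's, a payment network's or any issuer's code. The terminal and phone coordinates, the timestamps, the distance and amount thresholds and the step-up factor names are all constructed assumptions; it also treats a missing or stale GPS fix as a reason to step up rather than to decline, and a large mismatch as a reason to decline. A caveat the code cannot fix: a GPS position reported by an app on a rooted or emulated phone can be spoofed, so the location check should be one feature in a risk score, not the sole gate.

```python
"""Location consistency and risk-based step-up for an NFC tap (added example;
coordinates, thresholds and factor names are assumptions)."""
import math
from datetime import datetime, timedelta, timezone
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_DISTANCE_KM = 2.0               # phone and terminal must be within this distance
MAX_FIX_AGE = timedelta(minutes=5)  # older GPS fixes are treated as unavailable
PIN_OVER = 200.0                    # amounts above this need a PIN on the phone
BIOMETRIC_OVER = 1000.0             # amounts above this need a biometric factor


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def authorize(tx: dict, phone_fix: Optional[dict]) -> dict:
    """tx: {"amount", "ts", "terminal_lat", "terminal_lon"} as the acquirer reports it.
    phone_fix: {"lat", "lon", "ts"} from the wallet app, or None if nothing arrived.
    Returns the decision plus the step-up factor to request, if any."""
    fix_usable = phone_fix is not None and tx["ts"] - phone_fix["ts"] <= MAX_FIX_AGE
    if not fix_usable:
        # No trustworthy location: do not decline, but never approve silently either.
        return {"decision": "step_up", "factor": "pin", "reason": "no recent device location"}
    d = haversine_km(phone_fix["lat"], phone_fix["lon"], tx["terminal_lat"], tx["terminal_lon"])
    if d > MAX_DISTANCE_KM:
        return {"decision": "decline", "factor": None,
                "reason": f"phone is {d:.0f} km from terminal"}
    if tx["amount"] > BIOMETRIC_OVER:
        return {"decision": "step_up", "factor": "biometric", "reason": "high amount"}
    if tx["amount"] > PIN_OVER:
        return {"decision": "step_up", "factor": "pin", "reason": "medium amount"}
    return {"decision": "approve", "factor": None,
            "reason": f"phone {d * 1000:.0f} m from terminal"}


# Constructed scenario data: a terminal in midtown Manhattan, a phone fix a few
# blocks away, one in London, and one that is half an hour old.
TX_TS = datetime(2013, 4, 18, 12, 0, tzinfo=timezone.utc)
TERMINAL = {"terminal_lat": 40.7580, "terminal_lon": -73.9855}
NEAR_FIX = {"lat": 40.7614, "lon": -73.9776, "ts": TX_TS - timedelta(seconds=30)}
FAR_FIX = {"lat": 51.5074, "lon": -0.1278, "ts": TX_TS - timedelta(seconds=30)}
STALE_FIX = dict(NEAR_FIX, ts=TX_TS - timedelta(minutes=30))


def scenarios() -> dict:
    def tx(amount: float) -> dict:
        return {"amount": amount, "ts": TX_TS, **TERMINAL}
    return {
        "coffee_near": authorize(tx(4.50), NEAR_FIX),
        "dinner_near": authorize(tx(480.0), NEAR_FIX),
        "laptop_near": authorize(tx(2300.0), NEAR_FIX),
        "coffee_far": authorize(tx(4.50), FAR_FIX),
        "coffee_stale_fix": authorize(tx(4.50), STALE_FIX),
        "coffee_no_fix": authorize(tx(4.50), None),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18s} {outcome}")
```

With the constructed coordinates the nearby fix is roughly 770 m from the terminal, so the small purchase is approved, the 480 purchase asks for a PIN on the phone, and the 2,300 purchase asks for a biometric; the London fix is declined outright, and a stale or absent fix falls back to a PIN challenge.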


Collaborate With Your Non-Security Peers To See How Objectives Intersect (Hint: Mobile Context For Mobile Authentication)

Heidi Shey

“Enterprise rights management? What does that even mean?! You’re using security speak!” exclaimed my colleague TJ Keitt.

TJ sits on a research team serving CIOs and covers collaboration software. We were discussing collaboration software and the data security considerations for collaboration, and “security speak” got in the way. It wasn’t the first time, and it likely won’t be the last, but it is a good reminder to communicate clearly, without security speak, not just to fellow S&R pros but to the rest of the business (in this case the CIO), and to say what we really mean. That’s how collaboration starts.

Collaboration is also not just about S&R pros engaging the rest of the business to bring them into the security-minded fold, but about listening and being aware of what’s bubbling up in other parts of the organization, since it can have implications for security too. One of the more interesting examples I see today comes from the marketing side of the business, specifically those involved with strategies for customer experience and digital marketing. Mobile is huge (no surprise, right?), and is transforming how companies interact with customers. The future of mobile is all about context: 1) situation, 2) preferences, and 3) attitudes.

Read more