Soft on cyber risk? A balancing act

SC Magazine, Volume 25, No. 11, November 2014. Website: www.scmagazine.com

On the cover:
Soft on cyber risk? Canadian insurance firms are left to manage their internal cybersecurity voluntarily. (C1)
A balancing act: Apple's new iPhone 6 and iOS 8 offer data encryption for mobile users, but the company's devotion to consumers can create security conundrums. (P27)
Acting out: Simulation exercises show how companies should respond under a cyberattack, says HHS's Sara Hall. (P20)
Product reviews: Barracuda (P40), which monitors, assesses and remediates app…; White Ops (P47), "captcha on steroids" to defend against…; classification for data, even on mobile.
Contents

4 Editorial: Finding the right structure
8 Threat report: Five Bartell Hotels locations were compromised.
10 Threat stats: A breach at Home Depot exposed 56M records.
12 Update: Canada's RCMP cannot tell whether it complies with privacy law when gathering information.
14 Two minutes on… Another day, another data breach.
16 From the CSO's desk… Getting executives on board, by Patricia Titus, Freddie Mac.
17 Letters: From the online mailbag.
18 Opinion: Will cyber threaten mobile?, by Scott Totzke, BlackBerry.
19 Analysis: Hackers are after your app, by Min-Pyo Hong, SEWORKS.
20 Acting out: Simulation exercises show how companies should respond under a cyberattack, says HHS's Sara Hall.
C1 Soft on cyber risk? Canadian insurance firms are left to manage their internal cybersecurity voluntarily.
24 Safe tether: Wearable devices efficiently monitor user activity, but also open new targets for malware authors.
27 A balancing act: Apple's new iPhone 6 and iOS 8 offer data encryption for mobile users, but the company's devotion to consumers can create security conundrums.
30 Case study: Network comfort. When a care provider supplied laptops to its roving employees, it added a security solution to enable efficient…
34 Upping the ante: The latest iteration of the PCI Security Standard calls for moving beyond meeting compliance mandates.
Product section: We look at application security and two emerging product groups covering challenging functions. Group Test: Application security (Barracuda P40, Fortinet P41, White Ops P47). Emerging products: Online fraud (the creativity of online fraudsters seems to know no bounds) and Data classification.
48 Analysis: The elephant in the room, by Gene Fredriksen, Public Service Credit Union.
49 Calendar: A guide to upcoming IT security shows, events and…
50 Last word: Privacy and the Internet of Things, by McAfee's Jonathan Fox and Tyson Macaulay.

Pull quotes: "We need to have a comprehensive detection and defense scheme." "We can create policies that define touch points in a document or email that help determine its classification." Pictured: Sara Hall, deputy CISO, U.S. Department of Health and Human Services (P20); Patricia Titus (P16); Jonathan Fox (P50).

Cover photo by Aaron Clamage

SC Magazine (ISSN No. 1096-7974) is published monthly, 10 times a year, with combined December/January and July/August issues, by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2014 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Haymarket Media uses only U.S. printing plants and U.S. paper mills in the production of its magazines, journals and digests, which have earned Chain of Custody certification from FSC (Forest Stewardship Council), SFI (Sustainable Forestry Initiative) and PEFC (Programme for the Endorsement of Forest Certification Schemes), all of which are third-party certified forest sustainability…
Finding the right structure

Questions about the recent PwC "Global State of Information Security" survey have arisen regarding its finding that budgets for information security dropped by four percent globally this year. The decline comes after the same research showed funds rising for the last three years, and after it revealed that security incidents had spiked about 48 percent, to 42.8 million, this year.

Disheartening? Yes. Even PwC execs noted surprise at the budget drop, especially considering that research firm Gartner has forecast security spend to jump by about eight percent, to some $71 billion, this year.

So what gives? PwC had no clear answers for the drop, but implied that most security budgets, along with IT security leaders and their staffs, still fall under the management of the IT department and CIO.

And there's the main crux of the problem. Another reason for the seeming decline in IT security spend is that it is now becoming a pervasive part of everyday corporate operations and therefore is being assumed by business units whose projects and functions require protective measures that are not being earmarked specifically as IT security. But another reason could be that more of the overall IT budget is facing a downturn as organizations look to save money with adoption of cloud and SaaS.

Combine these trends with PwC's finding that boards of directors take little part in a list of high-level security activities, and one can conjecture on a few areas. The first is that if IT security is indeed getting more entangled with expenditures related to the course of doing business, then we're moving in a solid direction. The second is that we're still on the wrong path if boards aren't paying the least bit of attention to information security and risk planning until a data breach happens, given the scale and frequency we're experiencing now.

But, even more importantly, without that board-level commitment, hierarchical structures will remain antiquated, with security falling under IT. That's bad for myriad reasons, but in this specific case it unveils the hazard of IT security spend declining right along with IT spend, when it should be at least maintained, if not bumped, given today's data exposure perils.

Fortunately, some companies are on top of this issue. For example, SC Magazine CSO of the Year Forrest Smith, CISO at Nissan Americas, saw his organization move out of the information systems department into corporate services. The move makes IT security much more autonomous. "We're going to be better tomorrow than we are today," explains Brian Delauter, Smith's boss, who is the director of the corporate services division.

That must be any company's mantra in regard to its information security posture, and pretty much the financial plans and organizational structures related to it.

Illena Armstrong is VP, editorial of SC Magazine.
4 SC • November 2014 •
SC Congress 24/7

SC Magazine has created a free virtual environment that is open year-round. Each month we host online events focused on subjects that you, as an IT security professional, face on a regular basis.

Nov. 13 – Vulnerability management: Cybercriminals take advantage of vulnerabilities in web and other apps to gain entrance to wider corporate infrastructures. We learn from experts what companies can do to mitigate against these threats.

Nov. 20 – eSymposium: ID management: For our second identity management eSymposium of the year, we survey how security professionals can best safeguard cloud-based applications, critical databases and more via identity management tools and techniques.

Dec. 2 – eSymposium in Canada: We'll take a sweeping survey of what currently is being discussed in Canadian security circles and find out what companies can do to maximize their protection of corporate assets and customer data.

For details on SC Congress 24/7 events, please contact Jourdan Davis at 646-638-6176. For sponsorship opportunities, contact Mike Alessie.

Editorial advisory board

Rich Baich, chief information security officer, Wells Fargo & Co.
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, CEO/president, Prevendra
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director, information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, chief information security officer, chief privacy officer and senior vice president of privacy practice, …
Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos
Gene Fredriksen, global information security officer, Public Service Credit Union
Maurice Hampton, director, field operations, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, general manager, IBM Security Services
Tim Mather, chief security officer, Apigee
Stephen Northcutt, director, The SANS Institute
Randy Sanovic, owner, RNS Consulting; former general director, information security, General Motors
Howard Schmidt, principal, HAS Security *
Ariel Silverstone, chief security officer adviser, GNN; former chief information security officer, Expedia
Justin Somaini, chief trust officer, Box; former chief information security officer, Yahoo
Craig Spiezle, executive director and president, Online Trust Alliance; former director, online safety technologies, Microsoft
Hord Tipton, director, (ISC)2; former chief information officer, U.S. Department of the Interior
Amit Yoran, senior vice president, RSA, the security division of EMC
* emeritus
Masthead

VP, EDITORIAL Illena Armstrong
REPORTER Adam Greenberg
CONTRIBUTORS James Hale, Karen Epper Hoffman, Stephen Lawton, Jim Romeo
ART DIRECTOR Michael Strong
VP, SALES David Steifman (646) 638-6008
SALES AND EVENTS Richard Scalise (646) 638-6190; Eric Green; Jourdan Davis; Edelyn Sellitto (646) 638-6107; Jennifer Brous
CUSTOMER SERVICE (800) 558-1703
COO John Crewe
Threat report

Cybercriminal activity across the globe, plus a roundup of security-related news. Colored dots on the map show levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messaging corresponding with IP addresses is received by Symantec's network of two million probes with a statistical reach of more than 300 million mailboxes worldwide.

VANCOUVER, CANADA – Telecommunications company Telus shared its first transparency report detailing government requests for data. The Vancouver-based firm received more than 103,000 requests in 2013, the majority of which (56,748) were related to emergency situations, such as 911 calls. More than 4,300 requests came from court orders or…

WINNIPEG – The Winnipeg Regional Health Authority announced that a doctor's laptop was stolen from an office at Health Sciences Centre on Sept. 10. The laptop, which was not password protected, contained information on 322 patients seen within the last 18 months at the hepatology clinic.

SAN DIEGO – The payment card-processing systems used at five Bartell Hotels locations were compromised. The company estimated that between 40,000 and 45,000 customers were affected. Names, credit card numbers and expiration dates were among the information that may have been…

An unencrypted desktop computer with the personal information of 3,780 patients was stolen from a Temple University physician's office in July. The computer was taken from the department of surgery during a break-in and included patient names, ages, billing codes and names of referring…

LONDON – Within 30 minutes, 250 devices connected to a free public Wi-Fi hotspot set up by researchers in London. Web searches, emails and data were captured, and six people agreed to give up their eldest child when the hotspot briefly showed a terms and conditions page with the deliberately ridiculous term.

JAPAN – Between 110,000 and 750,000 members of the Japan Airlines frequent flier club may have had personal information stolen, including names, addresses, genders and places of work. An investigation revealed that 23 computers contained malware, which was believed to have been introduced to the airline's network via a phishing email.

MALAYSIA – Two malicious software programs that target ATMs have been detected in Malaysia, one of which appears to be responsible for multiple ATM thefts in both Ukraine and Mexico. The unnamed malware was used to infect 18 ATMs in three days. The attackers launched an executable and infected each…

SINGAPORE – A karaoke chain, K Box, experienced a data breach when the personal information of up to 317,000 members was posted online by hacker group "The Knowns." The information included membership numbers, points earned, contact numbers, email addresses, identity card numbers, dates of birth and marital status.

Iran top producer of zombie IP addresses: For the period reported, the EMEA region (Europe, Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA, Iran was the top producing country. For the other regions, the top producers were Argentina in South America, the United States in North America and Vietnam in the Asia-Pacific region. Source: Symantec
Threat stats

A breach at Home Depot exposes 56M records

Top breaches in September, data loss (source: Privacy Rights Clearinghouse, data from a service hosted by the Open Security Foundation; table columns: type of breach, number of records):
Bartell Hotels, San Diego: Bartell Hotels, which operates several hotels in San Diego, announced it suffered a data breach of customer credit card information.
Home Depot: Home Depot announced that the data breach it incurred in early September has affected approximately 56 million credit and debit cards. This makes the breach the second largest ever, just behind TJX's breach of 90 million.
[Chart: total number of records containing sensitive personal information involved in breaches in the U.S. since January 2005]

Zombie IPs, global distribution (source: CYREN, formerly Commtouch Software Online Labs; chart: rate of change, continuously compounded): Zombie IP addresses are recorded in CYREN's database as having sent spam in the past 24 hours. These are infected computers (zombies) that are unknowingly sending spam. Based on the IP address, the company can determine the country of the spam zombie and then sums up the spam zombies per country.

Top countries by attack volume, as of Oct. 10 (source: Dell SecureWorks): There were 2,073,328 attacks in the United States last month, primarily originating from Atlanta; New York; Dallas; Los Angeles; and Newark, N.J. There were 38,003,450 foreign attacks last month, primarily originating from Amsterdam, Netherlands; Moscow; and Kiev, Kharkiv and Donets'k, Ukraine.
Top 5 attacks used by foreign hackers: 1. ZeroAccess trojan; 2. Rerdom trojan; 3. Zeus trojan; 4. Asprox/Danmec trojan; 5. Downloader trojan.
Top 5 attacks used by U.S. hackers: 1. Rerdom trojan; 2. Smoke/Dofoil Downloader trojan; 3. Downloader trojan; 4. Allaple.A worm; 5. Waledac trojan.

Phishing, top targeted countries (source: RSA Monthly Fraud Report): United States 61%, China 6%, Netherlands 6%, UK 4%. The U.S. remained the most targeted country in August with 61 percent of phishing volume. China, the Netherlands, the UK and Canada were collectively targeted by 20 percent of total attacks.

SMS spam, volume by month for each region (source: Cloudmark): Asia-Pacific 4.6B; Europe 3.5B; Africa & Middle East 1.6B; North America 887.9M; South America 804.3M.

Internet dangers, top 10 threats (source: Alcatel-Lucent Kindsight Security Labs; table columns: date first observed, last month, months on list). [Table not recovered]

Monthly evolution of mobile malware (source: Fortinet): number of Android samples and Android samples per day. [Chart]

Index of cyber security, perceived risk (source: ICS; chart: index value): The index queries information security industry professionals monthly to gauge their perceived risk to the corporate, industrial and governmental information infrastructure from a spectrum of cyber security threats. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite.
Update

Inside: Two minutes on… Another day, another data breach (P14). Me and my job: Attracted to the community aspects of the industry (P15). Skills in demand: Biometric security account executives are needed (P15).

» British Columbia's provincial government is notifying 15,000 individuals after a privacy breach in its Wildfire Management Branch. On Sept. 24, an unauthorized user accessed databases within the organization, the government said. The name, gender and contact information of past firefighter job applicants may have been compromised. Their date of birth, drivers license number and job evaluation information may also have been seen. As well, Alberta Health Services was forced to notify 5,000 patients after a laptop was stolen from a Lethbridge sleep clinic. The laptop was not owned by AHS, but it did have a database with patient names and addresses, the organization said. It also included dates of services and the types of equipment that was used by the clinic. The database was password protected, but not encrypted.

» Canada's Royal Canadian Mounted Police (RCMP) cannot tell whether it complies with federal privacy law when gathering information about citizens without a warrant, according to the Canadian Privacy Commissioner's annual privacy report. The Commissioner attempted to audit the RCMP's collection of subscriber data from telecommunications service providers without warrants. It searched the organization's records, but found that it couldn't extract the relevant data. "In only limited instances were we able to identify a link between requests made for wireless access to subscriber information and the files that contain such requests," the report said. The RCMP said that it would establish a working group to better monitor and report on warrantless requests for subscriber information. It will report back to its Departmental Audit Committee in April 2015. The Commissioner's report also highlighted a record high in voluntarily reported data breaches by government organizations. It received reports of 228 data breaches across the federal government, up from 109 in the prior year. Among the biggest offenders was Correctional Service Canada, which reported 22 incidents. The leader, however, was Veterans Affairs Canada, which reported 60 incidents.

» A federal bill that would force companies to notify individuals of breaches moved a step closer to being law in October. Bill S-4, the Digital Privacy Act, was sent to the Industry Committee for review on Oct. 20. The Committee review would be the last time for significant modifications to the bill before it goes to its second House of Commons reading. The Digital Privacy Act would force companies to notify affected individuals of a data breach. However, commentators have criticized it for its provisions about involuntary data disclosure. Provincial privacy law is also being put to the test. Canada's Supreme Court extended the deadline to amend the provincial Personal Information Protection Act (PIPA), which also mandates individual breach notification. The law, found invalid a year ago, must be amended to be in line with the Canadian Charter of Rights and Freedoms. The original deadline passes in mid-November, but the Court gave the provincial government a six-month extension.

Bank robbery

In an SEC filing in early October, JPMorgan Chase revealed the extent of a breach believed to have been perpetrated by Russian state-sponsored attackers. The financial institution said that the cyberattack exposed customer contact information linked to 76 million households and seven million small businesses. The company reassured customers that account information did not appear to be compromised. Account numbers, passwords and Social Security numbers likely were not revealed in the massive breach, said Chase.

"These scripts they built will take the password list and try to…"
– Wayne Huang, VP of engineering at Proofpoint, which identified a Russian cybercrime group that infected more than 500K systems
Debate » Should you pay a cyber ransom?

FOR (chief intelligence officer, Treadstone 71): While many in the security industry believe one should never pay a hacker regardless of the circumstances, it's wrong to view cyber extortion as a black-and-white issue. Even the most well-prepared company can still be caught off guard by a hacker. For example, hackers will often target companies during the least optimal time – such as the holiday selling season, when the financial risk is greatest and the ransom is small money in… As repugnant as it is, in some cases, paying a ransom may be the only way to get back critical data or resources, or to resume normal business operations. By paying the ransom, a company can buy itself a brief reprieve so that it can fix the underlying vulnerability. Ransom payments should only be viewed as a last resort, a short-term solution: Expect the hackers to come at you again – and their incursion may launch from anywhere on the planet – so use that time to harden your defenses and repel the next attack.

AGAINST (founder, Parameter Security): Cyber extortion is a growing problem for businesses, but the last thing anyone should do is pay the hackers. Once they realize they have a compliant victim, the hackers will come back again and again – and there's no guarantee they'll even stop in the first place. There could also be reputational damage if the public finds out you paid, and possibly even legal and regulatory consequences. Companies should disregard this option completely – under no circumstances should you pay. Instead, you must take the proper steps ahead of time to mitigate the potential damage. Every company should have a data backup plan in place – this will largely neutralize the ransomware threat. Segment networks to limit the spread of infections. Perform DDoS testing and mitigation training and have cloud backups in place. Conduct regular security audits and test your company against specific extortion scenarios. By preparing for these attacks ahead of time and layering your defenses, companies can effectively mitigate extortion-related threats.
Bash bug / ShellShock

What is it?
The original vulnerability in Bash, dubbed ShellShock, can be exploited to execute arbitrary shell commands to compromise a vulnerable system. More vulnerabilities also have been reported.

How does it work?
Multiple attack vectors for Bash exist as many organizations use products which contain Bash in multiple parts of their…

Should I be worried?
Yes. With the vulnerabilities came a host of patches with varying degrees of efficiency. At the time of writing, all known bugs in Bash have been fixed with official upstream patches.

How can I prevent it?
Apply the patches provided by Bash. However, not all products containing Bash have been fixed yet, so keep a close eye on those products and patch them as soon as possible. If you are a system administrator, you need to diligently assess the risk to your systems; apply the patches and look for other ways to mitigate where no patch is available; and then go back to verify the result.
– Kasper Lindgaard, director of research and security, Secunia

Weekly poll: Do you believe the response to the Bash bug has been quicker than the response to Heartbleed? (Response options shown include "About the same.") To take our latest weekly poll, visit www.scmagazine.com.

[Figures: share of machines connected to the internet that may be affected by the Bash bug; years since Bash, the shell in which ShellShock resides, was introduced by Brian J. Fox. Source: New York Times]
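The "go back to verify the result" step Lindgaard describes is easy to get wrong if you only check a package version, because appliances and containers often bundle their own bash. The following is an added example, not code from the original page or from Secunia: a POSIX shell function that feeds a candidate bash binary a function definition with a trailing command through the environment, the pattern behind the original ShellShock bug (CVE-2014-6271), and reports whether that trailing command ran at startup. The binary path is a parameter, the marker string is an arbitrary value chosen for this example, and the probe only echoes, so it is safe to run on production hosts.

```shell
#!/bin/sh
# Added example (not from the original page): probe a bash binary for the
# original ShellShock bug. A vulnerable bash imports any environment variable
# whose value starts with "() {" as a function and keeps parsing past the
# closing brace, so the trailing command runs before the -c command does.
# Prints one word and returns 0 = patched, 1 = vulnerable, 2 = no bash found.
check_shellshock() {
    bash_bin="${1:-bash}"          # path or name of the bash to test
    marker="SHELLSHOCK_MARKER_OK"  # arbitrary string we look for in output

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # The exported variable looks like a legitimate exported function followed
    # by an extra command. A patched bash only imports functions from specially
    # named BASH_FUNC_* variables and stops parsing at the function body, so the
    # marker never appears; an unpatched bash echoes it during startup.
    out=$(env "x=() { :;}; echo $marker" "$bash_bin" -c 'echo probe' 2>&1)

    case "$out" in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: with no arguments, test the bash found in PATH; otherwise
# test every path given, e.g. a vendor appliance's bundled /opt/.../bin/bash.
if [ $# -eq 0 ]; then set -- bash; fi
for b in "$@"; do
    printf '%s: %s\n' "$b" "$(check_shellshock "$b")"
done
```

Run it against every bash you can find (`find / -name bash -type f` on a host, or the image filesystem of a container) rather than just `/bin/bash`. A "patched" result only covers the original parser bug; the follow-on Bash vulnerabilities reported after it need their own probes, and the vendor's patch level for each product remains the authoritative answer.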
Another day, another data breach

Home Depot and JPMorgan Chase seem to be the top searches that pop up when one Googles "data breaches." But just when you think a particular breach will snag a headline for weeks, another takes its place in what seems like days.

Cybercriminals have long kept law enforcement on their toes, but there's no denying the amount of hard work that goes into attributing these threats.

In the BlackShades bust, an FBI-led investigation that included help from 17 law enforcement agencies around the world resulted in 100 individuals being charged for using or distributing the malicious RAT, which could give an attacker nearly complete control over a compromised machine. Then there are the eight suspects arrested in Spain who were a part of the ATM hacking ring that netted $60 million from banks around the globe.

Tracking down threat actors is no easy feat, and requires an immense amount of research and collaboration. Sophisticated malware used in these attacks may share similar attributes, but that doesn't necessarily mean the attacks are tied to one cybercriminal or group. While security researchers conduct their fair share of work toward tracking down these actors, it ultimately comes down to law enforcement to make the big move.

"Although certain forensic evidence security researchers help law enforcement in their investigation, tracking down the actual criminals is more of a law enforcement task," says Karl Sigler, threat intelligence manager at…

Additionally, even if these forensic researchers are able to follow clues – such as unique strings in a binary and executable resource language – it's difficult for them to be 100 percent accurate when it comes to open-source intelligence attribution, which is as far as some researchers can go if they're not law enforcement, says Joe Stewart, director of malware research for Dell SecureWorks' CTU research team. Even then, he says, digital evidence can be forged to look like it came from someone else.

"That's really the primary problem with attribution for any kind of digital crime," Stewart says. At the end of the day you have to make a final connection between a keyboard and a set of fingers. "We can often find the keyboard, but proving beyond all doubt which fingers actually made those keystrokes is a difficult task."

That's when, he says, law enforcement comes knocking with a warrant.

– Marcos Colón

76 million households were affected by a breach at JPMorgan Chase. Source: JPMorgan Chase
Me and my job

Marisa Fagan, director of crowd operations, Bugcrowd

Why did you get into IT security?
I've always been attracted to the community aspects of the security industry. This is an industry where anyone clever at solving puzzles can make an impact that can improve the internet for everyone.

How do you describe your job to average people?
My job is motivating the global community of computer security researchers to use their skills to make our customers' code more secure. When they all work together, it becomes a powerful force with greater numbers than the bad guys.

What was one of your biggest challenges?
It's convincing people that we need people with a wide variety of skills. We tend to place more value on jobs with skills that are quantifiable, like penetration testing, and shy away from those with less concrete contributions, like risk management.

What keeps you up at night?
I worry about miscommunications. At Bugcrowd, we are the go-between for security researchers and companies in a stressful time. Where one side is hoping for appreciation for their efforts, the other side is protecting their assets. Our goal is to get them to speak the same language.

What makes you most…?
In our community of over 11,000 security researchers, there have been many success stories that make me feel honored to work in this industry. Often we hear about people paying their way through school or supporting their family with the money they earn from bug bounty programs. We also run charity bounty programs where our researchers will contribute their expertise to help secure a charity organization for…

How would you use a magic IT security wand?
I would create an effective, adaptable security awareness training program that would give people the same excitement and passion for security that I share with my peers.
Skills in demand

The biometric security market has experienced a resurgence as the mobile market has continued to mature. Due to this increase in activity, sales talent within this spectrum is in demand.

What it takes: Successful account executives are likely to have either transitioned from a more technical position or migrated from selling another complex solution that is sold to the same target market.

Salaries range from $120k to $140k base, and on-target estimates for total compensation tend to fall somewhere in the $200k to $300k range depending on the amount of business closed each year.

– Adam Malanaphy, director, information governance, Glenmont Group
Company news

»Prevendra, a Woodinville, Wash.-based security company, launched its Red Folder web application that allows users to put their important information behind a protected portal. This information can also be retrieved by a designated contact in case of emergency.

»Jason Eberhardt has joined Chicago-based Conventus, a national information security consulting firm, as VP of strategic alliances. Eberhardt will coordinate with alliance partner executives and Conventus engineers on business development projects and pre-sales technical support delivery.
14 SC • November 2014 •
»Tom Grooms, VP and chief information officer at The Valspar Corporation, a Minneapolis, Minn.-based coatings manufacturer, was named the 2014 CIO of the Year by the Golden Bridge Awards, a global industry awards event. Grooms led Valspar to tighten up its IT budget efficiently.

»Veracode, a Burlington, Mass.-based web and mobile application threat solution provider, closed a late-stage $40 million funding round led by Wellington Management Company, and other existing vendors. The funding will allow Veracode to continue expanding globally and explore the acquisition of other technologies, as well as prepare an IPO.

»Exabeam, a San Mateo, Calif.-based Big Data security analytics provider, launched its new platform that will allow users to detect attacks and insider threats in real time. It adds a layer of user behavior intelligence on top of existing SIEM and log management repositories to provide a full view of the attack chain. The accounts involved in attacks can also be

»CipherCloud, a San Jose, Calif.-based cloud information protection provider, appointed two new executives. Ajay Nigam will be the company’s chief product officer and Bonnie Helton will be chief human resources officer. Nigam previously held a similar position at Marble Security, while Helton was previously the global head of human resources at Applied Material’s emerging technology businesses.

»Thomas Miller has joined San Jose, Calif.-based Malwarebytes, a threat prevention software provider, as SVP of sales. Miller will develop and deploy the company’s cross-channel sales strategy and also define the company’s marketing plan. He previously worked at Trend Micro as president of North America.

»Duo Security, a provider of cloud-based two-factor authentication, headquartered in Ann Arbor, Mich., announced the launch of its security research team, Duo Labs. The division is led by co-founder and CTO Jon Oberheide. Its first project included the disclosure of a bypass in PayPal’s two-factor authentication, and researchers have presented findings at Black Hat, DefCon and Securing IoT.
From the CSO’s desk
Getting executives on board
Patricia Titus, VP and CISO, Freddie Mac
Criminals are regularly penetrating some of the most prestigious networks where the identities and credit cards of millions of ordinary citizens are stored. The ripple effect for security pros should be sounding a tsunami horn. Security is now being discussed at the highest levels of business and government. One effect of the latest wave of hacker attacks is making ours one of the country’s most sought after professions and one with a significant amount of “job security.”

On the other hand, more C-suites and boards are asking if simply hiring a CISO and a security team really solves “the security problem.” More to the point, savvy execs are asking “just what is our security problem and what kind of CISO do I need to solve it?”

Companies and CISOs who narrowly define security problems as quickly backfilling a compliance hole or responding to media hype almost inevitably have security teams that are reactive and lack vision. These companies will discover that hiring a CISO will not, by itself, fix years of delinquent security practices or make them more competitive in the marketplace.

On the other hand, companies committed to protecting their systems are more likely to succeed if they also make the proper investment in a vision for making security a business enabler. The executives at these companies don’t just ask about compliance. They also ask “what can our security organization bring to our corporate vision?”

We see more organizations pushing back on the “compliance-only” mindset and pushing for a new direction in security. More organizations are moving away from reactive, tactical thinking and beginning to embrace the idea that they need a security program based on their corporate business objectives designed to address the breadth and depth of information risk.

One thing these companies have in common is a CISO who is able to educate executives about what security is and what it isn’t. Before sitting down with their C-team, the CISOs are also able to use an industry framework to systematically approach their company’s security and risk management issues in an organized, thoughtful way. This drives them to build a security roadmap and follow it, adjusting when necessary based on the threat landscape and changing business priorities.

Consequently, this paradigm shift is opening the door to a different breed of security pro. It’s no longer enough to be a security vet. CISOs today must also have diverse business backgrounds so they can act as cultural ambassadors for security.

In other words, successful CISOs need to master more than system security to make their companies competitive and improve their own job
30 seconds on...

»Changing landscape
The approach to cybersecurity that we see more organizations taking in the face of the changing threat landscape takes into account more than adhering to compliance mandates.

»Beyond the checkmark
It’s imperative to persuade execs that security is a business enabler. CISOs will learn that their jobs are not so secure in companies lacking an overall vision for security.

»Forging partnerships
CISOs at companies without communication are likely to keep their résumés polished in case their anxious executive leaders demand to know “why they aren’t bulletproof yet?”

»Critical piece
Knowing how to build relationships with the business, understanding what other divisions need and finding ways to balance security risk with those needs is a critical skill.
From the online mailbag

In response to a Sept. 18 news story, Watering hole attack targets website visitors of oil and gas start-up:

So this malware exploited an unpatched 2013 vulnerability from Internet Explorer. This has an easy workaround: Enterprise policy should not allow the use of IE, favoring browsers like Chrome (thanks to its auto-update feature). Not allowing users to run in admin mode should really lower the infection risk as well.

Fernardo Lopez
In response to an Update item in the September issue:

Your story about Sony PlayStation Network [page 12] shows an XBOX 360 controller (specifically the Halo Reach edition). Most of your readers would likely recognize the picture is not a PlayStation controller, but just in case no one else mentioned it. Great publication, keep up the good

Mike Greer

Send your comments, praise or criticisms to [email protected]. We reserve the right to edit letters.
In response to a post on the Data Breach Blog, Viator investigates payment card

I think it is time to secure sensitive data across the entire data flow with modern approaches. Tokenization can be implemented in the terminal at the point where the payment card is swiped. We should use this approach to also secure personal information across the entire data flow, in memory, in transit and at rest.

Ulf Mattsson, CTO, Protegrity

In response to the July-August Women in IT Security issue:

Very well done issue about an important topic. Going all out with a full issue, cover included, helped convey the importance while giving the issue the page space for more than platitudes. Well done.

Christopher Stave, Drew University

In response to an October news story, Chase breach affects 76 million accounts:

Great article and understanding of where the real cybersecurity problems are: the software. You are right in your assumption that current technologies will not fix the problem. Software error – whether intentional or not – must be authenticated, viewed, analyzed and blocked at the real-time data-in-motion input level. All current technologies view this information at the historical data output level which, in the case of the Chase breach, was much too late.

Larry Karisny

In response to an October news story, Google deletes hacked images of nude celebs:

Images may be hacked or not hacked. As well, images may be of celebrities or non-celebrities, and the persons in the images may be nude or not nude. That’s eight possible combinations of hacked/not hacked, celebrity/not celebrity, nude/not nude. Which ones will Google delete and which ones will they allow?

Mike Smith

In response to an October news story, FDA presents guidelines for medical device

Biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by the first way. The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset.

Biometric products, like Apple’s Touch ID, are generally operated by (2), so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors

Hitoshi Anatomi
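The arithmetic behind the letter’s x + y - xy, as an added worked equation rather than part of the letter, reading x and y as the per-factor probabilities that an unauthorized person is accepted and assuming (an assumption made here, not stated in the letter) that the two factors fail independently:

$$
\begin{aligned}
\text{OR/disjunction (either factor unlocks):}\quad P_{\lor} &= 1 - (1-x)(1-y) = x + y - xy,\\
\text{AND/conjunction (both factors required):}\quad P_{\land} &= xy,\\
P_{\lor} - y &= x(1-y) \ge 0, \qquad P_{\land} - y = -y(1-x) \le 0 .
\end{aligned}
$$

So a biometric combined by OR can only raise the acceptance probability above that of the password alone, while one combined by AND can only lower it.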
In response to an October news item, Mozilla patches Bugzilla bug that revealed details on flaws:

This is a good recap of the Bugzilla bug. One thing I’d add is that the real issue appears to lie with the Perl programming language and the use of regular expressions, which may have further implications beyond Bugzilla. It is critical that organizations have an automated process in place to track code usage and monitor for known vulnerabilities.

Bill Weinberg

In response to an October news item, iCloud hacker releases new series of celebrity nude images:

I would think by now Americans would understand that the privacy laws in the U.S., in most cases, do not apply to every country in the world. And, I would think by now Americans would understand that the internet is global. Lawsuits, shutting down Google are not going to make these photos go away.

Peter Hitchcock

The opinions expressed in these letters are not necessarily those of SC Magazine.
Selling Snowden-style access

John Worrall, CMO, CyberArk

Often lost in the discussion of the NSA and Edward Snowden is the fact that the broad access and privileges he had are the same type of access and power that many employees in similar positions have at almost every business. This begs the question: What if these same access powers were suddenly available on the black market to the highest bidder? What if outside hackers actually had your privileged/admin account information and could provide it to anyone of their choosing – giving them the power to traverse your network at will with the power of an IT admin?

Unfortunately, this isn’t a ‘what if’ dream-scenario concocted for a Black Hat presentation. It’s the current reality many businesses unknowingly face. In fact, the U.S. Attorney’s office in Boston indicted Andrew James Miller, a hacker who infiltrated numerous corporate networks through common means. Once Miller was able to gain access to a single employee terminal, he installed keylogging software on the computer to steal admin passwords. From there, he was able to escalate the privileges of these accounts to steal more privileged/admin account passwords, providing him with root access to entire systems. Miller promptly tried selling these privileged/admin accounts on a known black market for hackers and was caught by the FBI. Miller was selling Snowden-like access to major companies for as little as $1,000 a pop.

The Miller case provides a microcosm of the security challenge all organizations face today and highlights why privileged accounts have emerged as the number one target of malicious hackers. If you look through the long list of recent cyberattacks and breaches, you’ll see the privileged connection form in each one. As the security research firm CyberSheath noted, the compromise of privileged accounts is a critical factor in 100 percent of advanced cyberattacks. This is why the Andrew Millers of the world are working from the outside to become an insider.
Will cyber threaten mobile?

Scott Totzke, senior vice president, BlackBerry Security Group

This year, as both corporations and governments fell prey to online adversaries, there was escalating concern over cyberattacks. As mobile devices are further integrated into networks, organizations will have a critical need to implement end-to-end security solutions that offer comprehensive security at the device, server and network level in order to provide a multi-layered security solution that will better protect their corporate assets.

With so much sensitive information – including patient records, customer credit card numbers, usernames and passwords, databases and financial records – at stake, a patchwork solution will never be sufficient for protecting a mobile computing environment. Too many organizations learned that lesson the hard way in 2013, and in 2014, the trend will be toward more robust security features and controls that allow organizations to leverage their investments in mobility solutions to drive new ways of transacting with their customers.

To help avoid and thwart cyberattacks, organizations should employ a solution that can proactively identify malicious applications as well as recognize those that are designed to erode the privacy of user data on the device, and then deny access to the network. Strong encryption of data between endpoints in a communication chain will help ensure that data in motion and on devices remains secure. And in the case of a lost or stolen device, organizations will need the ability to manage or wipe devices remotely.

The cost of a cyberattack can far outweigh the expense of transitioning to a best-in-class solution with comprehensive management and security for devices. With the ability to control the devices, apps and content – and manage them from a single unified console – your IT team can save significant time and resources during the training and transitioning phase. Take time to develop and implement a formal enterprise mobility management strategy for your organization in 2014 – it’ll help detect where the vulnerabilities are and leave you better prepared to protect your network from an attack.
Hackers are after your app

The app is where the majority of security breaches originate, says Min-Pyo Hong, SEWORKS.

Modern mobile hacks are diverse and can be performed by anyone, from an inexperienced amateur to highly skilled teams operating like tech startups. And the danger grows with the market

Various hacking methods – including man in the middle (MITM) attacks, mobile app piracy, memory hacking and trojans – constitute a real escalating danger to app developers and consumers. Here is how they work.

Man in the middle (MITM) attacks intercept the data communicated between a mobile app client and the server. They enable session hijacking or data sniffing. Recently, Instagram acknowledged it is particularly vulnerable to MITM attacks after a security researcher revealed the photo-sharing app uses non-secure HTTP (versus HTTPS) to transmit data. This fatal flaw can lead to user IDs, passwords, and photos being leaked.

App piracy occurs when a developer’s source code is used to copycat the app. Hardest hit are mobile game developers, who can see piracy of their top games soar up to 90 percent on Android and 87 percent on iOS. This has forced app developers to adopt the freemium model, which is not without its own set of problems.

Piracy is profitable since there is little development cost and multiple marketplaces that may not be strictly policed. Users may choose to download pirated versions for lower or no cost, taking revenue away from the original creators.

Simple internet searches turn up countless memory-hacking tools used to modify an app’s data. This can be used for unlimited game cash, higher levels, better scores and to otherwise cheat. This is an unfair advantage and discourages users from otherwise paying for premium game items.

Trojans pose as legitimate apps that secretly contain malicious code. Trojan apps can steal data – including user information and passwords – lock the device and demand a ransom, spam your contact book, or hijack the phone and send out unauthorized premium SMS messages to rack up fees without your knowledge. Even if the app is deleted, there is a chance that the malware was replicated elsewhere and remains a problem.

This list is by no means exhaustive. The ramifications are clear: If hackers want access to your app, there is no shortage of methods.

Most existing solutions focus on protecting server data or the device and don’t cover the mobile app. This is a concern, since the app is where the majority of security breaches originate. Why bother locking your bedroom door when the front door is wide open?

Mobile is not a single-step platform. Security should exist on every layer across the entire ecosystem, from app to device, communications, etc. There is no one-stop solution that covers it all, so it is important to ensure security on all layers. There’s no foolproof way to prevent all attacks, but there are simple and effective practices that should be employed: binary-level obfuscation; string encryption; server verification (payments); encrypting keys, certificates and tokens – even public keys – and source code obfuscation.

App marketplaces have created an unprecedented opportunity for hackers to disseminate malware. Our smartphones and tablets play an ever-increasing role in our lives, which is why developers must do all they can to protect intellectual property and prevent malicious attacks. There are no bulletproof solutions, but there are preventative steps to mitigate risk that are worth the time investment. We as an industry owe it to ourselves and our users to do all we can.

Min-Pyo Hong is founder and CEO of SEWORKS, a mobile app security firm with U.S. headquarters in Palo Alto, Calif.
Attack simulation

Simulation exercises show how companies should respond under a cyberattack, says HHS’s Sara Hall. Teri Robinson reports.

Sara Hall, deputy chief information security officer at the U.S. Department of Health and Human Services
Daniel Nutkis, CEO, HITRUST
Ed Powers, national managing partner of Deloitte & Touche’s Cyber Risk Services practice
Karl Schimmeck, vice president of financial services operations at SIFMA
Sharon Wallis, member, Bank of England’s Sector Resilience Team

In the common parlance of child psychologists, role-playing – particularly acting out scenarios – is good practice for real life, helping kids develop the skills and tools they need to face, navigate and solve the issues and problems encountered on the vast terrain of growing up. The same holds true in cybersecurity – playing out likely scenarios can yield the kind of preparedness that organizations in the private and public sectors can’t master in training seminars, classes and email advisories alone.

While participants don’t get to dress up in cool super hero costumes or leap tall buildings in a single bound, they do take part in cyberexercises that, if properly executed, can sharpen and strengthen an organization’s response, making it more competent and resilient in the face of a real, live cyberattack.

“They learn their strengths as well as weaknesses that can be improved so they’re ready for an attack,” says Sara Hall, deputy chief information security officer at the U.S. Department of Health and Human Services, of the groups participating in CyberRX simulation exercises supported by HHS and coordinated by HITRUST, an alliance of health care industry organizations that has essentially developed a playbook, or set of best practices, for conducting cyber attack simulation exercises.

“Organizations should be doing this sort of exercise for preparedness,” stresses Daniel Nutkis, CEO of HITRUST. The alliance recently released a “CyberRX 2.0 Exercise Playbook,” driven by the recommendations spawned from its spring 2014 simulation event.

Preparing for cyberattacks is especially important in the health care industry, charged with safeguarding personally identifiable information (PII) and medical data, and whose ranks include pharmacists, hospitals, private practitioners and medical device providers. “We don’t want citizens not trusting information with IT and that interfering with their ability to receive medical and health care,” says Hall.

But that public trust has been shaken after security incidents rocked health care organizations, including a significant data breach at Community Health Systems (CHS) that affected 4.5 million patients. While one observer noted that health care is “about a decade behind” other sectors, it’s playing catch up. Fast. And it’s certainly not the only industry vulnerable to security lapses, as demonstrated by even higher profile breaches at Target, eBay, Home Depot and JPMorgan Chase, and revelations that vulnerabilities, like Heartbleed and ShellShock, can lurk in code, ripe for exploitation by miscreants.

The fumbles that occurred during and after those incidents – as well as the successes, like the thwarting of DDoS attacks on banks in 2012 and 2013 – underscore the difference that preparedness can make in mitigating
Fueled by criminal intent, political unrest and just plain mischief-making, cyberattacks are, by and large, on the rise. And a growing reliance on electronic devices – within the Internet of Things even home appliances could be marshaled into botnets – combined with a surge in malware virtually guarantees attackers an unprecedented and ongoing reach into networks and systems once believed to be relatively untouchable.
Ain’t nothing like the real thing

Since real-life cyberevents unfold quickly – and often leave organizations scrambling – cyberexercises can help organizations build “muscle memory” around problems that they have to solve, according to Ed Powers, national managing partner of Deloitte & Touche’s Cyber Risk Services practice, which served as the independent observer of the Quantum Dawn II cybersecurity exercise held in July 2013 by the Securities Industry and Financial Markets Association (SIFMA). “Muscle memory reduces the ambiguity when you have a real event,” Powers says.

Quantum Dawn, says SIFMA, was designed to “test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a streetwide

Highly engaging, says Karl Schimmeck, vice president of financial services operations at SIFMA, the simulation served to create a game-like feel rather than a discussion around a PowerPoint.
“Coordinated exercises, or war games, that simulate cyberattacks give organizations and industry groups the opportunity to launch an ‘incident’ that mirrors real life and tests the mettle of carefully crafted plans that heretofore may have gone untested,” he says.

“Testing your plan is already an important part of preparedness,” adds Hall. Through simulations, organizations can, she says, flag problems before an emergency happens.

Hall notes that there are outcomes people may have assumed were all squared away, but that was before testing the plan. Simulation exercises can validate outcomes or illuminate weaknesses. “It will make people more confident than before they tested their plan,” says Hall.

By mimicking real life and encouraging the exchange of information in a “safe” environment, simulations help organizations see where their plans hold strong and where they need improvement. That latter often proves to be in communications and the flow of information among different stakeholders. “The flow of information creates a lot of stress in an organization,” says Powers. “People are eager to receive information and they are eager to provide information.” Time and again, cyberexercises prove there is no portal for information flow and, in fact, it creeps out in all directions.

That’s a sentiment echoed by HITRUST’s Nutkis, who says a big lesson learned during CyberRX was that communication faltered. Organizations struggle with a security incident and sometimes don’t respond right away, he says. The takeaway, he says, is that simulations help them understand how to funnel through information.

They also serve to raise awareness, a factor that cybersecurity pros say is the first and strongest line of defense against attack. In the same vein as New York’s post 9/11 mantra, “See Something, Say Something,” if employees know what to look for and understand their responsibilities when an event occurs, they can catch it before it does too much damage. That adds up to boosting an organization’s – and the country’s – cyberresilience, a goal advocated by both the Department of Homeland Security (DHS) and private sector cybersecurity
The art of war games
While there’s no downside to conducting
wargames, Hall warns that organizations
can’t slap an event together and expect to
get the needed results. “Exercises need
to be organized and need to be close in
reality to an [actual] event,” she says.
According to Sharon Wallis, a
member of the Sector Resilience Team
at Bank of England, which organized
the widescale Market-wide Exercise
Programme (MWE), as well as smallerscale, more targeted Waking Shark
simulation events, large exercises require
extensive preparation. For example,
the 2011 Market-wide Exercise took 12
months to plan with 87 firms participating, she says.
Start with clear objectives. Understanding and clarifying objectives before the
games begin will ensure that participants
will glean the information they need to
strengthen their cybersecurity muscle.
Establish a steering committee to solicit
contributions from all stakeholders to
create an objective set of goals that can
serve as a neutral set of metrics to gauge
how an organization is doing when it
comes to cybersecurity and how well it
performs in a cyberattack simulation.
Be inclusive. When it comes to
cybergames, the who is as important as
the what. “The biggest challenge is really
getting a good cross-section of stakeholders and [determining] how you scale it,”
says HHS’s Hall.
“Stakeholders should include what’s
unique to company, not just IT,” she says.
Participants should representative every
department that a cyberattack might
effect, which, in reality, is practically all
of them, including legal, IT, security,
human resources, compliance, executive
management and public affairs.
Anyone who thinks those last two
aren’t as critical as the others, has to
look no further than Target to see that,
increasingly, at least partial responsibility for security misfires is being placed
on executives – and boards of directors.
The retailer’s CIO and CEO stepped
down after its stunning breach it was
called out by at least one shareholder
and an independent group.
Organizations, too, must ensure that
participants chosen for a simulation aren’t
just stand-ins for the real players during
a cyberattack. “They need to send people
who would be responsible – they’d be
Don’t do it!
All the hard work and planning that goes
into a cyber attack simulation event can be
overshadowed in a heartbeat by a few missteps. Here’s what not to do.
Don’t…grade performance. “Never
advertise it as pass or fail,” says Bank of
England’s Sharon Wallis. “It’s about having
collective learning” and gathering data used
to improve preparedness and resilience.
Don’t…shortchange communications. As Sara Hall from HHS points out,
being able to defend against threats more
efficiently in the real world requires stellar
communications among stakeholders. So
it’s easy to understand why information flow
is critical during simulation exercises.
[the ones] pulled away if there was a real
emergency, too,” says Hall.
Remember all organizations – and
all departments – are not created equal.
“There are hundreds of organizations,
and they vary in maturity,” says Nutkis,
about the health care industry. War
games should be designed to target
organizations of different sizes and
types, including “an ample number of
scenarios,” he says.
Those scenarios should be challenging
enough that they engage the players and
offer clear benefits. Organizations have
made it clear that they need management
challenges, says Wallis.
Sector-specific, targeted exercises can
yield more specific results and recommendations. While the MWEs helped to
improve the sector response framework
– e.g., communication, coordination
and information-sharing arrangements
– organizers found a need for a more
targeted approach with a suite of options
(desktops, simulations and testing) to help
deliver greater assurance of the financial
system’s resilience, she says.
The new strategy, then, has been a
“shift in focus from the large set-piece
exercises every two years to smaller, more
targeted exercises led by the sector to
Don’t…skimp on planning. It may
take a long time to put together a simulation
event, but it is worth it if the exercises that
truly assess cyber readiness and identify
holes that need to be plugged BEFORE a
cyber attack hits, says Wallis.
Don’t…limit exercises to 9 to 5
staff. Companies operate 24/7 these days
– and cybercriminals most certainly do.
“Make sure you plan simulation exercises
for all shifts,” advises Hall.
Don’t…make simulation a oneshot deal. One of the best ways to make
sure recommendations implemented after
a simulation event work, is to test them
during the next event. The MWE and Waking
Shark initiatives have evolved into a “rolling
program of themes and exercises used to
feed into the next exercise.”
assess impacts and resilience capabilities,”
Wallis explains. “Testing involves putting
plans and procedures into practice as a
means of validating and gaining assurances that they work as anticipated.”
For example, Investment Banks
organized the Waking Shark II cyber
exercise “in response to the continued
evolution of cyberthreats against the
U.K.,” she says.
The targeted approach requires less
planning and can keep a simulation
program more fluid. The annual MWE
initiative took about a year to plan and
by the time the exercises were completed
and the results amassed and reported, it
was time to plan the next one.
Improve communications. Since
information flow is typically a sticking
point in most organizations, it’s critical to
bolster the underlying communications
infrastructure, establishing a pecking
order and reporting framework, complete
with triggers that alert participants to
pass information along, get in touch with
a superior or even speak to the press.
“They’re siloed and have no experience
making decisions in an ambiguous
situation,” says Ed Powers, national
managing partner of Deloitte & Touche’s
Cyber Risk Services practice. Exercises
with a communications component can
remove the ambiguity and open channels
for information flow.
Put the results in action. Simulated
attacks are an exercise in futility if
recommendations based on the results
aren’t heeded and applied. By incorporating them into a cybersecurity strategy,
companies can test them during the next
simulation event to see if the fixes work
and hold up under fire.
Done right, cyberattack simulations
can help organizations and industries
stay, if not a step ahead, then on top of
cyberthreats and build a resilience, or
what Wallis recalled hearing defined
in the simplest terms as “the ability to
withstand shock.”
And “war-gaming is more interesting
than sitting at a desk,” says Powers. Now,
who wants to play?
• November 2014 • SC 23
Risk management
Canadian insurance
firms are left to
manage their
internal cybersecurity
voluntarily. Danny
Bradbury reports.
The insurance industry in Canada
is likely to focus more heavily on
cybersecurity in the next few years,
say experts – both internally, and as a
potential insurance product.
Financial regulators may scrutinise
companies’ cybersecurity efforts more
intensely in the future, as high-profile
incidents raise awareness, says Koker
Christensen, co-chair of the financial
institutions group with law firm Fasken Martineau.
Speaking at the National Insurance
Conference of Canada (NICC) in
September, Christensen said that
regulators were already aware of the
cybersecurity issue. They may become
more acutely interested in cyberthreats
following such incidents as the theft of
nude celebrity photos via Apple’s iCloud
service, he added.
In Canada, insurance companies
are regulated by the Office of the
Superintendent of Financial Institutions
(OSFI), which covers 239 life, property
and casualty insurance firms, along with
14 fraternal benefit societies. It also
handles trust companies, loan firms and
banks, among others.
“Depending where the OSFI goes
with this, you might see it looking at
the practices of different insurers and
exploring what they think is appropriate
and improvement,” Christensen said.
“So we may see increased scrutiny.”
The OSFI says that it’s already on top
of the cybersecurity risk for financial
firms including insurers.
Cyber risk became a priority for the
OSFI in 2012, according to a spokesperson for the regulator. The following year,
the organization published a voluntary
set of self-assessment guidelines for
federally regulated financial institutions
to assess their own cybersecurity stance.
The assessment is broken into six
main areas. It covers organisation
and resources, cyber risk and control
assessment, situational awareness, threat
and vulnerability risk management,
cybersecurity incident management and
cybersecurity governance.
But essentially, the document stands
in place of legislation. As voluntary
documents, they can be ignored. The
bottom line seems to be that insurance
companies should be self-policing.
Conversely, the regulation of cybersecurity among financial institutions is more aggressive in the
U.S. The Federal Financial Institutions
Examination Council (FFIEC) launched
a cybersecurity assessment program
that will be carried out by institutional
examiners, rather than left to companies
to handle voluntarily.
In May 2013, Andrew Cuomo, the
governor of New York, launched an
inquiry into cyberthreats at large
insurance companies, sending 308 letters
to insurance firms and quizzing them
about their cybersecurity protection.
But Canadian insurers seem content
to handle it themselves. Brent Mizzen,
director of policy development for the
Canadian Life and Health Insurance
Association, says that life insurance
companies are looking after their own
cybersecurity adequately.
“From an industry perspective, it’s a
priority, and I would say the industry has
taken a number of steps towards making
sure that they’re current in terms of best
practice and risk mitigation,” he says.
Insurance companies are focused on
collaborating with each other and with
government, he adds. They reach out not
just to the OSFI, but other branches of
the federal government.
However, a recent KPMG report says that cyber risk may not be as high a priority for insurers as Mizzen thinks. Cybersecurity ranked
seventh on the list of risks for insurers.
Insurers were more concerned about
demographic changes, low interest rates
and regulatory burdens, it found. The
authors were “surprised” that cyber
risk didn’t resonate as much as they had
thought, especially given the extensive
information that they collect.
If Canada’s insurers seem sanguine
when it comes to cyber risk, the same
could be said for their customers.
Anecdotal evidence suggests that a lack
of concern among Canadian companies
has affected insurers’ ability to sell them
cyber risk insurance.
Cyber liability insurance is typically sold
as a standalone policy or an endorsement.
When coverage is offered through
endorsements, it can be attached to an
errors and omission policy or existing
commercial general liability policies.
This kind of insurance is an evolving
product, says Steve Kee, a spokesperson
for the Insurance Bureau of Canada.
“Cyber insurance has been around for
more than 10 years, but it is only within
the last few years that more policies have
come to market, increasing coverage
and capacity,” he says. “Cyber insurance
continues to evolve as more businesses and
public sector organizations are realizing
that it should form a key component of
their cyber breach response plan.”
Michael Petersen is managing director
and national leader for the communications, media and technology practice
at Marsh Canada, a North American
insurance broker that connects business
customers to insurance providers.
His company saw a 21 percent rise in demand for cyber risk insurance in its 2012-13 poll of North American businesses. That hides a pronounced apathy north of the border, though.
“What we found is that Marsh Canada
clients in the U.S. were more interested
in exploring cyber risk management
solutions,” said Petersen. “The takeup
for the purchase of cyberinsurance is
ahead of what it is in Canada.”
This disparity has been broadly driven
by two things, he suggests. The first is
the prevalence of large-scale security
events in the U.S. Home Depot and
Target may have lost Canadian customer
details too, but they were U.S. retailers,
targeted on U.S. soil.
The other driver for cyber risk
insurance in the U.S. is regulatory. With
47 states now requiring mandatory
data breach reporting, companies are
under a lot more financial pressure
when a breach occurs that affects their
customers’ privacy.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) has never included any data breach notification requirements. This has dampened the demand for cyberinsurance in the Canadian market, says Gregory Eskins, senior VP and cyber practice leader at Marsh Canada.
“Because of the immediate tangible financial consequences after a cyber risk, and the easy way to transfer that risk, the takeup has been much quicker in the U.S. than in Canada because of the lack of a prescriptive framework,” he says.
The only data breach protection law historically has been in Alberta, where provincial legislation has required companies to inform the Commissioner of a breach, and where the Commissioner can then force notification of affected
More recently, Manitoba has passed private sector privacy legislation that forces companies to notify individuals if there is a real danger of significant harm.
Now, the Digital Privacy Act could change things still further. It would amend PIPEDA to force any organisation suffering a privacy breach to notify the Commissioner and affected individuals.
Will the appetite for cyber risk insurance grow should this bill make it into law? “Unequivocally yes,” says Petersen. “You’ll see what we had in the U.S., which is a clear financial risk for
The financial cost associated with mitigating a public data breach is tangible, and companies will be looking for ways to offload that risk, he says.
For now, though, the regulation of cybersecurity among insurers – and the market for them to sell cyber risk insurance themselves – are both relatively soft compared to the U.S. As the legal landscape changes north of the border, it will be interesting to monitor for changes there.
Koker Christensen, co-chair, Fasken Martineau
Gregory Eskins, SVP and cyber practice leader, Marsh Canada
Steve Kee, spokesperson, Insurance Bureau of Canada
Brent Mizzen, director of policy development, Canadian Life and Health Insurance Association
Michael Petersen, managing director and national leader, communications, media and technology practice, Marsh Canada
Wearable computing
Wearable devices
efficiently monitor
user activity, but also
open new targets for
malware authors,
reports Alan Earls.
Mel Gibson had it easy. The star
of the Mad Max cult movie
series could at least see his
enemies approaching, so knew
just what to do to keep them at
For today’s road warriors – no longer armed merely
with a laptop but also with mobile phones, tablets
and a growing array of personal “smart” technology
– the threats can sometimes be harder to detect and
anticipate and often impossible to completely fend off.
Indeed, experts paint a grim picture of potentially
expanding vulnerabilities. Of course, in truth, we’ve
seen this movie before in the form of the learning
curve provided by personal computers and the early
years of the internet. We are all older – and potentially at least, wiser.
One element of the threat is simply volume. As TJ
Keitt, a senior analyst at Forrester Research, points
out, the more locations from which an individual
works, the higher the rate at which they use multiple
devices. “Someone who is deskbound
doesn’t use the technology at the
same rate as someone who works
from three or four locations,” he
says. “As they shift context, they try
to use the device that best conforms
with their needs in that situation.”
In addition, Keitt notes,
personal technology devices –
such as those from Fitbit (activity
trackers, wireless-enabled wearable
devices that measure data) – have the
potential to further complicate the challenges
of staying secure. For the moment, though, Keitt says
most of those technologies are “connected” but not
yet too intelligent. So, hacking them is not yet likely to
prove rewarding to the bad actors.
However, even with the existing spectrum of
intelligent devices – phones, tablets and laptops –
there’s plenty to keep security pros busy. “Individuals care about secure practices up to a point, but
that concern is often sublimated to concerns about
accessibility and convenience,” says Keitt. Thus, if a
business cares about keeping apps and data secure, it
is up to them to do the work. Individuals won’t.
Michael Finneran, principal of dBrn Associates, a
Hewlett Neck, N.Y.-based advisory firm specializing
in wireless and mobility, says for organizations with
a mobile workforce, the greatest security concerns
relate to the increased vulnerability they cause for
corporate data and systems. In his view, organizations
need to first define their objectives (e.g., increased
employee productivity and satisfaction, alleviating the carbon footprint, allowing work flexibility
for families, etc.) and then identify what platforms
they will support. Then they need to delineate the
potential threats and design protection measures for
each of them on all supported platforms. “That can
be VPNs, SSL, secure RTP for voice, MDM systems
for mobile operating systems, and anti-virus – the
whole nine yards,” he says.
Ongoing monitoring
As a first step, says Finneran, organizations should
develop a strategy for telecommuting that defines
who can participate, how often they must come into
the office, how they will keep in sync with co-workers
and managers, and what kind of equipment and work
environment should be required. “As part of that, the
security plan should be developed and there should
be ongoing monitoring and assessment as part of the
program,” he says.
Like Keitt, Finneran dismisses the
immediate threat from wearables.
However, Tyler Shields, Forrester’s
senior analyst for mobile and
application security, says that those
new technologies, also referred to as the Internet of Things (IoT), are
complicating the challenges for
“Wearables are mobile devices in
many ways but they are more embedded
and are changing the threat landscape,”
Shields explains. Plus, he says, not much consideration for security has gone into the manufacturing of IoT devices and their software. “Within the IoT of
embedded devices, protocols are mostly wide open
and all of a sudden security is a real issue. In effect we
are taking steps backwards so people can relearn the
lessons of the past,” he says.
And, Shields suspects that road warriors will be
among those to quickly adopt wearable technology.
Echoing Keitt, Shields says not all IoT/wearable
technology will pose a threat. The targets will be
some devices – such as wristbands that automatically
authenticate the user to other devices – because those
attacks can be monetized.
However, the security industry is paying attention.
Shields says IoT vulnerabilities have already been
a big topic at Black Hat, an annual gathering for
information security pros. “IT has gone
through the necessary thinking but
the people involved with IoT haven’t
experienced the software exploits of
the past,” he says. Still, those lessons are
accessible. When combined with some
of the “hype” about IoT vulnerabilities, Shields believes the organizations
creating the IoT will come up to speed
quickly. “Now it is mostly a matter of
educating them about secure processes
and secure design,” he says.
Still, the overall picture for mobile
security remains worrisome. “We face a
clear growth in malware, and operating
system flaws will continue to be a
problem,” Shields says. On the other
hand, he notes improved MDM capabilities and stronger products from secure
network gateway vendors as plusses.
Of course, technology is only part of
the picture. How and where technology
is used is just as important. Darren
Hayes, assistant professor and director
of cybersecurity at Pace University,
says while the Snowden revelations
have heightened awareness of U.S.
government spying, it is by no means
occurring just within these borders.
France and Spain are active in phone
surveillance and even tracking visitors’
highway travel. He points out that many
vulnerabilities, including some of the
biggest, are connected to governments or
government-sponsored hackers. “When you travel to a country like China or Russia, very likely the quick inspection of your laptop or phone conducted at the airport is actually an imaging of the device using special hardware,” he says.
Some hardware should also be suspect, including computer and telecommunication products manufactured in China, most likely with the complicity of the People’s Liberation Army. “Most western governments won’t use Lenovo laptops, for example, and they may be right,” says Hayes. Another similar peril potentially afflicting users, mobile or not, is the use of free anti-virus software. For example, Hayes says the free version of Kaspersky should be adopted with caution because “there is reason to believe the company is backed by the Russian government,” he says.
Finally, there are now known vulnerabilities with devices, such as Cisco routers, and with certain encryption algorithms. Another persistent issue is Heartbleed – the security bug in the OpenSSL cryptography library, which still has a wide impact.
Although Hayes does not yet see threat vectors involving wearable technologies, he does see Bluetooth as a continuing source of concern and says it should be a point of focus for security efforts. “Bluetooth 4.0 allows you to be monitored by beacons that are used for commercial purposes, for example by retailers to offer special deals. However, that can also be used to track the movement of people,” he explains.
Steps to take
Hayes says there are some specific steps organizations can take now to protect themselves and their mobile workers. One of them is adopting Pretty Good Privacy (PGP) data encryption and decryption software to provide cryptographic privacy and authentication for data communication – or the similar GNU Privacy Guard (GPG), a free version of the standard. It may not solve all of the road warrior problems but it is a good start, he notes.
Additionally, Hayes suggests adopting some of the secure tools increasingly adopted by journalists, including SecureDrop, an open-source software platform for secure communication originally designed and developed by Aaron Swartz and Kevin Poulsen under the name
Bluetooth, however, remains problematic. Hayes recommends that organizations encourage people to disable Bluetooth and never use “free” anything. USBs handed out at tradeshows often contain problematic programs if not actual malware.
So, though today’s mobile worker may not face as harsh adversaries as did Mel Gibson in those Mad Max movies – the second of which was titled Road Warrior, by the way – the risks are certainly less grisly but can have devastating effects to the employee on their offsite gadget and the company whose data is being transmitted or, possibly, siphoned away.
“I don’t even trust some of the supposedly legitimate free apps because they can also make use of your machine in ways you don’t expect,” says Hayes. “Any company that claims to be concerned about a secure infrastructure has to pay attention to these issues if it is going to protect its business travelers.”
Some worrisome facts
What apps are tracking:
• 82% read your device ID
• 64% know your wireless carrier
• 59% track last known location
• 55% continuously track location
• 26% know your SIM card number
• 80% collect location
Source: McAfee mobile security report, February 2014
This article originally appeared in the Road Warrior Spotlight edition of SC Magazine.
Apple’s iPhone 6 and iOS 8 offer encryption for
mobile users, but a focus on consumers can
create security conundrums, reports Lee Sustar.
Can the world’s preeminent consumer electronics company offer
ease of use for a proliferation of
apps and mobile wallets while offering
enterprise-grade security – all on the
same mobile device?
That’s the question hanging over
Apple in the wake of an embarrassing
breach of its iCloud service that saw
celebrity photos leak on the eve of an
important event: the much ballyhooed
release of iPhone 6 and iOS 8. The new
phone models and OS upgrade provide
powerful new encryption capabilities to frustrate hackers while the
newly announced Apple Pay promises
in-person transactions without exposing
customers’ credit-card information to
Apple blamed the iCloud breach on
weak user passwords – a “very lame
claim,” says Juanita Koilpillai, CEO of
Waverley Labs, a Virginia-based data
security consulting group. “Of course it
was their problem,” she says. “Regardless
of the password, all data at rest should
be encrypted so that only the device
accessing it can decrypt the photographs.
Why not have the most stringent security
settings out of the box?”
In the wake of the photo breach,
Apple placed limits on iCloud login
attempts and now notifies users of
any changes to their account. Yet,
according to a range of data security
industry figures, Apple’s security
challenge isn’t its technology. “Apple
devices are already, without question,
the most secure on the market,” says
Rich Mogull, analyst and CEO at the
Phoenix-based research firm Securosis.
Rather, the underlying problem is
the inherent difficulty of safeguarding
enterprise or government data on mobile
devices that individual users control,
if not own, says Andrew Plato, CEO of
Anitian, an Oregon-based data security
firm. “It’s pretty difficult to get stuff off
of – and inject malware onto – an Apple
platform,” he says. “And that keeps
them in high regard among security
people.” The problem, he adds, is that • November 2014 • SC 27
Apple technology
security pros have little choice but to
tremendously,” he says. But in the
trust the claims of Apple’s engineers.
enterprise world, where centralized
“Apple’s biggest problem from a security
monitoring of mobile devices is often
standpoint is the ‘I don’t know what I
considered essential for security,
don’t know’ problem. We don’t know
“sandboxing” creates limitations.
what they do.”
“There is no [enterprise] application
Apple, at least in general terms, has
that can understand what’s running on
set out its approach to the security of its
your phone, or stop an app,” he says.
iPhone 6 and iOS 8. It includes, among
Richard Moulds, vice president for
other elements, system security with
product strategy at Thales eSecurity,
secure boot chain with cryptographia global provider of data protection
cally signed components; Secure
solutions with U.S. headquarters in
Enclave, a coprocessor
Plantation, Fla., speculates
fabricated in Apple’s
that Apple could open
A7 processor (and later
the way for more secure
versions) that provides all
iOS enterprise apps by
cryptographic operations
allowing third parties
for data protection key
greater access to the
management; Touch ID,
iPhone 6, but adds
the fingerprint-reader that
that such a move could
allows quick user access
create new problems.
when complex passcodes
“Developers are desperate
are in place; a dedicated
to take advantage of the
AES 256 crypto engine
security properties of the
Kayvan Alikhani, senior director of
technology, RSA
between flash storage
latest iPhone, but if in
and main memory for file
doing so the basic security
encryption; unique IDs cryptographicalproperties of the phone are weakened,
ly tied to the device; and data protection
there might only be a limited net benefit
for flash memory. The protection for its
to the enterprise,” he says.
apps begins with strict iOS developer
For now, Apple supports a range
program to ensure that each app is
of mobile device management
signed and verified. All iOS apps are
(MDM) services directly and through
“sandboxed” – that is, blocked from
third-party developers that enable
accessing data used by other apps and
IT managers and security pros to
prevented from modifying the device.
enroll devices and track unauthorized
The “sandbox” strategy may boost
usage and apps while offering privacy
iOS security, but it’s a constraint for
protections to users – capabilities that
developers of corporate apps that need
should avoid the kind of debacle seen in
to communicate with one another, says,
the Los Angeles Unified School District
Kayvan Alikhani, senior director of
in 2013, when students simply removed
technology at RSA. “The actual security
MDM profiles on their district-owned
model for the app itself – if it doesn’t
iPads to be able to surf the web and
need to talk to anybody – has been
download unauthorized apps.
greatly improved and strengthened
Yet, even with improved MDM
Apple needed a mobile
payment story.”
– Avivah Litan, distinguished analyst, Gartner
28 SC • November 2014 •
from Apple and third-party providers,
there’s an inherent difficulty in securing
devices that are owned or controlled
by employees who must also use them
for applications handling sensitive
enterprise data, says John Pironti, a
consultant for ISACA and president
of IP Architects, a management and
technical consulting services firm.
“Instead of trying to surround them
with so many controls and capabilities,
what we have to do is find a way to say
‘yes,’” he says, adding that rather than
take an all-or-nothing approach, IT
managers and data security professionals should move forward on the basis of
a threat and vulnerability analysis.
For example, those responsible for
enterprise MDM can build on Apple’s
technology as well as third-party solutions
to assess risk from mobile devices
through biometric authentication systems,
like Touch ID, as well as geofencing, says
John Gunn, vice president of corporate
communications for VASCO Data
Security, a Chicago-based company
specializing in authentication. “It isn’t
‘yes’ or ‘no,’” he says. “You come in to the
network with a risk score.”
Enterprise choice?
In fact, Apple’s latest iPhone and iOS increasingly provide the tools to support such an approach, according to Michael Sutton, vice president of security research of Zscaler, a San Jose, Calif.-based secure cloud provider. “Apple has an opportunity to be the platform of choice for enterprises wishing to make standard security policies for BYOD devices,” he says.
But, being the preferred platform in large companies and government isn’t the same as being the only one, as those responsible for MDM and security in BYOD environments will still have to grapple with multiple technologies, contends Kim Ellery, product marketing manager at Absolute Software, a German-headquartered company focused on endpoint security for mobile computing (Ellery is based in Vancouver, British Columbia, Canada). “The very trend that brought Apple to the enterprise continues to feed the ecosystem with different device types of operating systems,” he says.
Such flux and uncertainty created by BYOD has led one company, Securonix, to conclude that centralized ownership and control of enterprise iOS devices is essential. “For now, the key strategy to support iOS devices is to ensure that organizations own the devices and all content of these devices including all the apps installed on the devices,” says Tanuj Gulati, chief technology officer for the Los Angeles-based provider of security intelligence solutions.
Kayvan Alikhani, senior director of technology, RSA
Kim Ellery, product marketing manager, Absolute Software
Tanuj Gulati, CTO, Securonix
John Gunn, VP of corporate communications, VASCO Data Security
Juanita Koilpillai, CEO, Waverley Labs
Avivah Litan, VP and distinguished analyst, Gartner
Rich Mogull, analyst/CEO, Securosis
Richard Moulds, VP for product strategy, Thales eSecurity
Suni Munshani, CEO, Protegrity
John Pironti, consultant, ISACA; president, IP Architects
Andrew Plato, CEO, Anitian
Michael Sutton, VP of security research, Zscaler
Randy Vanderhoof, executive director, Smart Card Alliance
Apple Pay
While the infosec industry and enterprise IT managers debate how to deploy the iPhone 6’s cryptographic upgrades and the iOS 8’s security advances, leading retailers, banks and credit card companies are embracing Apple Pay, an iPhone mobile wallet that combines near-field communications (NFC) technology with data tokenization that replaces credit card information with tokens that are useless to hackers.
While promoted by Apple CEO Tim Cook as a way to make consumer purchases easier, Apple Pay may be more attractive to retailers like Target, Home Depot and others that have been hammered by massive breaches of credit card data over the past few years. That’s owing to the advances brought to the market by the system’s use of tokens, which promises to greatly reduce the risk of having credit card data pilfered through malware attacks at point-of-sale.
“That by itself was a major step forward for mobile payments security,” says Randy Vanderhoof, executive director of the Smart Card Alliance, a nonprofit industry association. By keeping security in the iPhone, using tokens and using Touch ID for purchases, Apple Pay has “three levels of authentication versus everyone else dealing with one or two,” he says.
Apple Pay also gives a fillip to industry players who’ve been advocating for years that tokenization is the best way to protect consumer information. “What Apple is validating is a fundamental thesis that the idea of credit card data and other personally identifiable information being handed over [at the point of sale] is careless and frivolous and needs to stop,” says Suni Munshani, CEO of Protegrity, the Connecticut-based developer of tokenization and encryption solutions.
With EMV-technology credit cards embedded with microchips set to roll out over the next few years, merchants already obliged to upgrade point-of-sale terminals are likely to deploy tokenization in any case. The EMV rollout and the launch of Apple Pay will be “hugely complementary,” Munshani says.
Another plus for Apple Pay is that it reduces the scope of compliance to the Payment Card Industry Data Security Standard (PCI DSS) – a payment card standard created by industry players, says Avivah Litan, VP and distinguished analyst at Gartner. Because credit card data will be tokenized, many of the requirements of PCI will be moot.
Moreover, Apple Pay will be a boon to the credit card companies MasterCard and Visa, which apparently convinced Apple to implement precisely the same type of tokenization technology that will be used in the EMV cards, Litan said. Thus the new terminals built to read EMV cards will have NFC capabilities that will allow users to pay with an iPhone instead.
The two credit card giants are trying to keep their virtual monopoly on the payment network, Litan says. “Apple needed a mobile payment story,” she says. “The company thought it needed the banks on its side. It was a smart move on Apple’s part. It was probably the best move they could make.”
Case study
When a care provider supplied
laptops to its roving employees,
it added a security solution to
enable efficient collaboration.
Greg Masters reports.
There’s no arguing with the fact that new technology has
enabled workers on the go to perform many of their tasks
with efficiency and convenience. However, while most likely
are little concerned that their communications are at risk of being
intercepted, those charged with protecting enterprise information certainly are. In the health care field, owing to
federal laws regulating the exchange of personal
information, this is of particular concern.
Comfort Care Services (CCS)
provides supported housing
and rehabilitation services for
vulnerable adults with enduring
mental illness, learning disabilities, substance/alcohol misuse and
other complex needs. Headquartered in Slough, England, the
firm distributes services to more
than 55 sites across the U.K. It
also works with over 19 local and
regional authorities.
Due to the organization’s disparate
geographical locations, the majority of its
employees are remote workers and make multiple visits to clients each
week. In order to streamline the process of creating, editing and sharing
the documents its staff creates during these house visits, the specialist care
organization issued laptops to about 250 of its mobile staff.
The laptops were configured with virtual desktops that didn’t permit
document interchange outside of CCS’s virtual desktop infrastructure (VDI)
environment. Interchange was limited to a few select staff who acted as a security filter and gatekeeper for data.

However, while this security worked well for documents produced and shared within the company network and using company-supplied devices, CCS management was concerned about the potential risks associated with case documents being produced outside the company network using standalone and personal devices.

CCS has 350 employees. There are two core IT staff who are supported by an outsourced partner. “We take the view that our core competence and focus is to deliver first-class social care, and as such we should partner with companies whose core competence and focus lies in IT,” says Gee Bafhtiar, operations director at Comfort Care Services.

Indeed, following deployment of the company-supplied laptops, management started getting feedback from employees that they found them cumbersome, intrusive and intimidating for use with service users. It was reported that partners often found them to be a distraction when its employees were taking case notes or entering data about care plans. In addition, employees found that having a blanket policy that prevented data interchange with parties outside its VDI network, unless through select employees, was frustrating, which led to a dip in productivity. As a result, 30 percent of the laptops deployed were under-utilized.

When management investigated the problem, it became clear that employees preferred using familiar hardware, and in particular their own devices, with document-specific security settings that enabled cross-network collaboration, all within a secure environment.

The challenge became finding a way to promote the use of IT-sanctioned applications to ensure uniformly secure data at a document level while enabling staff productivity and cross-network collaboration through device familiarity – without a significant reinvestment in hardware and security software. CCS also needed it to support a rapidly growing environment. “Our biggest challenge was to preemptively take control of information exchange, while accommodating staff’s preferences for mobile collaboration,” he says. “We knew we needed to deploy a secure file-sharing alternative that was easy to use but gave us full auditability over who accessed files and what changes had been made to different versions of [a document].”

Addressing CCS’s existing collaboration structure was essential in order to help geographically dispersed teams work together more effectively, he says. Most staff members said they would be more comfortable using their own devices for work, and Bafhtiar realized that, without formally allowing BYOD, the company as a whole would inadvertently promote work-arounds and wouldn’t achieve productivity gains. Yet allowing the use of consumer-grade file-sharing services didn’t allow for secure, real-time [collaboration].

Additionally, as is typical with all organizations in the health care sector, CCS needed to ensure that confidential information was kept secure. “The files that our employees develop, collaborate on and share are care plans and case notes and they often need to share them with external parties,” says Bafhtiar. “For instance, there are times [...]”

[Photo caption: Solid collaboration – Gee Bafhtiar, operations director, Comfort Care Services, and Anthony Foy, CEO, Workshare]

The search begins

Bafhtiar heads up the IT department at Comfort Care. Together with outsourced IT partners, he began a search for a solution. They looked at several offerings for collaboration and file-sharing but – as the firm wanted to enable BYOD for users and IT alike – none provided the granular control CCS needed at the time. “From my perspective, it was a matter of finding a solution that would best meet our employees’ preferences and work habits, while also accommodating our security requirements,” Bafhtiar says.

The search uncovered a solution from San Francisco-based Workshare. “Only Workshare provided this capability,” says Bafhtiar. “The easy-to-use interface and extensive collaboration features were similar to consumer-grade applications, but its robust security functionality made it ideal for the enterprise.”

Part of the selection process involved a review, and Bafhtiar’s IT [team ran] a small proof of concept, which impressed the team, particularly with the support it received. “We rolled out the application to our employees and within a two-week period they were able to self-provision and learn how to use the applications themselves, which was a significant advantage. We were amazed with how quickly our staff took to the new software solution.”

Workshare is a secure file-sharing, synchronization and collaboration application that enables efficient collaboration on high-value content and
protects against unauthorized content disclosure, says the company’s CEO Anthony Foy. “Workshare enables workers to securely access files whether they are online, at their desktop or on the road on their iPad or any mobile device. It supports multiple file types and is available on any browser-enabled device.”

The solution identifies metadata, such as tracked changes and hidden comments, and tables in Excel, PowerPoint, PDFs and Word, eliminating the risk of inadvertently exposing sensitive information, says Foy. Integrating with clients’ email infrastructure, Workshare can clean email attachments in a single click, or set a policy to do it automatically based on criteria like the appearance of sensitive information, credit card numbers or the word “confidential” appearing in the body of the document.
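Foy’s description of metadata cleaning rests on how an Office file is built: a .docx is a zip archive in which tracked changes (w:ins, w:del), hidden text (a run with w:vanish) and reviewer comments (word/comments.xml) are ordinary XML that the reader never sees on screen but a recipient can open. The Python below is added here as an illustration and is not Workshare’s code. It builds a constructed sample document containing each of those carriers, counts them, and writes a cleaned copy in which insertions are accepted, deletions and hidden runs are dropped and the comments part is removed. The sample text, the author name and the set of parts inspected are assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace shared by every .docx part that carries document text.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
ET.register_namespace("w", W_NS)


def build_sample_docx():
    """Constructed sample: the two .docx parts the scanner looks at, holding a tracked
    insertion, a tracked deletion, a hidden run and a reviewer comment (author 'gb' is made up)."""
    body = (
        '<w:p>'
        '<w:r><w:t xml:space="preserve">Care plan for </w:t></w:r>'
        '<w:ins w:id="1" w:author="gb"><w:r><w:t>A. Smith</w:t></w:r></w:ins>'
        '<w:del w:id="2" w:author="gb"><w:r><w:delText>J. Doe</w:delText></w:r></w:del>'
        '<w:r><w:rPr><w:vanish/></w:rPr>'
        '<w:t xml:space="preserve"> [internal: do not share with family]</w:t></w:r>'
        '<w:commentRangeStart w:id="0"/>'
        '<w:r><w:t xml:space="preserve">. Review date 2014-11-01.</w:t></w:r>'
        '<w:commentRangeEnd w:id="0"/>'
        '<w:r><w:commentReference w:id="0"/></w:r>'
        '</w:p>'
    )
    document = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)
    comments = ('<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="gb">'
                '<w:p><w:r><w:t>check with the GP first</w:t></w:r></w:p>'
                '</w:comment></w:comments>' % W_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def scan_docx(data):
    """Count the hidden-metadata carriers in a .docx: tracked changes, hidden text, comments."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
        comments = 0
        if "word/comments.xml" in z.namelist():
            comments = len(ET.fromstring(z.read("word/comments.xml")).findall(W + "comment"))
    return {
        "tracked_insertions": len(root.findall(".//" + W + "ins")),
        "tracked_deletions": len(root.findall(".//" + W + "del")),
        "hidden_runs": len(root.findall(".//" + W + "r/" + W + "rPr/" + W + "vanish")),
        "comments": comments,
    }


def document_text(data):
    """Every text run in document.xml, including runs Word hides: what a naive extractor sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(W + "t"))


def clean_docx(data):
    """Accept tracked insertions, drop deletions, hidden runs and comments; return a new .docx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        entries = {name: z.read(name) for name in z.namelist()}
    root = ET.fromstring(entries["word/document.xml"])

    def parent_map():
        return {child: parent for parent in root.iter() for child in parent}

    pmap = parent_map()
    for ins in root.findall(".//" + W + "ins"):      # unwrap: inserted runs become plain runs
        parent = pmap[ins]
        idx = list(parent).index(ins)
        for child in list(ins):
            parent.insert(idx, child)
            idx += 1
        parent.remove(ins)
    pmap = parent_map()                                # tree changed above; rebuild
    doomed = []
    for tag in ("del", "commentRangeStart", "commentRangeEnd", "commentReference"):
        doomed.extend(root.findall(".//" + W + tag))
    for run in root.findall(".//" + W + "r"):          # hidden text is a run with w:vanish
        if run.find(W + "rPr/" + W + "vanish") is not None:
            doomed.append(run)
    for el in doomed:
        pmap[el].remove(el)
    entries["word/document.xml"] = ET.tostring(root, encoding="UTF-8")
    entries.pop("word/comments.xml", None)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, blob in entries.items():
            z.writestr(name, blob)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", scan_docx(sample))
    print("after: ", scan_docx(clean_docx(sample)))
```

Two caveats a practitioner would add. First, a real document references comments.xml from word/_rels/document.xml.rels and [Content_Types].xml, and carries author and last-modified-by in docProps/core.xml, plus headers, footers and footnotes; a production cleaner handles all of those, not just the two parts above. Second, nothing here touches content that was never metadata: a client’s name typed into the body stays in the body, which is why the policy criteria Foy mentions (card numbers, the word “confidential”) have to be a separate check.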
“This cloud-enabled, centrally managed and policy-driven service means our IT department can maintain tight control of sensitive content and reduce data leakage concerns across all email users, from Outlook to webmail to mobile,” says Bafhtiar.

Users can even set policies to replace every email attachment with a PDF or a secure link to the document online, complete with user-defined permissions, Foy points out. Administrators can manage access to specific documents and define which employees can edit, comment, download or share content inside or outside the firewall. Additionally, users can request return receipts, require an authenticated login and set expiration dates for document access.
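The permissions, authenticated login and expiry dates described above are, mechanically, a set of claims bound to a link that the server can verify without trusting the client, plus server-side state for revocation and an audit trail of who did what and when. The Python below is an added illustration of that design, not Workshare’s implementation: an HMAC-signed share token carries document, recipient, permission level and expiry; the service verifies the MAC before reading anything inside the token, requires the presenting (authenticated) user to be the named recipient, checks expiry and revocation, and records every decision. The signing key, the view/comment/download ladder, the user names and the document identifiers are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the server's link-signing key. In production it lives in a
# secret store, never in source, and is rotated with a key id carried in the token.
SIGNING_KEY = b"example-only-link-signing-key"
# Assumed permission ladder, lowest to highest: each level implies the ones before it.
PERMISSIONS = ("view", "comment", "download")


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body, key):
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_link(doc_id, recipient, permission, ttl_seconds, now=None, key=SIGNING_KEY):
    """Mint a share token binding document, recipient, permission level and expiry under an HMAC."""
    if permission not in PERMISSIONS:
        raise ValueError("unknown permission %r" % permission)
    now = time.time() if now is None else now
    claims = {"doc": doc_id, "sub": recipient, "perm": permission, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return body + "." + _sign(body, key)


class ShareService:
    """Server side: verifies tokens, honours revocation and keeps the audit trail."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.revoked_docs = set()
        self.revoked_tokens = set()
        self.audit = []  # who tried which action on which document, when, and the outcome

    def revoke_document(self, doc_id):
        self.revoked_docs.add(doc_id)

    def revoke_token(self, token):
        self.revoked_tokens.add(token)

    def check(self, token, authenticated_user, action, now=None):
        """Return an outcome string; 'ok' means the action may proceed. Every call is logged."""
        now = time.time() if now is None else now
        outcome, claims = self._evaluate(token, authenticated_user, action, now)
        self.audit.append({"ts": int(now), "user": authenticated_user, "action": action,
                           "doc": claims["doc"] if claims else None, "result": outcome})
        return outcome

    def _evaluate(self, token, user, action, now):
        parts = token.split(".")
        if len(parts) != 2:
            return "malformed", None
        body, sig = parts
        # Verify the MAC before trusting anything inside the body.
        if not hmac.compare_digest(sig, _sign(body, self.key)):
            return "bad-signature", None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return "expired", claims
        if token in self.revoked_tokens or claims["doc"] in self.revoked_docs:
            return "revoked", claims
        if user != claims["sub"]:        # the link alone is not enough: login must match
            return "wrong-user", claims
        if action not in PERMISSIONS or PERMISSIONS.index(action) > PERMISSIONS.index(claims["perm"]):
            return "insufficient-permission", claims
        return "ok", claims


if __name__ == "__main__":
    svc = ShareService()
    tok = issue_link("careplan-0042", "gp@example.org", "comment", ttl_seconds=3600)
    print(svc.check(tok, "gp@example.org", "view"))
    print(svc.check(tok, "gp@example.org", "download"))
    print(svc.audit)
```

The order of checks matters: signature first, so an attacker cannot make the server parse attacker-controlled JSON; expiry and revocation before the user comparison, so the audit record explains why a legitimate recipient was refused; and the permission ladder last. Revocation needs server-side state (the two sets above) because a signed token is valid for as long as its signature is, which is exactly the property that makes “revoke access at any time” a database question, not a cryptographic one.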
“All transactions within the Workshare environment must be executed from the context of a personal, authenticated user account, while SSL encryption and application-layer security offers further security benefits,” says Foy. “Mobile device management ensures that devices are tamper-proof. If an incorrect password is entered three times into a lost or stolen device, access will be denied.”

Foy attests that Workshare has an unparalleled heritage in document-comparison technology and has been entrusted to protect sensitive documents in semi- and highly regulated sectors for 15 years. Further, he attests, when Workshare merged with SkyDox in 2012 to bring these capabilities to the cloud, it never lost sight of its commitment to secure collaboration. “With the continued adoption of BYOD strategies and the impact of consumerization of IT across all sectors, only Workshare offers organizations a tried and tested way of protecting documents outside of the corporate [...]”
The implementation of the Workshare solution has exceeded all of CCS’s expectations, Bafhtiar says, and he offers up the results to prove it. “When we deployed Workshare, I was excited to see our staff accessing and comparing documents with a click of a button, all within a tight and secure online environment. The role of our gatekeeper staff has largely become obsolete, allowing them to add value to service users as opposed to administration.”

No problem

As the Workshare application is cloud-based, clients don’t have to worry about updates, as they are provisioned and controlled by Workshare as a SaaS provider, says Workshare CEO Anthony Foy. “This means that they have access to the same technology and capabilities that multi-million dollar companies have, allowing them to keep ahead of the market at no extra cost.”

As a cloud-based application, Workshare reduces the total cost of IT overhead and infrastructure, says Gee Bafhtiar, operations director at Comfort Care Services. “This allows us to reinvest those funds into other areas of the organization and thus provide better service for our patients.”
CCS has enabled the Workshare sync and share features to allow specific staff to do this both online and offline, anywhere, at any time. “We’ve also seen that user productivity has improved since using Workshare,” says Bafhtiar. The amount of time needed to turn around documents has been reduced by as much as 50 percent, he says. “It’s always clear which document version is correct, and approval can be given with a click of a button.”

Another benefit is that CCS staff can provide feedback while on the move, says Bafhtiar. Historically, staff members were only able to use laptops, which meant that they were restricted to giving feedback only when connected to the internet. With Workshare’s mobile and desktop sync capabilities, authorized staff can make comments when they are offline and their feedback is automatically synced across devices as soon as they are online again. This process, he says, saves valuable time.
Compliance aid

As a health care organization in the U.K., CCS is subject to many compliance mandates, such as those within the Data Protection Act, which regulates personal data across all industries. It also deals with the National Health Service and local government authorities, which have their own codes of conduct enforcing stringent data controls, says Bafhtiar. “While we don’t hold patient data on the system, one of the cornerstones of our business is privacy and discretion. With Workshare, our service users can be confident that our systems prevent data loss.”

“We have to use technology to enable improvements...” – Gee Bafhtiar, operations director, Comfort Care Services

That is because, Bafhtiar says, Workshare keeps all channels of communication secure: data is encrypted in transit and at rest, with password-protected access. “It ensures that communication takes place in a secure environment with the ability
to revoke access to specific documents or from specific devices at any time, with full audit capabilities (who accessed what, when and what’s changed),” says Bafhtiar. This negates the need for users to rely on email to send files, which is often unsecure and hard to control.

Further, he says, Workshare provides granular access control while enabling online collaboration, allowing secure collaboration between internal teams and external parties by invitation. “Together with our VDI environment and Workshare, users have increased their productivity while the company has enhanced data security.”

CCS also has the option to decide where its data resides and, therefore, under which jurisdiction it is subject. The firm’s data resides in a European data center, so complies with EU and U.K. legislative [requirements].

The Workshare deployment reaches across CCS’s entire network and secures its desktop and mobile users. “Our staff can access and make tagged comments on documents, even if they don’t have the document’s native application installed on their computer,” Bafhtiar says. “They can compare two documents with a single click and roll back to previous versions at any time.”

Presence indicators and real-time alerts keep everyone up-to-date, he adds. To ensure that employees do not inadvertently share confidential or sensitive documents, there are user-defined permissions and managed access. Workshare’s mobile applications enable staff to compare multiple versions, create new workflows and share content on the move from their iOS and Android devices. “This was particularly important for our teams, and we were impressed by the speed and accuracy of the mobile comparisons,” says Bafhtiar.

When CCS users are not on the move, they use Workshare Desktop Sync, which integrates with both Windows and Mac operating systems and, as with Workshare’s mobile application, gives real-time insight into all updates and comments. “Desktop Sync lets our staff work online or offline without losing changes,” says Bafhtiar.

CCS is still in the early stages of implementation, but staff uptake is a resounding success, says Bafhtiar. “There is clear internal demand for the combined VDI network, BYOD and Workshare solution.”

[Photo caption: Gee Bafhtiar, operations director, Comfort Care Services]

The right balance

Against the backdrop of BYOD, CCS is primarily concerned with finding the balance between an open exchange of [...]. While [its] priorities once revolved around preventing device theft and protecting information within the company’s four walls, it now has to find ways to manage information in the cloud and on mobile devices, says Bafhtiar. “At the same time, our security measures shouldn’t limit how and when employees access applications or data.”

With its employees more tech-savvy than ever, the CCS IT team is now more focused on protecting against the risks associated with consumer-grade applications and providing secure alternatives. For instance, Bafhtiar points out, there have been multiple Dropbox breaches in the news – from breaking authentication protocols to stealing logins from third-party sites. These incidents are precisely why CCS went looking for an enterprise-grade alternative and chose Workshare.

Bafhtiar says it offers the same ease of use but with more stringent security standards. “All transactions with Workshare must be executed from within the context of a personal, authenticated user account,” he explains. Document owners can assign folder-level permissions and managed access and sharing, preventing confidential or sensitive files from being downloaded or passed on to those without access authorization. They can also get a return receipt and enable time-limited file access. In addition, CCS has access to full audit trails. “Ultimately, Workshare offers more security and auditability – not to mention more powerful features – than other vendors.”

Additionally, the cost of data breaches is significant and becoming more punitive with each breach, says Bafhtiar. And, at the same time, he adds, the market is seeing downward price pressure. “This means that we have to use technology to enable improvements in quality and speed of action in a scalable solution.” That’s because adding support staff is no longer viable, he says. “We believe that Workshare has allowed us to take a major step forward in creating a secure, scalable environment that leverages our staff’s BYOD preferences to enable productivity improvements.”

It’s been an added benefit to work with Workshare because its support staff are so focused on the end-user, says Bafhtiar.
PCI Standards
The latest
iteration of the PCI
Security Standard
calls for moving
beyond simply
meeting compliance
mandates, reports
Jim Romeo.
In the wake of Home Depot’s massive security breach, the PCI Security Standards Council is creating some change this year by updating its Data Security Standard to PCI DSS version 3.0. This new version, however, was already in the works: v3.0 was published in November 2013 and took effect on Jan. 1, 2014, with v2.0 remaining valid until the end of that year. The payments industry can only hope that new standards will keep such breaches from happening and that millions of consumers will avert such exposure again.

Compliance with this migration is expected by the end of 2014, explains Ken Ammon, chief strategy officer of Xceedium. Though many organizations have already started migrating from v2.0 to v3.0, all will be required to comply with the new standard by the end of 2014.
“Though the core 12 security requirements remain the same, PCI DSS v3.0 includes a significant number of evolving sub-requirements not mandated by its predecessor,” says Ammon. “To gauge the scope of the change, v3.0 introduces ‘20 Evolving Requirements,’ defined as changes to ensure that the standards are up to date with emerging threats and changes in the market,” he says. As a comparison, the previous change from v1.2.1 to v2.0 introduced just two evolving requirements. “These changes are, simply put, the most basic best practices available in the market today. As a security professional, these changes mean putting security back into compliance – it’s a good thing.”
The updates fall into two broad categories: new requirements, and clarifications of or additional guidance on existing requirements to help organizations better understand the intent or how best to meet them, says Rob Sadowski, director of technology solutions at RSA.
In addition to helping organizations keep up with the evolving threat landscape and changing technology infrastructure, the Council’s overall goal with the changes in 3.0 is to help make complying with the DSS part of their normal business processes and not just a point-in-time event, says Sadowski. “It also will drive more consistency in the DSS compliance assessments being done by auditors (QSAs) by providing specific assessment procedures,” he adds.
Overall, v3 will help IT security pros in advancing the overall protection of their organizations, says Charles Danley, senior compliance engineer at FireMon. “The updated and new security controls are greatly improved and guidance now looks to ensure security is built into the business process for day-to-day operations, which people have often cited as a shortcoming of previous iterations of the standard,” he says. “In this sense, pursuing compliance will track more closely with the core goals of operational security, which is the right direction.”
Other experts point to the requirement that organizations rethink data protection along the lines of both security and compliance, instead of just compliance. “As the PCI Council points out, the end goal is about protecting sensitive information, not just doing the bare minimum to pass an annual compliance audit,” says Bob West, chief trust officer at CipherCloud. “This will require companies to reassess their current protection strategy and then address any gaps.”
West says that at a high level, v3.0, released last November, addressed shared responsibility for data protection, a relevant topic to help create a security structure for the shared nature of cloud, and introduced password education and point-of-sale (POS) security training, which is particularly relevant given the string of POS breaches. The August 2014 updates focus on risk assessment to drive more effective security in addition to the compliance that the payment industry looks to PCI DSS to provide.

As a result, retailers, card processors and others in the payment supply chain will need to invest more in threat monitoring, detection and response, West explains. These recommendations, and the high-profile card breaches over the past nine months, make a strong argument for payment industry companies to incorporate these technologies into their existing set of security solutions.
One notable implication of the new standards is more transparency between service providers and merchants, says Gregory Rosenberg, a security engineer with Trustwave. “Third-party service providers – any business that interacts with cardholder information – will need to articulate
“Service providers can be negligent when it comes to security.”
– Gregory Rosenberg, security engineer, Trustwave

The Council

In the shadow of a major data breach where nearly 60 million Home Depot consumers were exposed, and with the PCI Data Security Standard undergoing change, we spoke to Stephen Orfei, general manager of the PCI Security Standards Council, to garner some valuable words of advice to accompany the new security standards.

1. Don’t forget the basics: Malware and other agents make their way into systems because basic controls fall down, such as changing passwords, patching systems and managing access.

2. Ongoing monitoring: The difference between one record and millions of records compromised is the ability of an organization to detect and react to an [...]

3. Prioritize technology: With EMV chip, encryption and tokenization more affordable and accessible than ever, organizations need to use technology to make data worthless to attackers.

4. Choose trusted partners: Security is only as good as your weakest link. Responsibility can’t be outsourced. Third-party security needs to be as high a priority as the integrity of your own [...]

5. Focus on risk, not compliance: Remember that compliance is just a point-in-time measurement. Prioritize your efforts to reduce risk and increase security, every day, year-round, not just at assessment time.
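Orfei’s third point, making data worthless to attackers, and the attachment policy described earlier in the Workshare case study (clean a document automatically when a credit card number appears in it) both begin with the same two steps: find the primary account numbers in free text, then replace them with something that has no value outside a vault. The Python below is an added example, not code from the PCI SSC, Workshare or any vendor on this page. It combines a candidate regex with the Luhn check to find PANs without flagging phone numbers or reference codes, and a constructed in-memory token vault that swaps each PAN for a random token preserving only the last four digits. The sample text is constructed; the card numbers are the widely published test numbers, not real cards; the vault stands in for a tokenization service and its token format is an assumption.

```python
import re
import secrets

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: true for every well-formed payment card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Yield (start, end, digits) for each Luhn-valid, card-number-shaped run in text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.start(), m.end(), digits


class TokenVault:
    """Constructed in-memory stand-in for a tokenization service. The token is random, so it
    tells an attacker nothing about the PAN beyond the last four digits; only the vault maps back."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:            # the same PAN always maps to the same token
            return self._token_by_pan[pan]
        token = "tok_%s_%s" % (secrets.token_hex(8), pan[-4:])
        while token in self._pan_by_token:       # collision is vanishingly unlikely; be exact anyway
            token = "tok_%s_%s" % (secrets.token_hex(8), pan[-4:])
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault (in practice: a separate, tightly scoped service) can reverse a token."""
        return self._pan_by_token[token]


def tokenize_text(text, vault):
    """Replace every detected PAN with its token; return (new_text, number_replaced)."""
    pieces, last, count = [], 0, 0
    for start, end, digits in find_pans(text):
        pieces.append(text[last:start])
        pieces.append(vault.tokenize(digits))
        last = end
        count += 1
    pieces.append(text[last:])
    return "".join(pieces), count


if __name__ == "__main__":
    # Constructed sample line with two published test card numbers, a phone number and a reference code.
    sample = ("Client paid with card 4111 1111 1111 1111 and Amex 378282246310005; "
              "phone 020 7946 0000; ref 1234567812345678.")
    cleaned, n = tokenize_text(sample, TokenVault())
    print(n, "PAN(s) replaced:", cleaned)
```

The Luhn step is what keeps this usable as a policy trigger: the 16-digit reference code in the sample has the right shape but fails the check, so it is left alone, while the 15-digit Amex number with no separators is still caught. The vault is the part that makes the data worthless outside it: a leaked document or database full of tokens cannot be turned back into card numbers without a second compromise of the vault, which is why PCI DSS scope shrinks to the systems that hold it.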
what aspects of the compliance process they are going to fulfill,” he says. In the past, he explains, merchants simply had to list their service providers as part of the compliance process. The service provider had to verify in writing that it was taking steps to protect customers’ cardholder data and doing its due diligence in being in compliance. The problem was that the merchant didn’t really know what security measures, if any, the service providers were taking.
“Service providers can be negligent when it comes to security, i.e., using weak passwords for remote access into the merchants’ POS systems,” says Rosenberg. Under the new requirement, service providers need to openly articulate what security measures they are putting in place as part of the compliance process. This change opens the lines of communication between the merchant and third-party service provider so that both parties are aware of what each is doing to maintain compliance with the PCI DSS standard, he says.
However, for most merchants with a mature PCI and security program, v3.0 isn’t a huge leap, according to Peter Chronos, chief security officer with Earthlink, an IT services, network and communications provider headquartered in Atlanta. He points out that merchants who have viewed passing an annual PCI audit as the single measure of success for their security program will struggle. “The aim of the new standards is to challenge merchants to move beyond compliance and adopt a security posture that evolves over time,” he says.

In particular, requirement changes in section 8 – 8.2.3, 8.5.1 and 8.6 – are designed to enhance password security and remove an easy attack vector that has been exploited for years (8.2.3 sets a minimum of seven characters mixing letters and digits; 8.5.1 requires service providers with remote access to customer premises to use unique credentials for each customer; 8.6 ties other authenticators such as tokens, smart cards and certificates to an individual account). “Requirement 12.8.5 now mandates that merchants and service providers must maintain documentation that clearly outlines which party is responsible for each DSS requirement,” Chronos says. “This change takes away the scope and responsibility guesswork when merchants partner with a service provider to manage their IT and network [...]”
The challenge accompanying new mandates like this, specifically for third-party relationships, is one of scale, as most companies today have hundreds, if not thousands, of third-party suppliers, says Stephen Boyer, CTO and co-founder of BitSight Technologies. “Certainly not all of these are tied to the payment industry, but in our experience the standards implemented for the PCI-specific parts of a business help to inform the overall security practice for the organization,” he says. “The good news is that the use of security ratings and other disciplines help to mitigate the challenge of scale and implement a ‘tiered due diligence program’ as suggested by section 3.3.”
Xceedium’s Ammon agrees. “Rather than simply complying with standards, organizations need to proactively address cyber threats by implementing privileged identity management. Organizations need to establish a zero trust privileged identity management model inclusive of two-factor authentication that contains, controls, alerts, monitors and audits to proactively mitigate risk.”

With the hangover of Home Depot looming over the industry, we shall see how effectively the new security standards help to proactively mitigate such risk.
Product Section
[Cover teasers: “… can give peace of mind to CISOs” (p41); Boldon James: covers virtually all types of files]
In November, addressing difficult challenges

This month we look at application security, and we have a real treat for you with two emerging product groups covering a couple of the most challenging functions that we need to perform on our enterprise: on-line fraud management and data classification. All three topics are challenging for different reasons.

First, databases are hard to secure in an age where the perimeter has all but disappeared. Web front-ends connect more or less directly to backend databases, and under some conditions it seems as if the connection between the data and the user is direct and uninhibited. That’s not true, of course, but under the wrong circumstances an intruder can gain the level of access that makes it appear to be.

The fraud management challenges are more or less obvious, even if the solutions are not. To manage fraud you need to identify it. That is the first problem. Then you need to stop it. Second problem. Finally you need to make sure that you can identify the fraudster so you can block them quickly and easily. Our emerging products do a nice job of dealing with these.

Last, anyone who has ever tried to deploy DLP without data classification knows how challenging – and ineffective – that can be. However, data classification can be equally challenging. Our emerging products in this group address those issues in unique ways. DLP simply does not work well if you don’t have the data classified, and people don’t like to be troubled with classifying documents and email. What is needed is a product that makes that chore easy or, better still, nearly transparent to the users.

The database security group was surprisingly small – only two products – but that gave us the opportunity to take a good look at them and to spend some serious time on our emerging products. It also gave us the time to set up our second SC Lab facility at Norwich University, where we will be using the able talents of Sal Picheria, Ben Jones (one of the lead system administrators in the Center for Advanced Computing and Digital Forensics at the university) and James Verderico. Setting up a test lab in a 114-year-old building had its challenges, but the Center is well equipped and we called on it for the testing infrastructure that we need.

—Peter Stephenson, technology editor
How we test and score the products

Our testing team includes SC Labs staff, as well as external experts who are respected industry-wide. In our Group Tests, we look at several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use, Features, Documentation, Support, and Value for money). There are roughly 50 individual criteria in the general test process. These criteria were developed by the lab in cooperation with the Center for Regional and National Security at Eastern Michigan University.

We developed the second set of standards specifically for the group under test and use the Common Criteria (ISO/IEC 15408) as a basis for the test plan. Group Test reviews focus on operational characteristics and are considered at evaluation assurance level (EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally tested) in Common Criteria-speak.

Our final conclusions and ratings are subject to the judgment and interpretation of the tester and are validated by the technology editor. All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for publication. Prices quoted are in American dollars.

What the stars mean

Our star ratings, which may include fractions, indicate how well the product has performed against our test criteria.

★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the product’s report card.
★★★ Carries out all basic functions to a satisfactory level. A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the product’s report card.
★ Seriously deficient. An “F” on the product’s report card.

What the recognition means

Best Buy goes to products the SC Lab rates as outstanding. Recommended means the product has shone in a specific area. Lab Approved is awarded to extraordinary standouts that fit into the SC Labs environment, and which will be used subsequently in our test bench for the coming year.
GROUP TEST | Application security

In order to control the impacts of attacks, we need to have a comprehensive detection and defense scheme, says Peter Stephenson.

[Specifications for application security tools (●=yes ○=no): products Barracuda Networks Web Application Firewall 660 and Fortinet FortiDB; columns include Supports proxy, Scans for sensitive data from pages in transit, Creates reports, and Built-in policies and functionality to support regulatory compliance. The yes/no values did not survive extraction.]

Best Buy: For its easy installation and superior functionality at an excellent price point we make the Barracuda Web Application Firewall Model 660 our Best Buy.

Recommended: The FortiDB 1000D from Fortinet can provide the type of strong security that gives peace of mind to CISOs and DBAs alike. This one is our Recommended product.
This month we look at application security. Really, this means application firewalls, but it is something more than that. Databases operate at layer 7 as applications, of course, but there is sometimes more to an application-level attack than just the layer 7 activity.

For example, there needs to be a penetration to get to the database. That could be an application-based attack – phishing, say – or it could be a directed attack, such as compromise of a weakness in the communication stack. In reality, just about all OSI layers could, theoretically, be involved in what appears to be nothing more than an application compromise.

That said, our two products this month focus on the application side of the problem. Both look for holes, but each does it slightly differently. While one performs a lot more than vulnerability assessment – including remediation – the other is focused on auditing vulnerabilities. Web apps are the low-hanging fruit in any organization with a web presence connecting to a backend database. Understanding the vulnerabilities is important and, unfortunately, not as easy as it sounds.

The problem is that in many of today’s enterprises the perimeter has all but disappeared. The firewalls, NACs and IPSs are still there, to be sure, but there is a direct
connection between the users on the outside and the data on the inside. All that stands between those two points is the security of the applications that act as middleware and the secure configurations of the web application itself and the database it connects to. Unless this entire path is secure you are at risk.
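The path Stephenson describes, user to web front-end to database, collapses to a single query the moment the application builds SQL out of request parameters. The Python below is an added illustration and not code from either product under test or from SC Labs: a deliberately vulnerable login that concatenates user input into the statement, the parameterised version that closes the hole, two classic payloads that work against the first and not the second, and a small signature rule of the kind a web application firewall applies in front of the application. The in-memory SQLite table, the pre-hashed placeholder passwords and the rule itself are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample: an in-memory users table standing in for the backend database.
    The password_hash values are placeholders; real code stores a salted hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-pw", "dba"), ("bob", "hash-of-bob-pw", "clerk")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: request parameters are pasted into the SQL text, so the
    web front-end hands the database whatever the user typed, operators and comments included."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password_hash):
    """Parameterised: the driver sends values separately from the statement, so they can
    only ever be compared against a column, never interpreted as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash)).fetchone()


# Two classic payloads: comment out the password check, or turn the WHERE clause into a tautology.
PAYLOADS = ["alice' --", "' OR '1'='1"]

# A minimal signature of the sort a WAF applies to request parameters. It catches the two
# payloads above, but signatures are evaded routinely; it is a second line, not the fix.
_INJECTION_SIGNATURE = re.compile(r"'\s*(--|or\s+'?\w+'?\s*=)", re.IGNORECASE)


def looks_like_injection(value):
    return _INJECTION_SIGNATURE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    for payload in PAYLOADS:
        print(repr(payload), "vulnerable ->", login_vulnerable(db, payload, payload),
              "| hardened ->", login_hardened(db, payload, payload),
              "| flagged:", looks_like_injection(payload))
```

With the first payload the vulnerable query becomes `... WHERE username = 'alice' --' AND password_hash = 'wrong'`, and everything after `--` is a comment, so the password check disappears and the DBA account is returned. The hardened version compares the literal string `alice' --` against the username column and finds nothing. The signature rule is shown because this month’s products sit in exactly that position, in front of the application; it is worth seeing both how little it takes to write one and why it cannot substitute for fixing the query.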
So the big question is, how
do you know that you are
secure? And if you are not,
what do you do about it? Both
of these fine products solve
either or both of these problems. In years past, security
testing of web applications was
a matter of auditing the code.
Today, code audits still work
but performance auditing is a
better bet. This tells you how
the application will behave
under a variety of conditions
and it is less prone to false
positives than a code audit.
Essentially, this is a web version of a penetration test.
This type of audit needs a
couple of companions to make
it really effective. First, it needs
a way to identify and block
malicious activity attempts,
and second it needs to be able
to repair the damage. The tools
we looked at provide one or
both of these functions.
When we ran the two tools in
the SC Lab, we used a database
and front-end that had several
flaws purposely included. Both
devices performed admirably
to the point where they discovered flaws of which we were
unaware. Further manual test-
ing confirmed that they were
not false positives. What this
says is that the type of testing that we experienced with
this month’s products likely is
the way to ensure that you are
applying the best protection to
your layer 7. Applications are
touchy things. Every time that
you update them you run the
risk of breaking something in
the act of fixing or patching
something else. Constant vigilance and proactive remediation and protection are critical
on these applications because
they are the most likely entry
point for an experienced
We found that both of these
tools filled the bill very nicely
and provided a lot of good
functionality. When you are
buying an application firewall,
determine what types of applications and databases you want
to protect. Then match the tool
to the need. Tools that have
multiple deployment modes –
in-line, out of band, etc. – can
be very attractive depending
on your traffic load. Automatic
remediation may be a good
bet for you if you have limited
resources to repair manually.
We liked both of these products. In fact it was hard – from
a performance and functionality standpoint – to choose
between them. They both
have fine feature sets and both
exhibited stellar performance.
We suggest that you have a
good look at both if you are
considering application protection in the near future.
[Feature table residue: creates reports; built-in policies and functionality to support regulatory compliance.]
Statement of Ownership, Management and Circulation
1. Publication Title: SC Magazine. 2. Publication Number; 005-213. 3. Filing Date: Sept. 12, 2014. 4. Issue Frequency: Monthly. 5. Number of Issues Published Annually: 10. 6. Annual Subscription Price: U.S.: $98; Canada and Mexico: $110; Foreign: $208. 7. Complete Mailing Address of Known Office of Publication: Haymarket Media Group 114 West 26th Street, 4th Floor, New York, NY 10001. 8. Complete
Mailing Address of Headquarters or General Business Office of Publisher: Haymarket Media Group, 114 West 26th Street, 4th Floor, New
York, NY 10001. 9. Full Names and Complete Mailing Addresses of Publisher, Editor and Managing Editor: Publisher: David Steifman,
VP Sales, Haymarket Media Group. 114 West 26th Street, 4th Floor, New York, NY 10001; Editor-In-Chief: Illena Armstrong, VP Editorial,
Haymarket Media Group. 114 West 26th Street, 4th Floor, New York, NY 10001; Managing Editor: Greg Masters, Haymarket Media Group,
114 West 26th St, 4th Floor, New York, NY 10001. 10. Owner: Haymarket Media Group, Ltd., Teddington Studios, Broom Road, Teddington, Middlesex TW11 9BE. 11. Known Bondholders, Mortgages and Other Security Holders Owning or Holding 1 percent or More of Total
Amount of Bonds, Mortgages, or Other Securities. If none check box: None. 12. Tax Status: The purpose, function and nonprofit status
of this organization and the exempt status for federal income tax purposes: Has Not Changed During Preceding 12 Months. PS Form
3526-R. July 2014. 13. Publication Title: SC Magazine. 14. Issue Date for Circulation Data Below: Sept. 2014. 15. Extent and Nature of Circulation [i] Average No. Copies Each Issue During Preceding 12 Months [ii] No. Copies of Single Issue Published Nearest to Filing Date a.
Total Number of Copies (Net press run) [i] 40,964 [ii] 40,487 b. Paid and/or Requested Circulation (1) Paid/Requested Outside—County
Mail Subscriptions Stated on Form 3541 [i] 39,977 [ii] 39,979 (2) Paid In-County Subscriptions Stated on Form 3541 [i] 0 [ii] 0 (3) Sales
Through Dealers and Carriers, Street Vendors, Counter Sales, and Other Non-USPS Paid Distribution [i] 0 [ii] 0 (4) Other Classes Mailed
Through the USPS [i] 94 [ii] 87 c. Total Paid and/or Requested Circulation [i] 40,071 [ii] 40,066 d. Free Distribution by Mail (1) Outside-County as Stated on Form 3541 [i] 98 [ii] 96 (2) In-County as Stated on Form 3541 [i] 0 [ii] 0 (3) Nonrequested Copies Distributed Through
the USPS by Other Classes of Mail [i] 0 [ii] 0 (4) Nonrequested Copies Distribution Outside the Mail [i] 668 [ii] 200 e. Total Nonrequested
Distribution [i] 767 [ii] 296 f. Total Distribution [i] 40,837 [ii] 40,362 g. Copies not Distributed [i] 127 [ii] 125 h. Total [i] 40,964 [ii] 40,487
i. Percent Paid and/or Requested Circulation [i] 98.12% [ii] 99.27%. 16. Publication of Statement of Ownership for a Requestor Publication is required and will be printed in the November 2014 issue of this publication. 17. Manager, or Owner: John Crewe, Chief Operations
Officer, 09/30/2014. I certify that all information furnished on this form is true and complete. I understand that anyone who furnishes
false or misleading information on this form or who omits material or information requested on the form may be subject to criminal sanctions (including fines and imprisonment) and/or civil sanctions (including civil penalties).
Barracuda Web Application
Firewall Model 660
Vendor Barracuda
Price $9,999 (hardware
Ease of use
Documentation ★★★★★
Value for money ★★★★★
Strengths Great price point and
a well-designed interface.
Weaknesses None found.
Verdict For its easy installation
and superior functionality at an
excellent price point we make this
our Best Buy.
The Barracuda Web Application Firewall is a hardware-based device which is used to monitor, assess and remediate web-based application vulnerabilities. The device is
flexible and can be deployed in several ways. In the Two-Arm
Proxy Deployment, the Web Application Firewall sits between
the network and the web server, allowing total visibility and maximum security.
The Firewall can also be deployed using only one interface connected to a mirror
port, providing zero downtime during installation. In this configuration, there is an alternate path to the web servers in the event of hardware failure. The tool is more than just a simple web security device.
It even includes some DLP functionality, and the default policy it
came with already blocked the leakage of credit card numbers and SSNs.
The Barracuda Web Application Firewall was easy to set up. After we
removed it from the box, we easily installed it into our server rack using the
included rack-mount hardware. After that, we connected our keyboard, monitor and mouse to the back of the server and powered the device on. We decided
to test it using the Two-Arm Proxy Deployment, so we set up both NICs. Once
the machine booted, we were greeted with the built-in configuration tool,
which allowed us to configure the interfaces and test network functionality.
The appliance comes with great built-in functionality and requires minimal
configuration to integrate into the network. It has a well thought out web GUI,
which allowed us to smoothly access and implement firewall policies. Before
interfacing the device with our test site, we updated the software. The 660’s
online updater installed the latest security definitions in the background while
we continued testing. The PCI DSS 2.0 policy files are present on start-up and
allowed us to compliance audit our test system right out of the box. We were
pleased with its ability to generate reports at the click of a button. A unique
characteristic of this device was the ability to obfuscate sensitive data, such as
credit cards, SSNs and also custom user-specified strings.
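The obfuscation behaviour described above, as an added example rather than Barracuda's own code: a small Python redactor that masks card numbers (validated with the Luhn checksum so that order or tracking numbers are left alone), SSNs (skipping values the SSA never issues) and custom user-specified strings in a response body, and returns the findings a policy engine would log. The patterns, the sample response and the custom string are all constructed here.

```python
import re
from typing import Iterable, List, Tuple

# Added example, not Barracuda's code: response-body masking of the kind a
# WAF data-leakage policy applies (credit card numbers, SSNs, custom strings).
# The patterns and the sample response below are constructed for this example.

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a plain digit run is masked only if it checks out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def redact(body: str, custom_strings: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Return (masked_body, findings); findings name the data type and a hint."""
    findings: List[str] = []

    def mask_card(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw                      # e.g. an order number: not a card
        findings.append(f"card ending {digits[-4:]}")
        return "X" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m: re.Match) -> str:
        if not ssn_plausible(*m.groups()):
            return m.group(0)
        findings.append(f"ssn ending {m.group(3)}")
        return "XXX-XX-" + m.group(3)

    out = SSN_RE.sub(mask_ssn, body)
    out = CARD_RE.sub(mask_card, out)
    for s in custom_strings:                # user-specified literal strings
        if s in out:
            findings.append(f"custom string {s!r}")
            out = out.replace(s, "[REDACTED]")
    return out, findings


# Constructed sample of a leaky application response.
SAMPLE_RESPONSE = (
    "<p>Customer SSN: 123-45-6789</p>\n"
    "<p>Placeholder: 000-12-3456</p>\n"           # never issued, left alone
    "<p>Card on file: 4111 1111 1111 1111</p>\n"  # Luhn-valid test number
    "<p>Order number: 1234 5678 9012 3456</p>\n"  # 16 digits, fails Luhn
    "<p>Project: BLUEFIN</p>\n"                   # constructed custom string
)

if __name__ == "__main__":
    masked, found = redact(SAMPLE_RESPONSE, custom_strings=["BLUEFIN"])
    print(masked)
    print(found)
```

Running the block masks the valid SSN and card number, redacts the custom string and leaves the implausible SSN and the non-Luhn order number untouched, which is the behaviour you want to confirm before trusting a masking policy on real traffic.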
When we opened the box, we found that the 660 came with a quick-start
guide as well as some marketing materials. The well-written quick-start guide
outlined the various deployment scenarios the device is capable of and how
to implement them. It included pictures and diagrams, as well as some screen
shots of the CLI, which made setup easy.
Barracuda offers two types of support for its firewall. In order to receive
software updates, users must be subscribed to its Energize Update service. This
provides security and product updates at a cost of $2,699 per year, along with
basic eight-hours-a-day/five-days-a-week telephone support. For an additional
cost of $2,199 per year, a 24/7 service contract can be purchased. Because of
its rich feature set, we believe that the value for money is outstanding. Coming
in at $9,999 for the base hardware, it is significantly less expensive than other
products of its type. Overall, we were thoroughly impressed with the price
point and the scope of this product’s functionality.
GROUP TEST | Application security
Fortinet FortiDB 1000D
The FortiDB 1000D is a hardware appliance that monitors, audits and
identifies vulnerabilities in databases. There are three deployment
options: network sniffer, native audit and network agents. Network sniffer looks at all the traffic going to and from the databases.
In native audit, the FortiDB logs in to the databases and requires
almost no setup. Using network agents, the databases send data
back to the FortiDB appliance. All of the deployment options
allowed for non-intrusive setup and did not require any downtime
in our environment. Once set up, a full audit is a few clicks away and reports
are downloadable with ease. FortiDB is compatible with all major
databases and can be easily installed in any environment.
When we pulled the FortiDB out of the box, we found a sleek-looking server that stood out when we put it in the rack. We attempted to
connect through the provided serial cable, which after some troubleshooting, we
eventually determined was faulty. We were able to configure the device with one of
the spare cables in our lab. An error in the documentation caused confusion and
prevented us from a complete setup until after we called support. Once that stumbling block was over, setup was easy and straightforward.
The web GUI is a delight to use, and the device is fast. While working with it,
there was almost zero delay on any actions. It was clear to us that Fortinet puts
a lot of emphasis on performance. The GUI was simple, intuitive and, overall,
was easy to understand. Adding databases is a breeze as the FortiDB 1000D can
search automatically for databases. We had a clear, concise and professional audit
report in mere minutes. On its first scan, it caught everything we expected it to
and quite a bit more. The report was thorough and provided simple and helpful
solutions to fixing the problem. It has support for multiple standards.
The quick-start guide was lacking a bit and, as mentioned, the documentation
had an error that slowed our setup. Further, navigating the website was convoluted and finding the full documentation was more tedious than we like to see.
However, the full documentation was long and detailed, and the product was
so easy to use once it was set up we really didn’t need to reference it.
Support for FortiDB is subscription based with FortiCare and is available
in different levels. A FortiCare eight-hours-a-day/five-days-a-week Enhanced
Support contract is $3,000 and the FortiCare 24/7 Comprehensive Support
contract is $4,999.
Fortinet provided us with a great product and while we encountered some hiccups in setup, we felt that it redeemed itself through its feature set. The FortiDB
is a great database security asset and can deliver peace of mind in the security of
your database. In our tests we found it reliable, informative and straightforward.
Its reports were so informative and well done that it would be useful to anyone
– from database administrators to CISOs. In our test database, FortiDB found
more security holes than we expected. It was so good that it could be used as a
benchmark to compare other audit tools to. It excels at what it does, but $19,995
is a steep price for some environments. If you can afford it, and are in a security-minded environment, FortiDB 1000D is well worth the investment.
Vendor Fortinet
Price $19,995 (hardware
Ease of use
Documentation ★★★★
Value for money
Strengths Great reports with
thorough, easy to use and solid
Weaknesses Some minor challenges during setup, and documentation could be stronger.
Verdict Can provide the type of
strong security that gives peace
of mind to CISOs and DBAs alike.
This one is our Recommended
product this month.
EMERGING PRODUCTS | Data classification
Emerging products: Data classification
We can create policies that define touch points in a document or email that help determine its
classification, says Peter Stephenson, technology editor.
Each quarter, Technology Editor
Peter Stephenson and his team
at the SC Lab address emerging
technologies and markets. The
purpose is to look at segments in
the information assurance space
that represent new technologies,
needs and capabilities. In those
emerging areas there always are
new entries and old pros that
want to expand into the space.
We will be looking at both – and
bringing you the companies and
products that we believe will
shape the future.
Many organizations plan
to implement data leakage protection (DLP),
but many believe that DLP will
solve all of their data exfiltration problems. They’re wrong.
While some data leakage
problems can be solved with
DLP alone – it’s pretty easy to
spot Social Security numbers or
credit card numbers – some of
the most onerous require a lot
more definition than DLP alone
can give. It’s a bit like expecting
an IDS to identify all threats
without defining what that
threat consists of. Something
needs to tell the DLP system
what is acceptable data exfiltration and what is unacceptable
leakage. That’s where data classification comes in.
Data classification, done manually, is one horrendous slog.
Manually working through tens
or hundreds of thousands of
documents and email to classify
them would not be even remotely acceptable to just about any
organization. So most never do
it. But that’s only one issue.
Another important piece of
the data classification puzzle
is determining who owns the
data. In most organizations, it
is hard to make that determination for certain types of asset.
If the organization has an ERP
system, for example, who owns
the backend data that makes it
work? More important, which
backend data? A big ERP system can have financial, inventory, HR and other types of
data sets.
Most enterprises today use
discretionary access control
and therein lies the answer.
If we authorize access to data
based on authorization from the
owner, why not classify data the
same way? That may seem to
take us back around to ‘nobody
wants to take the responsibility
for owning the data,’ but if we
get a bit more granular we can
say that anyone who creates a
discrete piece of data owns it
and owns the right – responsibility, really – to classify it. If we
create classification guidelines,
we can make that process quite
easy for the users.
Now we get back to the problem of classifying legacy data.
That is, as we said, a huge challenge. However, we can create
policies that define touch points
in a document or email that
help determine its classification. If we keep the number of
classifications simple – public,
internal use and confidential,
for example – we can teach our
data classification tool to recognize and classify documents
For this month’s emerging
products, we looked at some
of these tools and were pleased
with what we saw. We consider
the whole notion of automated
data classification to be an
emerging area of cybersecurity
because it is not in widespread
use – even though it should be.
There are a couple of tools that
have been around for a while
and we see these improving
every year, but we also see new
players on the scene and they
are doing some rather interesting things.
Functionalities we look for
in these products are an ability
to perform bulk data classification – i.e., classifying the mass
of legacy documents and emails
sure to exist at the time you
deploy the data classification
tool – ease of use for the end-user classifying his or her data,
and the ability to carry the classification with the document
no matter where the document
ends up.
We also like to see the effect
of mixed classifications. For
example, if we take a public
email and attach a confidential
document, what happens? Does
the system refuse to send the
email? Does it upgrade the
email to confidential? Or does
it raise an alert and then give
the user the option? It might do
a combination of these as well.
Finally, we look at how well
the tool interacts with other
offerings, such as DLP systems.
The ability to work together is
pretty important when we are
considering the close relationship between data exfiltration
and data classification. Some
nice-to-have features include
ad hoc classification. In other
words, if we create a document
on a different computer and
bring it to work on a thumb
drive will the system try to classify it as soon as it enters the
In general, then, we look for
the more advanced functionality when we are looking at
emerging products and this
batch doesn’t disappoint.
Identity Finder Sensitive Data Manager
Because of the complicated nature of today’s enterprises, data discovery can be challenging. Sensitive Data Manager ties discovery to business issues making classification easier and more relevant. The process needs to be: discover, identify and classify
data in the business context. That is exactly what this tool does. You cannot protect your
data if you don’t know where it is.
Searches can be performed using agents or agentlessly. This is what the developer calls
a “split agent/console design.” A console can perform agentless searches or you can place
agents on Windows, Mac or Linux machines. In either case, the searches are managed by
the data aggregator and policy engine. Applying the policies can result either in forcing or
restricting user behavior.
One thing we especially liked was its ability to classify legacy documents based on policy.
As well, it integrates cleanly with other systems, such as Active Directory. The end-user interface is lucid and easy to use and the product has integrated OCR-enabling character recognition from a variety of documents and document types.
There are numerous reports and displays that allow users to see data in just about any way
one can imagine. Automatic remediation is available, allowing data to be redacted or entire
documents to be shredded. With its solid forensic audit trail it is perfect for data retention
and eDiscovery. Custom reporting is easy – all drag-and-drop – and everything is done
through the use of wizards.
Overall, this is about as complete as it gets with a clean, intuitive user interface and lots of
Product Sensitive Data Manager
Company Identity Finder
Price Starts at $25,000 for 100 seats.
What it does Data discovery and
What we liked Ease of use and
comprehensive data discovery.
CA Data Protection Classification
This is a clean product with a well thought-out goal and a well-executed solution. It
is part of the overall CA suite of access control products with which it integrates
smoothly, and it offers dynamic classification and recognition. That means that if a
user has an unclassified document and tries to add classified information to it, the tool will
update the classification appropriately.
Data Protection Classification is intended for use with Windows Server 2012, as well as
with SharePoint. However, the tool does not control access directly. Rather, it works with the
Microsoft operating system to perform restrictive actions. Essentially, Data Protection Classification directs and the Windows operating
system executes.
The policy editor is excellent and easy to use.
Of course, lots of policies are available out of
the box, but creating custom ones is quite easy.
Much about this product seems familiar making it a breeze to administer and use. The user
interface is well done and operation nearly is
The classification process begins with file
creation and classification by the file’s creator.
The file then is stored with its classification.
When a user requests the file, the classification of the file and the user are looked up and
access to the file is controlled based on the policy. Reclassification is allowed, but only if the
reclassifier has the appropriate level of access to the file.
Overall, we liked this because it fits so neatly into the CA architecture, but if you would
rather just have the CA Data Protection Classification product as a standalone tool you can
do that too. If you are running SharePoint in a Server 2012 environment, you really need to
have a close look at this one. It’s a good fit.
Product Data Protection Classification
Company CA Technologies
Price $20,000, plus 20 percent annual
What it does Dynamic classification
and control for SharePoint and Windows
Server 2012 environments.
What we liked Integrates with other CA
products, as well as third parties; doesn’t
impose controls, it simply classifies the data.
Boldon James Classifier
Product Classifier
Company Boldon James
Price $15.20 per user for the combination
of Email, Office and File Classifier at 5,000
What it does Allows users to apply
relevant visual and metadata labels
(protective markings) to messages and
documents in order to enforce information
assurance policies.
What we liked Part of the Classifier portfolio that covers virtually all types of files.
Simple to use.
Probably the neatest thing about this product is the way it inserts itself into documents
it is protecting – as if it was part of the original design of the product. When you look
at a Microsoft Word document, for example, the classification tools are part of the
tool bar just like the fonts, paragraph definitions and other Word functions. Under a tool bar
section called Classifier Label, you will find the classification choices and any label dialog
you wish to add. These are created by policy.
Applying Classifier labels is just a mouse click away so users are not deterred from classifying their documents as they create them. When the document is created, it not only has the
classification icon, it has the detailed label. There is no doubt about the classification. Moreover, the classification label contains a message that tells the user what they may or may not
do with the document.
Policies also include who can change classification levels. If you are not authorized for a
particular document, you won’t be able to make any changes. The same process applies to
Microsoft Outlook as well. The addition is that any attachment to a message impacts the
classification of the message.
Similar to documents, the classification information for emails shows up in the header as
metadata. If one makes a change to a classification, it will immediately be reflected in all of
the documents saved under that classification.
Of course, this product suite integrates with Active Directory, and the company’s goal for
the end-user is that classifying a document or email involves only a mouse click – no more
difficult than changing a font.
TITUS Classification Suite
Product TITUS Classification Suite, including Message Classification for Microsoft
Outlook, Classification for Microsoft Office,
Classification for Desktop, and Classification
for Mobile
Company TITUS
Price Starts at $89 per user
What it does Provides classification for
data, largely in a Microsoft environment,
plus mobile environments with the new
Classification for Mobile tool.
What we liked Besides the comprehensive
suite of interlocking products, we like the
mobile product for its uniqueness.
The TITUS Classification Suite really covers the bases. While it
is not uncommon to see Outlook and Office applications covered, Outlook Web Access (OWA) and mobile devices are not
so common. The trouble is that of the entire bunch these two product
groups probably are the most vulnerable to data leakage.
Documents are classified in the familiar way of selecting the appropriate marking from the Word (or other Office application) tool bar.
The classification metadata become part of the document’s other metadata and the document is protected from changes based on policy.
The suite works with Active Directory and also with third-party
products, such as DLP. Email gets the same treatment, plus colored
labels that immediately call the reader’s attention to the classification.
As one would expect, the email message will assume the classification
of an attached document if it is higher than the email’s.
Policies can dictate what documents must be classified, based on business drivers. So one
department may be required to classify all of the documents and email that originate within
it while another department might have the option of not classifying.
We especially liked the two mobile device apps – one for Android and one for iOS. These
cover email and documents moving into and out of the device. The mobile apps cover such
unique areas as wireless printing permission and sharing options.
The bottom line here is that this is a very comprehensive suite of products that covers
Microsoft and mobile devices extremely well and in a well-integrated infrastructure. The
TITUS ecosystem includes integration with some of the top names in the information security market. Well worth a look.
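The label rules that recur through this section, as one added example that belongs to none of the products reviewed: the mixed-classification question from the introduction (a public email carrying a confidential attachment may be refused, upgraded, or flagged for the user to decide), the dynamic upgrade CA performs when classified content is added to a document, the access and reclassification checks CA ties to the user's level, and the TITUS and Boldon James rule that a message takes on the higher label of its attachments. The three level names come from the text; the policy action names, the user levels and the sample documents are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not the code of any product reviewed here. It models the
# label behaviour the section describes over a small ordered set of labels.
# LEVELS follows the text (public, internal use, confidential); the policy
# action names, user levels and sample documents below are assumptions.

LEVELS = ["public", "internal", "confidential"]   # ordered low to high


def rank(label: str) -> int:
    if label not in LEVELS:
        raise ValueError(f"unknown classification {label!r}")
    return LEVELS.index(label)


def highest(*labels: str) -> str:
    return max(labels, key=rank)


@dataclass
class Document:
    name: str
    label: str

    def add_content(self, content_label: str) -> str:
        """Dynamic classification: adding higher-classified content upgrades the document."""
        self.label = highest(self.label, content_label)
        return self.label


@dataclass
class Email:
    label: str
    attachments: List[Document] = field(default_factory=list)


def effective_email_label(email: Email) -> str:
    """A message carries the highest label among itself and its attachments."""
    return highest(email.label, *(d.label for d in email.attachments))


def check_send(email: Email, mixed_policy: str = "upgrade") -> Tuple[str, str]:
    """Decide what happens when an attachment outranks the email body.

    mixed_policy is one of "upgrade", "refuse" or "prompt", the three outcomes
    the text lists (names assumed). Returns (action, label) where label is the
    classification the message would carry if it goes out.
    """
    effective = effective_email_label(email)
    if rank(effective) <= rank(email.label):
        return "send", email.label            # nothing attached outranks the mail
    if mixed_policy == "upgrade":
        return "send", effective              # mail is raised to the attachment's level
    if mixed_policy == "refuse":
        return "refuse", email.label          # mixed message is blocked outright
    if mixed_policy == "prompt":
        return "prompt", effective            # alert and let the user decide
    raise ValueError(f"unknown policy {mixed_policy!r}")


def can_access(user_level: str, doc: Document) -> bool:
    """Access is granted when the user's level is at or above the file's label."""
    return rank(user_level) >= rank(doc.label)


def can_reclassify(user_level: str, doc: Document, new_label: str) -> bool:
    # Assumption: the reclassifier must have access at both the current and the
    # proposed level, so nobody can push data beyond their own reach.
    return rank(user_level) >= max(rank(doc.label), rank(new_label))


def reclassify(user_level: str, doc: Document, new_label: str) -> bool:
    """Apply a relabel only if the policy check passes; report whether it happened."""
    if not can_reclassify(user_level, doc, new_label):
        return False
    doc.label = new_label
    return True


if __name__ == "__main__":
    memo = Document("memo.docx", "public")        # constructed sample
    memo.add_content("confidential")              # pasted in a confidential table
    mail = Email("public", [Document("plan.xlsx", "internal"), memo])
    for policy in ("upgrade", "refuse", "prompt"):
        print(policy, check_send(mail, policy))
    print("internal user may open memo:", can_access("internal", memo))
```

The policy decision is returned rather than enforced so that the same check can drive a mail gateway, a desktop plug-in or an audit log; the `refuse` and `prompt` branches are where a deployment decides how much friction users see.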
Emerging products: Online fraud
These tools have matured rapidly because the creativity and effectiveness of online fraudsters
seems to know no bounds, says Peter Stephenson, technology editor.
For this month’s second
examination of emerging products, Technology Editor Peter
Stephenson and his team at the
SC Lab put four new tools under
the microscope which address
the challenge of online fraud –
each in its own way.
Online fraud detection is
not an easy task. Fraud
comes in many flavors
– from malware embedded in
mobile apps to click-fraud and
account takeover. So it is not
surprising that there would
evolve applications that address
portions of the online fraud
landscape. This month, we
took a look at four of these and,
surprisingly, although we had
seen these companies before,
their products and services have
matured considerably.
It also is not surprising that
these tools have matured rapidly because the creativity and
effectiveness of online fraudsters seems to know no bounds.
All one needs to do is watch the
news for the next big breach to
appreciate the task that online
fraud detection represents.
So, it was with a healthy curiosity that we watched these four
products and services perform.
Our conclusion is that while we
are not quite keeping up with
the bad guys – that probably
never will happen, if for no
other reason than not all organizations deploy these advanced
tools – we are getting close to
breathing down their backs.
That’s the good news.
The bad news, of course, is
that if you don’t deploy the tools
you won’t prevent the fraud. To
that end, we were pleased by
their comprehensive capabilities, but a bit daunted by the
price tags. However, for all of
that, remember that one major
breach costs a whole lot more
than the cost of the tools to
prevent it. As we looked at what
these products and services do
and how they do it, we were
reminded of how the various
high-profile breaches of the
past couple of years happened
and how they could have been
prevented. Truly, some organizations can be penny-wise and
These products almost universally act by detecting things
that should not be present but
are. It could be the presence of
abnormal browsing patterns,
malware in the data stream or
malware in an Android app. But
with the availability of sophisticated analysis algorithms,
we are becoming more and
more able to detect very small
The technologies represented
in the four tools we looked at
are prodigious. They address
the problem slightly differently
in each case. One method is to
deploy sensors in web applications to detect anomalous
behavior. Another is to profile
all of the apps in the various
app stores and then compare
the ones being downloaded into
your mobile device with what it
should look like, or blacklisting
apps that come equipped with
malware. Some detect man-in-the-browser attacks.
Overall, we found these four
emerging products to set the
stage for a comprehensive view
of fraud operations against an
organization, but in reality each
organization will have unique
requirements and some mix of
products is necessary. Selecting
fraud protection tools is a serious undertaking and requires
the participation of groups
within the organization that go
beyond IT and cybersecurity.
In a financial services company,
for example, support for the
fraud investigation team may
be appropriate since much of
today’s fraud is, in fact, online.
So, as you look at solutions
to the online fraud problem, be
sure that you include the correct players. The second issue
to consider is: do you want a
hosted service – SaaS – or do
you want an on-premise tool?
While this decision usually is
made based on such things as
cost and support, with these
tools the ability to benefit from
widely distributed data from
other deployments is, perhaps,
The other side of that, of
course, is confidentiality. Keeping your analysis in-house may
make the most sense if you deal
with high value or extremely
sensitive data.
The bottom line when
selecting the appropriate tool
is: understand your environment and the types of fraud it
invites, understand the nature
of your data and how it is used
within your organization, consider the controls already in
place and generally augment
rather than replace them, and
understand how you are prepared to support the tool you
buy. Around the $150K range
for some of these tools, the cost
may not be the best use of your
money.
RiskIQ Platform
Product RiskIQ Platform
Company RiskIQ
Price $35 per 1,000 analyzed pages per
year; for the mobile product, $150,000 per
analyzed brand plus cumulative consumer
downloads per year.
What it does Threat protection centered
outside the firewall.
What we liked This is a truly creative
approach to intercepting web and mobile
threats and diffusing them. We especially
liked the concept of virtual users.
RiskIQ analyzes eight million mobile apps from 91 different app stores. Since
there are far more app stores than Google Play and the Apple App Store, there
is a strong possibility that you’ll find something malicious.
The process of app analysis is rigorous. First, RiskIQ does a full binary reproduction of the app. Then it performs both a static and dynamic analysis. Then it tracks
the apps in the app store and around the world.
At the same time, RiskIQ is busy collecting data across the internet looking for
phishing, malware distribution sites, etc. To do this, the firm uses virtual users rather
than bots or web crawlers. These virtual users behave as real users do when browsing, downloading and using web resources. This activity unearths malicious content,
such as malvertising and enables tracking.
Part of this activity helps RiskIQ locate its customers’ digital assets no matter
where they reside. Analysis also includes the typical tasks, such as passive DNS,
reverse whois and monitoring of activity by Java scripts and widgets. Combining
these techniques with the more sophisticated proprietary analysis capabilities in
the RiskIQ arsenal provides a high assurance of protection against various types of
online fraud.
This is a strong tool, well-conceived and chock-full of reports that contain as little
or as much detail as your particular application requires. For the security or fraud
analyst, there is more than enough information to help identify and respond to
threats. The dashboard can provide a simple and quick view of activity. Overall, this
is a complete product and a unique approach to the problem of online fraud.
RSA Web Threat Detection
Product RSA Web Threat Detection
Company RSA, the security division of EMC
Price Starts at $150,000.
What it does Detects anomalous behavior
on websites.
What we liked The elegance of how this
product monitors the entire click stream in
real time and the sophisticated dashboard
and drill-down scheme.
This tool, provided for on-premise deployment, is a one-stop shop for detecting
most types of online fraud. We have watched this product evolve and it seems
as if it always has some new anti-fraud trick that keeps it on our Emerging
Products list. The variety of fraud types it addresses is prodigious – ranging from
account takeover, DDoS and bots to wire transfer, credit card and random deposit
fraud. Almost every type of anomalous behavior common in today’s online fraud
attempts is covered.
This offering – formerly known as Silver Tail – has one strong point in its favor: it
detects in real time. The key to the tool’s success, besides speed, lies in a combination
of sophisticated analytics and understanding user behavior. Legitimate users behave
differently than fraudsters, and detecting those subtle patterns and deviations in
real time is the best way to interdict fraud attempts, especially when the attempts are
One of the things we liked was the different views available to investigators. The
main UI is targeted at fraud departments. It focuses on fraud activities rather than
the deep technical details that underlie them. However, a deeper dive is just a few
clicks away and user accounts can be managed right from the desktop.
The rules engine is comprehensive and adding new rules is straightforward. Scoring occurs in real time and the results are displayed immediately. Overall, this is
an elegant, well-presented tool with user interfaces and dashboards that simplify a
traditionally difficult and deeply technical task for fraud investigators who are not
deeply technical.
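To make the review's description concrete (a rules engine that scores the click stream as it arrives and surfaces a session the moment it crosses a threshold), here is an added example in JavaScript. It is not RSA's code: the three rules, their weights, the threshold and the sample clickstream are all constructed for illustration, and the point it shows beyond the text is that a sequence rule ("confirmation without the form that precedes it") catches replayed or scripted transactions that no per-request volume check would see.

```javascript
'use strict';

// Constructed sample clickstream (not real traffic). Each event is one HTTP
// request: ts in milliseconds since session start, session id, path, client IP.
// s1: a human-like path through a funds transfer.
// s2: a script that fires twelve login requests in 1.2 seconds.
// s3: a session that lands on the transfer confirmation without ever
//     loading the transfer form, and changes IP address mid-session.
const SAMPLE_EVENTS = [
  { ts: 0,     session: 's1', path: '/login',            ip: '203.0.113.10' },
  { ts: 4200,  session: 's1', path: '/account/summary',  ip: '203.0.113.10' },
  { ts: 9800,  session: 's1', path: '/transfer/new',     ip: '203.0.113.10' },
  { ts: 21500, session: 's1', path: '/transfer/confirm', ip: '203.0.113.10' },
  ...Array.from({ length: 12 }, (_, i) => (
    { ts: 100 * (i + 1), session: 's2', path: '/login', ip: '198.51.100.23' })),
  { ts: 0,     session: 's3', path: '/login',            ip: '198.51.100.7' },
  { ts: 800,   session: 's3', path: '/transfer/confirm', ip: '203.0.113.99' },
];

const WINDOW_MS = 10000;     // sliding window for the velocity rule
const VELOCITY_LIMIT = 8;    // more requests than this inside the window is scripted
const ALERT_THRESHOLD = 50;  // score at which the session is surfaced to an analyst

// Each rule sees the per-session state (already updated with the current event)
// and the event itself, and fires at most once per session. Weights are illustrative.
const RULES = [
  { name: 'request-velocity', weight: 50,
    test: (st) => st.recent.length > VELOCITY_LIMIT },
  { name: 'skipped-transfer-steps', weight: 60,
    test: (st, ev) => ev.path === '/transfer/confirm' && !st.paths.has('/transfer/new') },
  { name: 'session-ip-change', weight: 30,
    test: (st) => st.ips.size > 1 },
];

function newSessionState() {
  return { recent: [], paths: new Set(), ips: new Set(), fired: new Set(),
           score: 0, reasons: [], alerted: false };
}

// Process events in arrival order, scoring each one as it comes in and
// emitting an alert the moment a session crosses the threshold.
function scoreClickstream(events, threshold = ALERT_THRESHOLD) {
  const sessions = new Map();
  const alerts = [];
  for (const ev of events) {
    if (!sessions.has(ev.session)) sessions.set(ev.session, newSessionState());
    const st = sessions.get(ev.session);
    st.recent.push(ev.ts);
    while (st.recent.length && ev.ts - st.recent[0] > WINDOW_MS) st.recent.shift();
    st.ips.add(ev.ip);
    for (const rule of RULES) {
      if (st.fired.has(rule.name) || !rule.test(st, ev)) continue;
      st.fired.add(rule.name);
      st.score += rule.weight;
      st.reasons.push(`${rule.name} at ${ev.path} (t=${ev.ts}ms)`);
      if (!st.alerted && st.score >= threshold) {
        st.alerted = true;
        alerts.push({ session: ev.session, ts: ev.ts, score: st.score, reasons: [...st.reasons] });
      }
    }
    // Recorded after the rules run, so "skipped steps" only sees pages loaded earlier.
    st.paths.add(ev.path);
  }
  return { sessions, alerts };
}

function runClickstreamDemo() {
  const { sessions, alerts } = scoreClickstream(SAMPLE_EVENTS);
  for (const [id, st] of sessions) console.log(id, st.score, st.reasons);
  return alerts;
}

runClickstreamDemo();
```

Session s1 ends with a score of 0, s2 is alerted on its ninth login request (900 ms in) and s3 is alerted on its second request, with the reasons attached so an investigator who is not deeply technical can read why.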
46 SC • November 2014 •
» EMERGING PRODUCTS | Online fraud
IBM Security Trusteer Pinpoint Criminal Detection
Account takeover is a fraud investigator’s worst nightmare. Most tools simply
do not get to the problem in time to remedy it – even though they might offer
a detailed analysis at some point in the future. There are many pieces of the
fraud picture in account takeovers and most of them have been monitored and used
to create risk scores. However, all of these focus on current activity and do not take
into account historical behavior.
One of the things that makes purely statistical models less than optimal is the
tiny share of fraud attempts in the overall clickstream. For example,
the number of fraud attempts per day in a population of 10 million logins might be
as small as 20. That is a ratio of about 0.0002 percent, so small that even a detector
with a very low false-positive rate buries the real cases under far more false alarms. By
comparison, the target populations in voice recognition and online marketing – both of which
are less than perfectly reliable – are several orders of magnitude larger. Clearly, statistical
analysis of this small target population is not viable on its own.
To counter that problem, Trusteer Pinpoint Criminal Detection looks at account
compromise history from phishing or malware, gathers device intelligence to create
a complex device ID, watches in-session user activity along with account access and
transaction history, and applies intelligence data on known fraudsters. Organizations can, if they wish, add specific risk data to the mix to refine the evidence even
All of these data are applied to a real-time risk assessment that results in a recommendation for action to take, why there is a risk and how great the risk is. This lets
risk analysts make the decision to allow the login and transaction or not.
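To put numbers on the base-rate argument above, and to show what an evidence-based recommendation looks like, here is an added example in JavaScript. It is not IBM's or Trusteer's code: the evidence names, weights and thresholds are assumptions chosen for illustration, and the only figures taken from the text are the 20 fraud attempts among 10 million daily logins.

```javascript
'use strict';

// (1) Why population statistics fail at this prevalence.
// Positive predictive value: of the logins a detector flags, what share is real fraud?
function alertPrecision(prevalence, tpr, fpr) {
  const truePos = prevalence * tpr;
  const falsePos = (1 - prevalence) * fpr;
  return truePos / (truePos + falsePos);
}

// Daily analyst load for a population: logins per day, real fraud attempts among
// them, and the detector's true-positive and false-positive rates.
function dailyAlertLoad(logins, frauds, tpr, fpr) {
  const truePos = frauds * tpr;
  const falsePos = (logins - frauds) * fpr;
  return { truePos, falsePos, totalAlerts: truePos + falsePos,
           precision: truePos / (truePos + falsePos) };
}

// (2) Evidence-based assessment. Each kind of evidence the text lists carries a
// weight (illustrative numbers, not Trusteer's), and an organization can add its
// own risk data. The result says what to do, why, and how strong the risk is.
const EVIDENCE_WEIGHTS = {
  deviceUnknown: 25,           // device fingerprint never seen on this account
  accountPhished: 30,          // credentials appeared in a known phishing campaign
  malwareHistory: 30,          // endpoint previously infected with a banking trojan
  remoteAccessTool: 35,        // session driven through a remote-access tool
  anonymizingProxy: 20,        // source is a known proxy, VPN or Tor exit
  knownFraudsterIndicator: 50, // matches shared intelligence on known fraudsters
};

function assessLogin(evidence, orgRiskWeights = {}) {
  const weights = { ...EVIDENCE_WEIGHTS, ...orgRiskWeights };
  let score = 0;
  const reasons = [];
  for (const [name, weight] of Object.entries(weights)) {
    if (evidence[name]) { score += weight; reasons.push(`${name} (+${weight})`); }
  }
  const action = score >= 70 ? 'deny' : score >= 30 ? 'step-up' : 'allow';
  return { score, action, reasons };
}

function summarizeBaseRate() {
  // Text's population: 10M logins, 20 fraud attempts. A detector that catches 95%
  // of fraud with a 0.1% false-positive rate still hands analysts ~10,000 alerts/day.
  const load = dailyAlertLoad(1e7, 20, 0.95, 1e-3);
  console.log(`alerts/day: ${load.totalAlerts.toFixed(0)}, ` +
              `precision: ${(load.precision * 100).toFixed(2)}%`);
  console.log(assessLogin({ deviceUnknown: true, accountPhished: true }));
  return load;
}

summarizeBaseRate();
```

Even at a 0.001 percent false-positive rate the same detector yields roughly 100 false alerts for 19 real ones, which is why the product reaches for specific evidence (device history, phishing and malware history, remote-access indicators) rather than deviation from a population norm.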
Product IBM Security Trusteer Pinpoint
Criminal Detection
Company IBM
Price Starts at $25,000 based on number
and type of users.
What it does Account takeover detection
and prevention.
What we liked Designed to detect complex
takeover fraud using evidence-based detection based on such data as malware history,
phishing history, remote access and proxy
White Ops Advanced
One of the biggest threats to websites – especially financial services or e-commerce sites – comes from bots. Bots automate the entire browsing process
and do it so quickly that it is difficult to detect and differentiate bot traffic
from legitimate traffic. What is needed is Captcha on steroids and that is exactly what
White Ops Advanced is. This is not a batch process. Rather, it is real-time bot fingerprinting. It actively interrupts the botnet process model rendering it less effective.
It detects bots and malware attacks in real time. It differentiates any automated
browser-based request from a normal user request. It does this by placing a small tag
in the HTML of a web page. This is a Detection Tag and it is registered with the White
Ops cloud. The Detection Tag detects when a browser has been automated or controlled remotely and notifies the fraud investigator with data about the session.
The system has a special propensity for detecting malware through its activity. One
example of malware that has had a major impact on the financial services industry is
the banking trojan, such as Zeus and its many variants. Because the Detection Tag is
lightweight, it has no discernible effect on page performance, allowing up to a billion sessions per day without impacting those sessions.
Another interesting aspect of White Ops Advanced is that it is deterministic: it
makes a decision based on specific evidence and arrives at a specific
conclusion. Many similar systems are probabilistic, meaning that they use heuristics
to approach a possible set of solutions and then rank them by probability. Provided
the evidence itself is reliable, a deterministic approach limits false positives, gets to
the problem faster and gives the investigator a concrete reason for the verdict.
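The logic of a detection tag, and the difference between a deterministic verdict and a heuristic one, as an added example in JavaScript. This is not White Ops' tag or its detection logic; the checks are the generic, publicly known indicators of a WebDriver- or headless-driven browser, the form-timing input is an assumed measurement the tag would take, and the two sample "windows" are constructed objects so the code runs under Node rather than in a page (in a real deployment `collectSnapshot` would be handed the page's `window` and the beacon would be posted to the detection service).

```javascript
'use strict';

// Globals that known automation frameworks leave on `window`.
const AUTOMATION_GLOBALS = [
  'callPhantom', '_phantom', '__nightmare', 'domAutomation',
  'domAutomationController', '_selenium', '__webdriver_evaluate', '__driver_evaluate',
];

// Gather the raw signals from a window-like object (in the page this is `window`;
// the samples below are constructed objects so the code runs under Node).
function collectSnapshot(win) {
  const nav = win.navigator || {};
  return {
    userAgent: String(nav.userAgent || ''),
    webdriver: nav.webdriver === true,
    pluginCount: nav.plugins ? nav.plugins.length : 0,
    languageCount: Array.isArray(nav.languages) ? nav.languages.length : 0,
    outerWidth: win.outerWidth | 0,
    outerHeight: win.outerHeight | 0,
    automationGlobals: AUTOMATION_GLOBALS.filter((name) => name in win),
  };
}

// Deterministic classification: each "hard" check is a specific observation that
// only an automated or remotely driven browser produces, and one of them is enough
// for a definite verdict with the evidence named. "Soft" signals are recorded but
// never decide on their own; that is the probabilistic territory the text contrasts.
// fillToSubmitMs: time from first keystroke in the login form to submit, as the tag
// would measure it in-page (assumed input, not part of the snapshot).
function classifySession(snapshot, fillToSubmitMs = null) {
  const hard = [];
  const soft = [];
  if (snapshot.webdriver) hard.push('navigator.webdriver=true');
  if (/HeadlessChrome|PhantomJS/.test(snapshot.userAgent)) hard.push('headless user agent');
  for (const g of snapshot.automationGlobals) hard.push(`automation global window.${g}`);
  if (snapshot.outerWidth === 0 && snapshot.outerHeight === 0) hard.push('window has no outer dimensions');
  if (fillToSubmitMs !== null && fillToSubmitMs < 50) hard.push(`form completed in ${fillToSubmitMs} ms`);
  if (snapshot.pluginCount === 0) soft.push('no plugins');
  if (snapshot.languageCount === 0) soft.push('no languages');
  const verdict = hard.length ? 'automated' : soft.length ? 'unverified' : 'no-automation-evidence';
  return { verdict, evidence: hard, signals: soft };
}

// What the tag would report to the detection service for the session (no network here).
function buildBeacon(sessionId, snapshot, fillToSubmitMs = null) {
  const result = classifySession(snapshot, fillToSubmitMs);
  return JSON.stringify({ sessionId, ...result, userAgent: snapshot.userAgent });
}

// Constructed samples: an ordinary desktop browser and a WebDriver-controlled headless one.
const HUMAN_WINDOW = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36',
    plugins: [{ name: 'Chrome PDF Viewer' }, { name: 'Shockwave Flash' }],
    languages: ['en-US', 'en'],
  },
  outerWidth: 1366, outerHeight: 768,
};
const BOT_WINDOW = {
  navigator: {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/60.0.3112.113 Safari/537.36',
    webdriver: true, plugins: [], languages: [],
  },
  outerWidth: 0, outerHeight: 0,
  __webdriver_evaluate: function () {},
};

console.log(buildBeacon('sess-human', collectSnapshot(HUMAN_WINDOW), 2300));
console.log(buildBeacon('sess-bot', collectSnapshot(BOT_WINDOW), 12));
```

The caveat the review's "obviously" glosses over is visible in the code: the verdict is only as certain as the evidence, so a check belongs in the hard list only when a normal browser cannot produce it; a browser with no plugins is a signal, not a conclusion.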
Product White Ops Advanced
Company White Ops
Price Varies with the deployment.
What it does Provides evidence-based bot
and malware detection with high certainty,
in real-time, on any browser-based web
What we liked This is so easy to use
and the user interface and dashboard so
straightforward that it is almost deceptively
simple.
The elephant in the room

We openly discuss and debate security technologies, but many organizations are reluctant to discuss the people-centric issue of insider threat. We are all aware of it, we inherently know the risk to our company, but yet the topic seems to be taboo in many organizations. Whatever your organization or industry, regardless of size or location, we all face the unpleasant reality that we are vulnerable to an insider attack. In an era of team-building and empowerment, most organizations are hesitant to talk about the insider threat because it means that one of our own trusted employees may steal the lifeblood of the organization.

The reality is that regardless of your industry, the size of your organization or the type of business you have, the insider threat is a menacing reality. To compound the issue, job consolidation and downsizing in many organizations have resulted in broader access to sensitive data by many of our employees. Most organizations are adept at knowing when an outsider attempts to access or steal proprietary data, but how do you sense data theft by an employee with legitimate access?

How prevalent is the issue? According to Forrester Research, insiders represented the top source of breaches over the last 12 months. Indeed, 25 percent of those participating in the study said a malicious insider was the most common way a breach occurred. Let’s also acknowledge that insider attackers are likely to cause more damage than external attackers. The Open Security Foundation published data showing that while insiders were responsible for only 19.5 percent of incidents, those incidents were responsible for 66.7 percent of all exposed records.

Organizations need to do their part to deter intellectual property theft. It’s time for the tough conversations. Involve all levels of management, HR and legal. Admit the susceptibility of your organization to the insider threat and develop aggressive plans to guard your

The FBI offers the following advice to get started:
• Educate and regularly train employees on security or other
• Ensure that proprietary information is adequately, if not robustly, protected.
• Use appropriate screening processes to select new employees.
• Provide non-threatening, convenient ways for employees to report
• Routinely monitor computer networks for suspicious activity.
• Ensure security (to include computer network security) personnel have the tools they need.

Remind employees that reporting security concerns is vital to protecting your company’s intellectual property, its reputation, its financial well-being, and its future. They are protecting their own jobs.

At its root, this is a people and cultural issue. We can monitor with technology, but if we hope to fully address this threat we must develop programs that will change the way people think about their obligation to protect company data. Start having the hard conversations with senior management. You will find they are just as concerned with the “elephant in the room,” but may not have known a way to discuss it without violating company culture or seeming like “big

Further, use external resources to come in and talk about the insider threat. Additionally, take the initiative to help management understand that the insider threat is a pervasive problem that must be addressed. Bring the issue into the light and focus on culture change. The benefits to your organization are very real.

Gene Fredriksen is global information security officer at Public Service Credit Union.

Photo by Bob Croslin: Bring the insider issue into the light and focus on culture change, says PSCU’s Gene Fredriksen.

Events | Seminars

»SANS Sydney 2014
Nov. 10-22
SANS Sydney 2014 is being held over two weeks to allow attendees to choose multiple courses from SANS’s most diverse course offering yet. Top instructors will ensure enrollees not only learn the material but can apply it immediately when back in the office.
Venue: Sydney, Australia

Seattle SecureWorld
Nov. 12-13
One of North America’s most vital cybersecurity conferences, providing globally relevant education, training and networking for cybersecurity professionals on a regional level. Speakers include Robert Bigman, CEO, 2BSecure and former CIA, recognized as a pioneer in the field of classified information protection; and David Matthews, associate, MKHamilton & Associates and founder of the Cyber Incident Response Coalition and Analysis Sharing
Venue: Seattle
Pen Test Hackfest 2014
Nov. 13-20
SANS Pen Test Hackfest Training Event and Summit is an ideal way to take your penetration testing and vulnerability assessment skills to an entirely new level. Featuring top-rated, industry-leading experts sharing their best tips and advice, this must-attend event is focused on building skills that deliver high value in your work projects.
Venue: Washington, DC
SC Congress Chicago
Nov. 18
SC Congress Chicago returns
to the Windy City for another
exciting one-day program. We’re
bringing together leaders in the
information security industry in
both the public and private domains. You will have a chance to
walk our expo floor exploring the
latest trends and products best
suited for your company, as well
as sit in on keynote and breakout
sessions. Don’t miss this opportunity to earn nine CPE credits,
network with other information
security professionals, and better
equip yourself to stay ahead of
the pack.
Venue: Chicago
Contact: congress.scmagazine.
CSA EMEA Congress
Nov. 19-20
The Cloud Security Alliance and
MIS Training Institute announce
the 2014 EMEA Congress. The
CSA is one of Europe’s premier
cloud security events as a
gathering and information hub
for end-users and industry
players alike. The congress’s mix
of research and development,
end-user and industry audience
members promises compelling
sessions and networking and
business opportunities.
Venue: Rome
Contact: cloudsecurityalliance.
Start here for a calendar of events. To have your event included, contact [email protected]

»Gartner Identity & Access Management
Dec. 2-4
Attendees will gain the latest strategies to help craft an IAM vision defined by business objectives, build consensus across stakeholders, set appropriate expectations and execute successfully, to accelerate progress at every stage of IAM maturity. Make sure you’re prepared for mobile, cloud, IAM as a service, the Internet of Things and other emerging challenges.
Venue: Las Vegas
»Healthcare Cyber
Security Summit 2014
Dec. 3-10
Security experts from leading health care companies will
discuss proven approaches for
securing the new health care
environment. Meet leaders from
health care organizations and see
what works in securing health
care. Learn how health care
organizations can balance the
security, compliance and innovation required to thrive.
Venue: San Francisco
SANS Cyber Defense
Initiative 2014
Dec. 10-19
Courses in IT security, security
management, IT audit, penetration testing and computer forensics, including short courses
that can be taken with a long
course to enhance professional
training. Every event is designed
to equip attendees with cutting-edge knowledge and skills
required to combat today’s
cybercriminals and protect
corporate assets.
Venue: Washington, DC
SANS Security East
Jan. 16-21
SANS will provide outstanding
courses in IT security, forensics
and security management.
Venue: New Orleans
Infosecurity Europe
June 2-4
Infosecurity Europe features more than 325 exhibitors, the most diverse range of new products and services, an education program with over 100 hours of free education, and 13,000-plus visitors from every segment of the industry. It is a must-attend for information security professionals.
Venue: London
Privacy and the Internet of Things

The question has been posed: Privacy and the Internet of Things (IoT), can they coexist? However, a better question is: Can privacy and IoT thrive? The answer is a resounding Yes! Together, they bring unparalleled value, opportunity, efficiency, service, and connectivity. But, for privacy and IoT to thrive there needs to be commitment, discipline, imagination, respect and restraint by those who work in, and exploit, the personal information ecosystems that IoT is creating.

There are different definitions of privacy. In this discussion, we are talking about data privacy, which can be defined as the fair, legitimate and authorized processing of personal information.

IoT includes devices that are manipulated by people (smartphones, desktops, tablets), devices that support very limited interfaces (point-of-sale and medical tools), and devices that communicate with other devices in the process of observing or managing the physical world (remote sensors, location trackers, meters, industrial controls) in automated or semi-automated manners. It all sits on a common network technology, like internet protocol (IP), or behind a gateway sitting on an IP network. One way or another, most of these networks are

For privacy and IoT to thrive, here are a few prerequisites: There needs to be adoption and formalization of the notion of privacy engineering so that the devices, sensors and networks that form the IoT are designed, built and managed to ensure that personally identifiable information (PII) is flagged early in the design process, and privacy is built in and not bolted on.

Privacy needs to be thought of as a functional requirement and not just a quality attribute. In order to do this, one must look at the components of privacy as articulated by such things as the Fair Information Practice Principles (FIPPs) and the Generally Accepted Privacy Principles (GAPP), and apply them to the data and functions of what is being created throughout the data’s lifecycle.

A shift in perspective is also needed around privacy policy: from being a document linked to a web page that delivers boring but necessary notices about data practices to becoming a strategic document that’s essential and highly valued. The privacy policy must inform and guide use cases, business data models and user requirements in a more articulate way than just “meet privacy compliance.”

Be prepared to be more expansive and less narrow as to what is PII. The definition must move beyond standalone datasets that include individual identity and activities to include the notion of being able to link and correlate identity and activity across infobases.

Finally, the corporation must be strong, willing, able and supportive. It must recognize trust and respect, and abide by the notion that users of IoT are its customers and not its inventory.

There is and always has been a tension between privacy, technology and innovation. IoT is not the first example of this tension. With each challenge we have learned to not merely co-exist, but thrive. IoT will be no different. In fact, good privacy engineering will help the IoT accelerate and thrive.

At McAfee, part of Intel Security, Jonathan Fox is director of data privacy and Tyson Macaulay is global VP of telecommunications strategy within the office of the CTO.

Photo caption: With parameters, new tech can help your business, say McAfee’s Jonathan Fox (left) and Tyson Macaulay.