Tuesday, 13 September 2016

Mega breaches: What’s behind the headlines?

Nowadays, barely a day goes by without an organisation getting hacked. In this age of ‘big data’, cyber criminals can compromise almost any type of personal information. As technology continues to evolve, so does the number of routes by which criminals can gain access to sensitive information. These attacks are also increasing as more businesses use the cloud, adopt Bring-Your-Own-Device (BYOD) policies and deploy other connected devices.

Why do attacks happen?

More often than not, hacks are conducted with criminal intent. Hackers are on the look-out for what will benefit them – financially or otherwise. The cyber crime landscape is always changing and organisations can find it difficult to stay ahead. There are a number of forms hacks and cyber-attacks can take, including:
  • State-sponsored attacks/cyber espionage: Considered by many to be the new form of inter-state spying. This is usually to uncover state secrets or areas of interest that may be useful to the country carrying out the attack
  • Insider threats: Insider threats are attacks carried out – both accidentally and maliciously – by those within an organisation. The risk of insider threats is on the rise, with 64 percent of security professionals saying insider threats occurred more frequently in 2015[i]
  • External attacks: On a basic level, these are attacks by anyone outside of an organisation. However, beyond that the reasons behind external attacks can differ greatly – state-sponsored attacks are an example. More usually, external hackers are simply cyber-criminals out for personal financial gain.
Our paper, ‘Mega Breaches: Behind the headlines’, examines the rise in mega breaches, why they happen and some of the most highly publicised mega breaches of the past couple of years. The paper also explores what steps organisations can take to mitigate the risk and protect sensitive data.



[i] Insider Threat Report 2015, Computer Weekly: http://www.computerweekly.com/ehandbook/Insider-Threat-Report-2015

Thursday, 7 July 2016

Ilex International and Goode Intelligence explore the future of mobile security

Ilex International has worked with mobile security research and consultancy specialist, Goode Intelligence, to develop a white paper which explores the increase in mobility – and why it’s still not fully accepted by the enterprise. For many, this is because they do not want to sacrifice usability, yet cannot accept inadequate security controls either. With 80 percent of adults expected to have a smartphone by 2020, the paper looks at the future of mobile security and how a next generation security solution should operate – introducing Ilex International’s Sign&go Mobility Center.

Research suggests the number of smart mobile devices (SMDs) managed in the enterprise increased by 72 percent from 2014 to 2015. While a significant increase, this number shows that businesses are still not embracing mobile to its fullest potential and making devices more readily available in the workplace. This is due to technology, security and regulatory concerns held by the IT department.

So, what is the solution? There is no doubt enterprises face a significant challenge in providing improved applications through mobile. Goode Intelligence believes convenience, mobility and strengthened security all need to be considered – while meeting the company’s legal obligations. Goode Intelligence has researched this topic in depth since 2007 and considers five characteristics to be key to next generation mobile security:
  1. Focus on users
  2. Agile multi-factor authentication (MFA)
  3. Mobile Single-Sign-On (SSO)
  4. Protect data
  5. Simplified unified security
Ilex International’s Sign&go Mobility Center is a solution that combines all of the features of a modern mobile security solution without the pain of having to mix and match separate tools into a unified service. Find out more about Sign&go here.

Read the full Goode Intelligence report here.

Thursday, 30 June 2016

Are your identity and access management systems effective?

Information is the lifeblood of all organisations. It is essential to measure what is tangible and also to recognise the intangible impacts, so as to understand their effects on organisational decision-making.

Establishing an understanding of the effectiveness of an organisation’s identity and access management (I&AM) control systems is not straightforward. It is equally challenging to identify the efficiency with which these systems meet the desired levels of effectiveness. For example, requiring employees to recall numerous identifiers and associated passwords has complex impacts on security effectiveness and hinders employee productivity.

CISOs and other cyber security professionals often acknowledge the challenge in obtaining clear visibility of which approved users in their organisation (and in their partners/agents organisations) have authorised access to applications/resources in their IT infrastructure.

I&AM practitioners assess the effectiveness and efficiency of identity and access management systems using ten broad evaluation themes.

1. Functional requirements


This theme determines the extent to which an organisation’s I&AM systems fulfil their functional requirements (e.g. supporting user enrolment, credential distribution etc.) to manage users’ (e.g. employees, agents, customers etc.) access to applications/resources. Functional requirements are derived from an understanding of several factors, including business operational requirements, the characteristics of the user communities and their devices, the applications/resources needing protection, and the technological and regulatory constraints of the operating environments. Political and stakeholder economic interests may also influence an organisation’s functional requirements, and also the performance requirements it sets to mitigate identified risks to its assets.

2. Performance requirements


Performance requirements relate principally to the accuracy and speed with which an organisation’s I&AM systems authenticate approved users. While biometric user authentication systems strive to meet tough imposter detection and genuine user authentication threshold rates, the true accuracy of some knowledge-based user authentication systems is often masked, e.g. passwords can be phished.

A requirements evaluation should determine acceptable and realistic accuracy/throughput rates, based upon practical experience in the intended operational environments and the organisation’s risk mitigation strategy. These rates should not be taken from uncorroborated vendor claims. Empirical evidence suggests that, for some biometric authentication systems, insufficient thought has been given to setting acceptable performance in relation to risks. The inevitable result is that the performance of some biometric user authentication systems falls short of an organisation’s expectations.

3. Regulatory alignment, including privacy protection


This theme is designed to assess the ability of an organisation’s I&AM systems to demonstrate their compliance with data protection, privacy, social accessibility and discrimination legislation. Equally, this assessment needs to establish the degree to which deployed I&AM systems comply with an organisation’s governance and security policies, or possibly international standards.

4. Technical reliability 


This theme evaluates the assurance capabilities of an organisation’s I&AM system: its ability to resist attack and/or errors and to detect when its user authentication method has been compromised. An assessment needs to identify unauthorised access attempts in order to establish how well its user authentication methods resist various types of attack, and to ascertain how difficult it is to produce artefact and/or credential data that circumvents the user authentication system.

Tests planned for an assurance assessment require substantiated data from audit logs which record the user access events and the corresponding administrative actions. The tests should take place during planned day-to-day activities and should additionally allow for unexpected events. Assurance testing should involve individuals from the intended user community in their operating environment in order to augment assurance test data produced under controlled conditions.

5. Usability of the user authentication methods


This assessment theme is designed to assess the usability of the deployed I&AM system’s user authentication method, particularly regarding the alignment of the user interaction dialogues with the users’ everyday tasks.

The inadequacies of HCI security designs often dilute the effectiveness of preventative controls. Despite these usability design deficiencies, security effectiveness is improved by enabling users to make informed decisions from having a better understanding of a device’s security operations.

Knowledge-based authentication systems mainly attract password management problems for users. Increasing the number of permitted password attempts could improve users’ chances of recalling the right password. However, this strategy may marginally increase the opportunity for an external adversary to obtain that authentication data.

6. Accessibility of the user authentication methods


The criteria in this theme are designed to gauge the extent to which the organisation’s deployed user authentication methods exclude certain members of the user community.

An organisation’s I&AM system’s user authentication method may require individuals in the user community to possess specific technologies, sensory skills and/or cognitive skills. Equally, some individuals may fail to enrol for some biometric systems because they are unable to provide signals of sufficient quality, e.g. capturing fingerprint minutiae. Some customers may simply refuse to use an Internet Service and the associated I&AM system due to the unacceptability of some biometric modalities.

7. I&AM system’s manageability


This theme is designed to assess an organisation’s ability to manage the computer application systems, networks, devices and other components/technologies during the anticipated lifetime of its deployed I&AM systems. The competencies required of the personnel who support the organisation’s I&AM system’s components may lead an organisation to seek cloud-based user authentication systems.

8. Technical and non-technical vulnerabilities


This evaluation theme relates to the identification of deficiencies in the organisation’s I&AM systems and the potential impact in the event that the organisation’s I&AM systems are not able to function fully as designed.

This assessment includes the protection of the authentication data upon which user authentication takes place. Non-technical vulnerabilities include the likelihood of user error. Users’ limited capacity to memorise multiple or complex passwords may lead to undesired behaviour, such as saving passwords on devices for easy access.

Additional controls may need to be introduced to minimise the impact of the identified vulnerabilities. However, this invariably increases the expenditure required to mitigate the risks associated with user access control.

9. Identified issues


This theme is designed to evaluate the issues identified during an assessment of the organisation’s operational usage of its I&AM systems. According to many security practitioners, all I&AM systems possess vulnerabilities, attract issues and incur costs.

Again, organisations may incur additional costs in attempting to reduce the impact of the issues associated with their deployed I&AM systems. The costs of mitigating residual risks and identified issues should be proportionate to the value of the assets to be protected.

10. Stakeholders’ costs


This theme is designed to review the costs (both direct and indirect) of an organisation’s I&AM systems in managing risks and fulfilling organisational objectives.

Direct costs relate to the expenditure (capital and operating) of the identity and access management systems themselves. These expenditures include software components, infrastructure costs (network, PKI, etc.) and also support, including personnel costs. Indirect costs relate to the losses and recovery/compensation expenditure associated with access control security breaches. Lost productivity may also be construed as an indirect cost.

These cost elements are essential for decisions relating to the deployment of I&AM systems, weighing risk mitigation against cost, and for security return on investment predictions.

Conclusion

Acquired data needs to be evaluated in an analytical framework in order to make sense of information collated from a variety of organisational perspectives, e.g. business activities, risk management, legal and regulatory compliance, IT operations etc. The qualitative data acquired helps to explain the quantitative data gathered during an evaluation.


Tuesday, 17 May 2016

Confidence high despite Government’s latest cyber security research showing growth in cyber attacks on British businesses


Earlier this week, the Government released the findings of its latest CyberSecurity Breaches Survey which revealed that 65 percent of big businesses had suffered a cyber attack in the past year. The research also highlighted that the cost of these attacks on businesses reached millions.

Together with our recent research and Breach Confidence Index, these findings raise serious concerns about the misplaced confidence levels among British businesses. Our study found that almost a quarter (24 percent) of the IT decision makers surveyed were ‘very confident’ and 59 percent ‘fairly confident’ that their business is protected against a data security breach.



Ilex International’s Breach Confidence Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. Given the latest statistics in the government’s CyberSecurity Breaches Survey, there is a major gap between the perception and reality of security breaches among businesses. 

With the UK being a leading economic centre and a major target for cyberattacks, the high confidence level is worrying and completely misplaced. Our research shows that businesses have a false sense of security which could result in an increase in security breaches.

Britain’s businesses are being urged by Ilex International and the Government to better protect themselves from cyber criminals, investing in better cyber security measures. Ilex International’s Breach Confidence Index uncovers the reasons why British businesses had suffered a security breach and best practices for prevention.

Thursday, 21 April 2016

The Panama Leaks: A review


On Sunday, 3rd April the world was alerted to an unprecedented breach of over 11 million documents, stolen from Panamanian law firm Mossack Fonseca. Included in the documents were financial records, passports and correspondence with some of the world’s wealthiest people, dating back 40 years. The documents amounted to 2.6 tera-octets (terabytes) of data and were sent to global media outlets.

A number of current and former heads of states and celebrities have since been implicated in the year-long investigation, which has uncovered 214,000 off-shore organisations across more than 200 countries.

Considering the sensitive nature of the data and the potentially disastrous consequences of a leak – how did such a law firm experience such a devastating breach? Surely a company like this would have stringent measures in place to protect its customers…?

How

So far, all Mossack Fonseca themselves have admitted is a hack of their email server. However, cyber security experts the world over are in agreement this is highly unlikely. Rather, it would be more probable that it’s the work of an insider; someone that has access to the firm’s most important data. The media outlets involved claim the anonymous source who provided them with the documents was “concerned by what they saw in the documents”, which would support the claim that it was carried out by an insider.

Prevention  

First and foremost, companies need to stop resting on their laurels and thinking they are not going to be attacked. There are too many that believe it simply won’t happen to them and because of this, they do not have stringent protections and procedures in place to safeguard company and user data. In the case of the Panama Leaks, it’s outrageous to consider that a law firm such as Mossack Fonseca, holding such sensitive and potentially damaging information would have such lax security in place.

In order to prevent or lessen the risk of a security breach, there are a number of best practices companies can implement. Used correctly and in conjunction with each other, they let organisations be sure that they are doing all they can to keep their customers’ data safe.
  1. Prioritising data: Companies need to decide what data is most valuable and focus on putting tight identity and access controls around the data that matters the most.
  2. Need to know access: Following this, it’s important to guarantee sensitive data is only available on a strictly need-to-know basis. By determining who should have access to what information, companies can closely audit access and make sure only those that need to are able to access the data, with strict procedures in place when anomalies occur.
  3. Educating employees: The cruciality of cyber security needs to be recognised company-wide; educating employees from day one is paramount to a company’s success in minimising the risk of a security breach. Incorporating a cyber security ‘manifesto’ into an organisation’s training policies is one way to introduce previously unaware staff to the principles of cyber security. Often more effective is establishing a cyber security training course, which users need to pass in order to show they are engaging with the topic and understand the implications of a security breach.
  4. Identity and access management: Unfortunately, it’s impossible to protect data 100 percent – this is why implementing a proper identity and access management system is crucial for businesses that are serious about protecting their own and their clients’ data. Key for companies of all sizes, identity and access management represents the foundation of a secure system. It’s all well and good investing money in securing applications and networks, but if organisations are unaware of who their users are and don’t control their access, that investment is worthless.

Lessons  

So what lessons can companies like Mossack Fonseca learn from the Panama Leaks?

  • Be practical: Always make sure your shield is powerful enough to protect you from the might of the sword. Given the determination of governments around the world to fight tax evasion, that sword is going to become a lot more powerful. This is why working with organisations that have implemented proper cyber security strategies and solutions is a much safer and, in the long run, cheaper option – which is true for any legitimate business.
  • Be strategic: When it comes to cyber security, you are only as strong as the weakest link in your organisation. People and businesses need to stay away from weaker organisations if they want their private and sensitive information to be preserved.
  • Be truthful: At the end of the day, tax evasion is illegal – and there is a growing movement to ensure it is made harder to commit. In a case like this, for many people, it can be difficult to see the hacker as the ‘baddie’. Don’t do the crime if you can’t do the time.

Tuesday, 23 February 2016

59% of the UK workforce is looking for a new job: Five best practices for managing access


Research shows that over half (59 percent) of the UK workforce is actively looking for a new job in 2016*. Ilex International’s report, ‘Staff migration: The security impact to businesses’, emphasises the importance of controlling access to systems and sensitive data especially when employees leave.

Our recent YouGov research found that 39 percent of large businesses take up to a month to close dormant accounts, leaving the door wide open to opportunistic hackers and disgruntled former employees. Large businesses performed better than small and medium size businesses, with 58 percent removing access to data on or before the day of departure, compared to 56 percent of medium and 32 percent of small businesses.

Disgruntled employees or partners are unlikely to wait until a month after leaving to access confidential company information. Access is likely to be sought in a matter of days. The research findings highlight the importance of having a system in place that helps close inactive accounts immediately.

Ilex International recommends five best practices for controlling account access and minimising the security risks of a shifting workforce:

1. With employees and contractors constantly moving, it is crucial to shut down inactive accounts fast, along with removing any associated access rights. By closing dormant accounts, businesses are removing a possible entry point for cyber criminals.

2. When it comes to security, there is no such thing as zero risk so it’s key for businesses to focus on protecting critical data. By being aware of what the most sensitive data is, companies can ensure it is available only on a need-to-know basis.

3. Access to data should be closely tracked and audited to ensure only users who are meant to access critical data have permission to do so. Processes have to be in place if any anomalies occur.

4. Companies should implement a strong Identity and Access Management solution. Identity and Access Management is the foundation of a secure system, enabling companies to easily identify and manage their user base and control who has access to their data.

5. Companies can also minimise risks by educating employees on the importance of cyber security and the impact a breach can have. Lack of employee education was cited as a key reason for security breaches by 15 percent of respondents in the Breach Confidence Index. With the workforce constantly shifting, this has to be done on a regular basis in order to be efficient.
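As an added example (not code from the Ilex report or its research), the following Python check reconciles an HR leaver list against a directory export to surface the gaps the first three practices describe: leaver accounts still enabled, accounts used after the leave date, leavers still holding group rights, and current accounts dormant beyond a threshold. Every user name, date and the 90-day dormancy threshold is constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the Ilex report): an HR leaver list and a
# directory export with each account's enabled flag, last login and groups.
LEAVERS = {
    "alice": date(2016, 2, 1),   # left 1 Feb, account never closed
    "bob": date(2016, 1, 15),    # left 15 Jan, correctly offboarded
    "carol": date(2016, 2, 20),  # left 20 Feb, still enabled
}

ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2016, 2, 3),
     "groups": ["finance-ro", "vpn"]},
    {"user": "bob", "enabled": False, "last_login": date(2016, 1, 14),
     "groups": []},
    {"user": "carol", "enabled": True, "last_login": date(2016, 2, 19),
     "groups": ["hr-admin"]},
    {"user": "dave", "enabled": True, "last_login": date(2015, 10, 1),
     "groups": ["vpn"]},
]

# Review date for the check (constructed; the post's publication date).
AS_OF = date(2016, 2, 23)


def find_offboarding_gaps(accounts, leavers, today, dormant_days=90):
    """Return (user, finding, days) tuples for four conditions:
    - enabled_after_departure:    a leaver's account is still enabled
    - login_after_departure:      a leaver's account was used after leaving
    - residual_group_membership:  a leaver still holds access rights
    - dormant_account:            a current user idle for > dormant_days
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in leavers:
            left = leavers[user]
            if acct["enabled"] and today >= left:
                findings.append((user, "enabled_after_departure", (today - left).days))
            if acct["last_login"] > left:
                findings.append((user, "login_after_departure",
                                 (acct["last_login"] - left).days))
            if acct["groups"]:
                findings.append((user, "residual_group_membership", len(acct["groups"])))
        elif acct["enabled"]:
            idle = (today - acct["last_login"]).days
            if idle > dormant_days:
                findings.append((user, "dormant_account", idle))
    return findings


def remediate(accounts, leavers, today):
    """Apply the closure step: disable every leaver's account and strip its
    group memberships. Returns the users changed, for the audit trail."""
    changed = []
    for acct in accounts:
        user = acct["user"]
        if user in leavers and today >= leavers[user]:
            if acct["enabled"] or acct["groups"]:
                acct["enabled"] = False
                acct["groups"] = []
                changed.append(user)
    return changed


if __name__ == "__main__":
    for user, finding, days in find_offboarding_gaps(ACCOUNTS, LEAVERS, AS_OF):
        print(f"{user:6} {finding:26} {days}")
    print("remediated:", remediate(ACCOUNTS, LEAVERS, AS_OF))
```

A login recorded after the leave date survives remediation on purpose: disabling the account closes the door, but that event still needs investigating.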

Click here to find out more about Ilex International’s research into account access and for more information on what you can do to make sure your company’s data is protected.

______________________________________
* Hays UK Salary and Recruiting Trends 2016: http://www.hays.co.uk/salary-guide/index.htm