Not to frighten anyone with this post but the naysayers to the threat of cyberwar must awaken. An article on the BBC news website talks about a hacker that gained access to one of the water pumps and damaged it by quickly turning it on and off.
A lot of critical infrastructure components controlled by SCADA applications were not specifically built with security in mind. Speaking from experience, I know that most of the SCADA applications were front-ended with applications written in Java, .NET and, prior to that, Visual Basic. The basic purpose was to make the interface slicker and provide distributed controls to operators. Now, unless these applications are segmented off from the net-enabled segment, they will be vulnerable to attack.
I speak about this from years of experience in the automation industry and hope that the security flaws are looked at seriously before someone causes serious damage.
Here is a link to the article: http://www.bbc.co.uk/news/technology-15817335
With Identity Intelligence being the rage at the last Gartner IAM Summit in London, we expected Securonix to get the spotlight with the innovative Access Risk Intelligence offering. We just did not anticipate the amount of attention we would garner and the water cooler discussions we would stir up.
I will attempt to be as objective as I can and provide readers of this blog an opportunity to form their own opinion. Feel free to leave us comments about your thoughts on this topic.
I believe Earl Perkins, the distinguished analyst from Gartner, coined the term Identity Intelligence to refer to the strategic purpose that Identity and Access Management can play in the decision-making process for security professionals and ‘C’ level executives. The central theme of Identity Intelligence is the move of IAM technologies from User Administration to User Intelligence.
At Securonix, we believe Identity Intelligence is core to preventing Insider Threats within the enterprise. Given the right intelligence, organizations can prevent fraudulent actions, data breaches and Intellectual Property theft. Identity Intelligence plays a key role in security by bringing all identity-related information together and mining this information for key threats to the enterprise.
The three major core components of Identity Intelligence include:
- Enhanced Visibility: It is pertinent to have complete knowledge of who a user is, what they have access to, what they are accessing and what policies they are violating. This 360-degree view of a user within the enterprise enables better controls and mitigates security risks within the enterprise.
- Actionable Intelligence: It is not enough to know the users within your IT infrastructure. Organizations cannot track every user action happening within their enterprise. It is more important to receive actionable intelligence that can help organizations prevent the next data breach.
- Risk Based Controls: Risk plays a very important role in Identity Intelligence. There is inherent risk with any user identity having access to critical applications and doing activities on those applications. With proper risk ranking of user access privileges, user activities and violations, security professionals can focus on the mitigating actions that matter most to their organizations.
At Securonix, we have developed an innovative technology that focuses on these 3 core components of Identity Risk Intelligence. Our Access Risk Intelligence offering is able to risk rank access privileges held by accounts to find the needle in the haystack. Our Activity Risk Intelligence offering uses behavior-based anomaly detection technology to identify out-of-band user activities. By combining user access, activity and events, we have managed to provide actionable intelligence on which user poses the highest risk within the enterprise. With a 90% success ratio being recorded at live deployments, our technology is helping organizations prevent the next WikiLeaks and making Identity Intelligence core to security programs.
McAfee sure knows how to “focus” on security. With hundreds of participants pouring in from all over the world to the Venetian in Las Vegas, the event boasted of the who’s who in the Information security world. With a phenomenal location, great food, entertainment and several great sessions the event was a grand success.
We would like to thank our customers and partners for making our See More. Do More campaign a huge success. At the conference, Securonix showcased the three Intelligent Risk solutions for companies that want to harness intelligence from the DLP, IAM and SIEM offerings.
The Intelligent DLP solution offering focused on the collection of DLP events from McAfee ePO and adding identity content and context to the events for a more proactive approach to security.
The Intelligent SIEM offering showcased the connectivity of Securonix with Nitrosecurity ESM for log events and the application of our behavior based anomaly detection engine to detect out of band activities.
Our booth saw a hubbub of activity on all 4 days with customers and partners that wanted to know how our solution can help with their existing DLP deployments and help them detect Insider Threats and Risks. It was also great to see some of our visitors try their analytical, mathematical and mostly intuitive skills at guessing the number of Jelly Beans. We finally had a winner that was just 3 Jelly Beans away from the actual.
Securonix also presented along with Ernst & Young and McAfee at the breakout session (Protecting Sensitive Information with Dynamic Data Loss Prevention (DLP) Policies and User Behavior Analysis). With overall great participation from the crowd and a closing demo of the technology that can help protect Intellectual property from leaving the premises of companies, Securonix was a coffee table discussion even after the session ended.
We would like to thank all the customers that stopped by our booth and attended the breakout session. Look for us at the upcoming Gartner IAM conference (dates/venues) and FS-ISAC conference in Washington DC on dates
Lulzsec announced that they are going to take it easy for a while. Maybe they just think it's time to give organizations some time to catch their breath, maybe lick their wounds or get busy putting up bigger fences. The reason for their announcement is unclear, but the recent attacks have shown organizations how much work needs to be done before they can safely claim to be secure.
I liked the information below on the recent attacks in the last 3 months. Thought I’d share it with the masses.
https://spreadsheets.google.com/spreadsheet/ccc?key=0Apf9SIxJ8Cm_dGxuNUJjbmM5LU40bVdWaFBVcTZPN3c&hl=en_US&single=true&gid=0&range=A2%3AJ61&output=html
I wasn't making things up when I said that the hackers have been busy last month. Today, another successful hacking story hit the street with Sega announcing that its systems were hacked and 1.3 million records were stolen. What I found interesting is that the Lulz group – the hackers that hit Sony – have reached out to Sega to provide assistance in nabbing the hackers. I wonder how many groups are out there that can break into the security systems of corporations. It certainly seems like hackers can get into systems at will. How vulnerable is all our data, and what are organizations doing to protect this data?
http://www.nytimes.com/2011/06/20/technology/20iht-sega20.html
The hackers have been busy last month. With successful hacking attempts at Citigroup, Sony, IMF, Bank of America (I know I am forgetting a few names here), the hackers are no longer the disgruntled-developers-gone-wild group. The sophistication of these attacks and the targeted victims of these recent hacking attacks suggest that the criminals have now found an easy way to get the goods and an easier way to sell their wares to willing buyers. An article on NPR caught my attention today. It basically lays out a website that mimics eBay to buy and sell credit card numbers with seller rankings and verification. You can't even register as a buyer without a couple of legit references. This is the ultimate virtual crime, with every activity being done remotely, except the people that suffer the losses are very real. I think these cyber crimes have now rendered the brick and mortar criminals obsolete. There is no need for robbing a bank and asking for unmarked bills anymore.
http://www.npr.org/blogs/money/2011/06/17/137227559/how-to-buy-a-stolen-credit-card
http://www.eweek.com/c/a/Security/Sony-PlayStation-Network-Data-Breach-Compromises-77-Million-User-Accounts-208028/
Is this the biggest data breach in history? Probably so. The TJX data breach that has long been at the #1 position has finally met its match. About 45 million records were stolen during the TJX fiasco and the Sony data breach is already being rumored at 77 million.
I think the biggest highlight of this data breach is the lag in response from Sony. The service was out for a week but customers were unaware that their data had been stolen. Could customers have taken steps to monitor their accounts and credit card statements in that week when Sony was reportedly investigating the extent of the data breach?
This data breach also exposes the risk that we put ourselves at when we avail ourselves of cloud-hosted services. Do these data breaches warrant another transaction system for the net? Are credit cards cut out for supporting the web economy?
http://www.reuters.com/article/2011/04/04/us-citi-capitalone-data-idUSTRE7321PI20110404?feedType=RSS&feedName=topNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtopNews+%28News+%2F+US+%2F+Top+News%29&utm_content=Google+Feedfetch
An unauthorized individual or group of individuals hacked into the Epsilon systems and gained access to millions of email addresses and names. What does this really mean to customers and how could this be prevented?
Well, in a nutshell, we can all expect phishing attacks that are more targeted. The email addresses in the To field will no longer be a shot in the dark that goes directly to the spam folder. We will actually see an email that may originate from seemingly genuine companies that we trust and have subject lines that are enticing enough for us to click on it. These will most probably lead us to fake sites that look quite like the original vendor site and may ask us for our login credentials... voila... the perpetrator now has our user name and password to possibly access our bank accounts... scary!!!
These attacks are not isolated incidents on organizations. Hundreds of such attacks happen monthly, and a select few make it to the news because they either impact millions or the company in question is reputable enough for people to raise their eyebrows.
Implementing security controls within and outside the perimeter is paramount to preventing such incidents. More often than not, companies are found lacking in implementing basic controls like tracking employee activities and access.
It is no longer acceptable for companies to pass the buck to someone else citing ignorance. When customers choose to spend their hard-earned money with bigger companies, they rightfully expect companies to do the right thing.
It is already apparent that Epsilon is going to take the majority of the heat for this disaster. However, did anyone knowingly pass on their information to Epsilon, or did they pass it on to the highly reputable firms that they trust? There should be no question about where the responsibility lies when it comes to protecting private data. If you take my information, you are required to protect it.
So I decided to explore the Google marketplace for some apps today. Interestingly, most apps want to access my email and my documents. Concerned about security, I decided to investigate the vendors that will now have access to my data. Is it even possible for Google to scrutinize any of these vendors? So Google passes SAS 70 audits... that's great. So they have built the fortress around their datacenters and have controls in place, and they gave the keys to the kingdom to some unknown entities that they can't vouch for. Is security in the cloud a myth? Not really. It just depends on the trade-off between flexibility/cost and your requirement for security. So my wife saves her grocery list on Google Docs and uses some of these market apps to collaborate with her friends. That's useful, cheap and serves a utility. I wouldn't put my company's design documents and source code there… the assumed risk does not justify the flexibility and reduced cost… that's just me.
What a way to begin the week. Last week's challenge is this week's deadline. Well, the engineering guys have put their heart 'n' soul into improving the performance of our system. Now we put it to the test… can we monitor @ speed of light?