Secure file sharing & content collaboration for users, IT & security

Larry Ponemon

The ability to securely and easily share files and content in the workplace is essential to employees’ productivity, compliance with the EU’s General Data Protection Regulation (GDPR) and digital transformation. However, a lack of visibility into how users are accessing sensitive data and the file applications they are using is putting organizations at risk for a data breach. In fact, 63 percent of participants in this research believe it is likely that their companies had a data breach in the past two years because of insecure file sharing and content collaboration.

According to the findings, an average of 44 percent of employees in organizations use file sharing and collaboration solutions to store, edit or share content in the normal course of business. As a result of this extensive use, most respondents (72 percent) say that it is very important to ensure that the sensitive information in these solutions is secure.

Despite their awareness of the risks, only 39 percent of respondents rate their ability to keep sensitive contents secure in the file sharing and collaboration environment as very high. Only 34 percent of respondents rate the tools used to support the safe use of sensitive information assets in the file sharing and collaboration environment as very effective.

Sponsored by Axway Syncplicity, the purpose of this research is to understand file sharing and content collaboration practices in organizations and what practices should be taken to secure the data without impeding the flow of information. Ponemon Institute surveyed 1,371 IT and IT security practitioners in North America, United Kingdom, Germany and France. All respondents are familiar with content collaboration solutions and tools. Further, their job function involves the management, production and protection of content stored in files.

This section presents an analysis of the key findings. More details can be found on Axway’s website. Following are key themes in this research.

Data breaches in the file sharing and content collaboration environment are likely. Sixty-three percent of respondents say it was likely that their organizations experienced the loss or theft of sensitive information in the file sharing and collaboration environment in the past two years.

The best ways to avoid a data breach is to have skilled personnel with data security responsibilities (73 percent of respondents), more effective data loss protection technologies in place (65 percent of respondents), more budget (56 percent of respondents) and fewer silos and/or turf issues among IT, IT security and lines of business (49 percent of respondents).

Data breaches are likely because of risky user behavior. About 70 percent of respondents say they have received files and content not intended for them. Other risky events include: accidentally sharing files or contents with individuals not authorized to receive them, not deleting confidential contents or files as required by policies and accidentally sharing files or content with unauthorized individuals outside the organization, according to 67 percent, 62 percent and 59 percent of respondents, respectively.

A lack of visibility into users’ access puts sensitive information at risk. Only 31 percent of respondents are confident in having visibility into users’ access and file sharing applications. Some 65 percent of respondents say not knowing where sensitive data is constitutes a significant security risk. Only 27 percent of respondents say their organization has clear visibility into what file sharing applications are being used by employees at work. A consequence of not having visibility is the inability for IT leadership to know if lines of business are using file sharing applications without informing them (i.e. shadow IT).

Customer PII and confidential contents and files are the types of sensitive information at risk. The most sensitive types of data shared with colleagues and third parties is customer PII and confidential documents and files. Hence, these need to be most protected in the file sharing and collaboration environment.

The plethora of unstructured data makes managing the threats to sensitive information difficult. As defined in the research, unstructured data is information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, numbers, and facts as well. An average of 53 percent of organizations’ sensitive data is unstructured and organizations have an average of almost 3 petabytes of unstructured data.

Most unstructured data is stored in email file sharing solutions. Respondents estimate an average of 20.5 percent is stored in shared network drives and 20 percent is stored in other file sync and share solutions. Almost half (49 percent of respondents) are concerned about storing unstructured data in the cloud. Only about 20 percent of unstructured data is stored in cloud-based services such as Dropbox or Box (20 percent) and Office 365 (17 percent).

On average, almost half of an organization’s sensitive data is stored on-premises.  According to Figure 7, an average of almost half (49 percent) of organizations’ sensitive information is stored on-premises and approximately 30 percent is located in the public cloud. An average of 22 percent of sensitive information is stored in the hybrid cloud. Hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud and third-party, public cloud services with orchestration between the two platforms.

Companies are challenged to keep sensitive content secure in the file sharing and collaboration environment. As mentioned earlier in the report, respondents are aware of the threats to their sensitive information, but admit their governance practices and technologies should be more effective. According to respondents, on average, about one-third of the data in the file sharing and collaboration environment is considered sensitive.

To classify the level of security that is needed, respondents say it is mostly determined by data usage, location of users and sensitivity of data type (62 percent, 61 percent and 60 percent, respectively). Twenty-four percent of respondents say their companies do not determine content and file-level confidentiality.

To read the rest of this report: Click here to visit Axway’s site. 

No, I don’t have Bruce tickets — When Google ‘interprets’ emails, it’s spooky and too clever by half

What is this reservation for???

Bob Sullivan

Google and Facebook often do spooky things, without our informed consent.  Recently, Google seemed to possibly ruin a holiday surprise for me…but ended up breaking my heart instead. Here’s a story about a clever tech going too far, doing things I never asked it to do, and ultimately, making a fool of itself.

During a recent visit to Times Square in Manhattan, I spotted an intriguing and surprising PIN when I pulled up Google maps on my phone. “Reservation. Dec. XX / 8 p.m.” it said (I’m omitting the date).   It looked like a typical hotel notification, the kind that started showing up automagically on G-Maps about two years ago.  They always surprise (spook?) me, pulled as they are from Gmail, but in truth, they are often useful.

Not this time.

A little context. Back in September of 2016, Google told users that it would start integrating calendar events with maps.  When entering a meeting, if you fill out the “where” field, the address appears on your version of G-Maps. This is a pretty logical use of the tool. If you have a meeting, you are likely to pull up Maps and see where you are supposed to be. Given that you’ve explicitly entered the address into Google’s calendar, it seems not much of a leap to use that information on Google Maps.

But the 2016 announcement revealed something else.  To further embed your life in the Google ecosystem, the firm would also scan your emails (remember, Google and other developers can still ‘read’ your Gmail) for events like hotel reservations and enter those as points on maps, too. Naturally, I never read the announcement.  Like most of you, I just started seeing these pins for airports and hotels on maps, and somewhere inside, figured that was Google inferring things from my Gmail. This feels different to me. In this scenario, I didn’t explicitly give Google the right to know where I was going; instead, the firm looked over my shoulder at what I was doing, and put it on a map.  Again, it’s useful. But I never asked for this feature. I could imagine situations where this would be a bad thing. What if I had booked a surprise for someone, and s/he spotted it when I innocently pulled up a map one day? What if my boss saw it?  Also, who else can see it? What other kinds of marketing might I get because Google knows where I’m going?

I hadn’t considered the Bruce scenario, however.

Back to the suspicious “Reservation. Dec. XX / 8 p.m.”  I had no plans for that day, but there it was.  So I clicked on the PIN.  The addresss showed 219 W 48th St. Didn’t mean anything to me. A restaurant?  A hotel? I clicked on the picture, and saw this:

BRUCE!

Ohhhhhhhhh. It’s not a movie. It’s not a dinner. It’s BRUCE! At the Walter Kerr Theatre. I’m from New Jersey, so I love Bruce. And I’ve been dying to see this Broadway show.

One problem: Tickets are really hard to get. And I know I don’t have them. Then it dawned on me: last Christmas season, I discussed going with my brother.   It was more of a joke, given the insane price tag. But maybe…maybe…he managed to score tickets.  Wow!

But then, how did it get into my calendar?  Some happy error? Some new shared family calendar feature? As I contemplated my possible good fortune, I was also deeply troubled.  Sure, ruining a surprise is bad. But this seemed beyond creepy. Did Google somehow know about my conversations with my brother? Or about his credit card purchases? As I went full-on conspiracy theory, I decided to make sure there was nothing in my email that created this situation. I searched for “Walter Kerr Theatre”

And there it was.  No, I don’t have tickets to see Bruce that night.  A friend does.

Many months ago, an old friend who had won the online lottery scored Bruce tickets from Ticketmaster for December. And in her excitement she forwarded me the confirmation email she’d received from Ticketmaster.

That forwarded email was apparently enough to convince Google that *I* was going to the theatre that night. So it took details from the note and auto-populated it into my Google map.

Haha, jokes on me.  No big deal, I’ll see Bruce another time.

But, this is both spooky and weird.  Not only is Google looking over my shoulder and putting things on a map (again, I never asked). Now it’s putting wrong things on that map. With just a little creativity, it’s easy to see how this could go wrong. A wife spotting a “suspicious” resort hotel reservation (is he cheating?).  A boss “finding out” that you are visiting a competitor (“Is she moonlighting?”).  Worse still, let’s say there’s a crime in Times Square on that December night.  When police subpoena Google for everyone who was near the scene of the crime, I’d be in the list.

I have no idea how often G-Maps makes mistakes like this.  Maybe it’s exceedingly rare. But now, I’m not so sure. I’m on the lookout for more. If you know about one, please tell me. Meanwhile, if you don’t want Google to do this, I’m not sure what to tell you. Back in 2016, project manager Zach Maier gave handy instructions for toggling this feature off — on the map app, under settings, then “personal content.'” The option “upcoming events” was apparently listed there at the time.  It’s no longer there, at least on my version of Android. (While you are there, you can toggle off a feature I find annoying, the placement of contracts on Google maps.)  You could sign out of Maps, but that will probably screw with the normal operations of the software.

It’s hard to get right, the balance between creating new features and respecting privacy.

 

 

 

Managing the risk of post-breach or “resident” attacks

Larry Ponemon

Sponsored by Illusive Networks, Ponemon Institute surveyed 627 IT and IT security practitioners in the United States to understand how well organizations are addressing the cyber risks associated with attackers who may already be residing within the perimeter, including insiders that might act maliciously.

Click here to read the full study on Illusive Networks website.

 

All participants in this research are involved in the evaluation, selection and/or implementation of IT security solutions and governance practices within their organizations.

This study starts with the premise that mitigating business impact once attackers are within the environment requires the ability to:

  1. Understand which cyberthreats pose the greatest risk and align the cybersecurity program accordingly;
  2. Proactively shape security controls and improve cyber hygiene based on an understanding of how attackers operate;
  3. Quickly detect attackers who are operating internally;
  4. Efficiently prioritize and act on incidents based on real-time awareness of how the organization could be impacted.

The data indicates that organizations have low confidence in their ability to prevent serious damage from post-breach attacks. When presented with a set of statements, only 36 percent of respondents express agreement or strong agreement that their security team is effective in detecting and investigating cybersecurity incidents before serious damage occurs.

It is welcome news, then, that security budgets are shifting in favor of allocating greater resources to threat detection and response.

For organizations to get to where they need to be is an uphill challenge. While more than half (56 percent) of respondents to this survey believe they have reduced attacker dwell time over the past year, over 44 percent say they have not (32 percent) or don’t know (12 percent). And not all attacks and incidents are equal. The survey also shows that only 28 percent of respondents agree or strongly agree that their security technologies are optimized to reduce top business risks. A recurring theme in this study is that the inability to see and act on what matters most to the organization hampers the effectiveness of multiple functions.

Part 2. Key Findings

In this section of the report we analyze the key findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the report according to the following topics:

  1. The risk alignment problem between IT security and the business
  2. Current capabilities to preempt, detect, and respond to post-breach attackers
  3. Takeaways: Toward better risk mitigation for post-breach or resident attacks

A.    The risk alignment problem between IT security and the business

 Comparing a few key data points makes it clear that the day-to-day functioning of IT security is not well-aligned to business needs.

Although 56 percent of respondents say business leaders consider cybersecurity a top business risk, only 29 percent of respondents say business leaders communicate their business risk management priorities to IT security leaders, and only 29 percent of respondents say their security leaders effectively align security with top business risks.

Over 70 percent of respondents say senior leaders do not clearly communicate business risk. Some, 71 percent of respondents say they are not informed about what senior managers consider their organizations’ business risk management priorities—important guidance if IT security is to prioritize what’s most important to the business.

Respondents also are not positive that their leadership understands how persistent and advanced threats can affect the enterprise and that IT security controls are not 100 percent effective (68 percent and 65 percent, respectively).

It makes sense, then, that 60 percent also indicate that leaders don’t understand that the risk of a successful cyberattack should be an ongoing concern.

Business leaders appear to be conflicted about the importance of a strong cybersecurity posture—or perhaps leaders don’t understand the importance of a business-aligned, proactive approach or their role in it. When respondents were asked to describe their executives’ views of the importance of the cybersecurity program, the top two responses seem contradictory.

On the one hand, respondents indicate that executives think a cyberattack could pose a strategic or existential threat to their organization (40 percent of respondents), yet given how important cyber risk seems to be, a reactive approach seems fairly prevalent; almost half (49 percent of respondents) say their organizations’ executives think cybersecurity should be addressed on an as-needed basis when problems arise.

The business/security collaboration gap is reflected in many ways. Whether fault for the disconnect lies on the side of IT security leaders, senior executives, or both, Only 35 percent of respondents say their IT security leaders are proactively included in planning and decision-making for new technology and business initiatives, and only 29 percent of respondents say IT security leaders effectively align security investments, processes, and controls with top business risks. Other steps not taken are having well-defined criteria for determining when to involve business leaders in responding to a cybersecurity incident or issue (only 30 percent of respondents agree), as well as educating business leaders on cyber risks that may impact their organization (only 38 percent of respondents agree).

Only about half (51 percent of respondents) say their organizations’ executives and senior management respect IT security leaders. As a possible consequence, only 37 percent of respondents say the security team has the support it needs from business teams to design and execute business-oriented threat detection and incident response capabilities.

Respondents say that protecting high-volume private data is not the top concern. Respondents were asked to identify the cyberattacks that pose the greatest risk to their business. Given the lack of communication about business risk, these views may not reflect the views of business leaders, but it is notable that although large breaches of PII, EHI, payment and employee data tend to hog the headlines, these are not respondents’ top concerns. The data indicate that the threat of intellectual property or other strategic information theft—theirs or their clients—and various forms of disruption are significantly higher on the risk scale.

Also, 60 percent of respondents say the worst consequence of a cyberattack would be the tampering with or compromise to the integrity of their products or services followed by the disruption of their core business network (58 percent of respondents). Threats to executive safety and privacy are also high on the list.

Business leaders lack understanding of the threats. Leaders cannot communicate effectively with IT security leaders or set cyber risk management priorities without a foundational understanding of the threat actors an organization needs to contend with, yet 68 percent of respondents say their executives and senior management do not have a good understanding of how threat actors work and the harm they can cause. Among technical functions, where granular threat understanding is necessary for strong detection and response, organizations fare better, but could be stronger.

Basic asset and access governance are only half-way there. A risk-focused approach also requires a strong picture of where the important IT assets are and who has access to them. Some 54 percent of respondents agree or strongly agree that their security team has up-to-date knowledge of which data, systems and infrastructure components support critical business processes, yet when asked a series of more detailed questions pertaining to asset awareness and change management, respondents rate themselves considerably lower.  The ability to keep pace with rapidly changing users, user functions, and IT infrastructure continues to be a challenge.

To keep reading this report, click here. 

Someone (China?) is building an enormous dossier database from all these massive hacks

Bob Sullivan

Perhaps you missed the tantalizing detail I reported earlier  that Congressional investigators believe the initial Equifax hackers entered that company’s systems with computers using IP addresses in China.  Or The New York Times reporting that U.S. authorities now blame China for the hack on Starwood / Marriott.  You probably forgot that the devastating hack of the Office of Personel Management systems has also been blamed on China. And you probably forgot that the hack of Anthem, the health care firm, was also blamed on China.

Combine all that information, and one thing seems disturbingly likely: There’s a big dossier database in the sky, controlled by some foreign entity, and your most personal information is in it.

Maybe you are worried about your credit report. But this surveillance database contains far, far more precious and revealing information. Where you traveled. How long you stayed. Your driver’s license. Your passport.  If you are a government worker, who your closest friends are, and even your fingerprint.

All in the hands of a foreign, potentially hostile, nation-state.

Attribution is a very tricky game — freelance actors? the Chinese government? Another nation state hiring mercenaries in China? — and anyone who asserts with surety they know who did it might be overstating their case. When we spent months looking into the Yahoo hack, it became clear that both nation-states and freelancers can be involved in the same hack, making breach analysis even harder. With Equifax, there’s a theory that rogue hackers gained entry at first, then handed off the access to a more sophisticated entity. This kind of hack-sharing means that whoever stole all that data from Yahoo — remember, for years, Russian agents could read millions of victims’ emails — is available to whoever is building this big dossier database in the sky. Passport numbers and 15-year-old emails linked? That’s quite an incredible amount of information.

It’s fashionable to blame things on China right now, but the particular nation-state that’s the culprit at Starwood doesn’t matter as much as the potential existence of this database.

I haven’t seen it, but plenty of folks I speak to very much believe it exists. The best evidence for it: Where are all the stories of Equifax-related identity thefts, or widespread Starwood points hacks, or….? Whoever is stealing this information isn’t doing it for money, and isn’t doing it for lulz. No one hangs out in a network for four years for lulz.  Or, for that matter, for money.

Instead, think about how useful a list of hotel stays would be as an intelligence-gathering tool? As my colleague at NBC News Ben Popken points out, Starwood is a favorite chain for U.S. Government employees. Executives, too. So perhaps most of the data is useless to the hackers; they just want to good stuff. That was initially the goal in the Yahoo hack: Read the email of very specific people. A needle-in-a-haystack search, with the hay uninteresting.  Later on, however, the Yahoo hackers shared the stolen data with others who indeed picked through the hay — you and me, in this metaphor — and found all sorts of other uses for it.

Perhaps the criminals are even more interested in tracking corporate executives.  Understanding their movements can provide a lot of intelligence — “Why is he visiting South Korea? Is he interested in a new supplier?”  Think deeper, and you can imagine the data being used for leverage or extortion. What if a foreign power had information on a clandestine relationship a U.S. executive was having? That would be very useful in negotiations.

In some ways, all these hacks are starting to sound redundant, as if someone keeps stealing the same kinds of data over and over. But as Avivah Litan of Gartner recently told me, there is the matter of upkeep. Whoever has this database has to keep it current, and accurate.  Each new heists helps the “owner” clean the data. (Read more from her here, and here .)

Bill Malik at Trend Micro offers another clever use for this executive-tracking database: something I call executive identity theft. Business email compromise is among the fastest-growing cybercrimes. A criminal poses as a CEO and demands her secretary wire money overseas immediately as part of secret merger talks. It works because underlings are less likely to question bosses. If a criminal had a tool that predicted executive movements, imagine how much easier, and more targeted, these attacks could be.

At this point, you are probably wondering what all this has to do with you.  If merely monitoring high-value targets is the goal of these hackers, that should be a relief to most of us, right? Perhaps. You must understand that whoever is stealing these massive datasets is in it for the long game, however.  Again, the Starwood hack lasted four years.  Can you really be sure that you’ll be uninteresting to a foreign power in a decade or two?  Are you sure there isn’t an email you wrote in 2003 that wouldn’t embarrass you somehow in 2023?

This is the point at which an editor would yell at me to give readers some hope, to dole out advice on what to do about all this.  So sure, change your passwords and limit the personal information you give large companies. Always act like anything you type into a keyboard might eventually end up on a billboard in Times Square. But realistically, you are collateral damage in a cyberwar being fought by nation-states on one side and fairly helpless U.S. corporations on the other.  The big dossier database in the sky is only going to get bigger, and more accurate, with each big hack.  That’s our 21st Century reality now.

 

Email impersonation attacks: a clear & present danger

Larry Ponemon

Most companies admit that it is likely they experienced a data breach or cyberattack because of such email-based threats as phishing, spoofing or impersonation and they are concerned about the ongoing risk of such threats. However, as shown in this research there is a disconnect between the perceived danger of email-based threats and the resources companies are allocating to reduce these risks.

Sponsored by Valimail, Email Impersonation Attacks: A Clear & Present Danger, was conducted by Ponemon Institute to understand the challenges organizations face to protect end-users from email threats, such as impersonation attacks. Ponemon Institute surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats.

The risks that are causing IT security practitioners to lose sleep are phishing emails directed at employees, executives, customers and partners; and email as a vector for cyberattacks. When asked what measures or technologies will be deployed in the next 12 months to prevent impersonation attacks, more companies say they will be using secure email gateway technology, DMARC, DKIM and anti-phishing training for employees. In fact, more companies will be using automated solutions to improve email trust.

We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively. Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users.

The following findings illustrate the disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study. 

  • Eighty percent of respondents are very concerned about the state of their companies’ ability to reduce email-based threats, but only 29 percent of respondents are taking significant steps to prevent phishing attacks and email impersonation. 
  • Only 27 percent of respondents say they are very confident that their organization knows all of the vendors and services that are sending email using the organizations’ domain name in the “From” field of the message. 
  • Companies have complex email environments. On average, companies in this research have more than 1,000 employees, six servers and 15 cloud-based services that send email on their behalf. However, only 41 percent of respondents say their organizations have created a security infrastructure or plan for email security. 
  • Despite the ineffectiveness of anti-spam and anti-phishing filters, they have been the primary solution for preventing email-based cyberattacks, and impersonation. Sixty-nine percent of respondents say their organizations use anti-spam or anti-phishing filters and 63 percent of respondents say they use these technologies to prevent impersonation attacks.
  • Companies are not spending enough to prevent email-based cyberattacks and fraud. While there is a sense of urgency among respondents to address the numerous threats against their email systems, only 39 percent of respondents say their organizations are spending enough to protect email from cyberattacks and fraud.

Because the risks discussed above are not being addressed, most companies believe they had a material data breach or cyberattack during the past 12 months that involved email. Seventy-nine percent of respondents say their organizations certainly or likely experienced a serious data breach or cyberattack during the past 12 months such as phishing or business email compromise. More than 53 percent of respondents say it is very difficult to stop such attacks.

“With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail. “While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks.”

To read the full study, click here and visit Valimail’s site. 

The life-cycle of a vote, and all the ways it can be hacked

Bob Sullivan

We know every vote counts, but will your vote actually be counted? Or will it be hacked? I’ve spent the last several months reporting on election hacking for my podcast Breach, and I’ve learned a lot: Mostly that vote “hacking” is a much broader problem than people realize.  While lots of attention has been paid to the hacking of electronic voting machines themselves, elections can be hacked months before, or months after, voting day.  Here’s a look at the entire life cycle of your vote, and all the places it can be hacked along the way.

Listen to the podcast on Stitcher

https://www.stitcher.com/podcast/pods/breach

or iTunes

https://itunes.apple.com/us/podcast/breach/id1359920809?mt=2

 

Step 1: Deciding to vote

The voting process begins when people decide to vote (or, they don’t), and register. The enemies of democracy spend a lot of time trying to convince citizens that their vote doesn’t count, that people shouldn’t even bother going to the polls. Encouraging apathy is actually step one.  How does that happen? Through disinformation campaigns — state-sponsored trolling — that are nudged along unwittingly by people who fall for the trick

“Academics will make the distinction that disinformation is false information that’s knowingly spread,” says Nick Monaco, a D.C.-based researcher and expert in worldwide trolling campaigns. “So there’s an intent to deceive people knowingly. Then they’ll say that misinformation is information that is spread unknowingly that’s false. So maybe you retweet a story that you thought was true, that would be a case of misinformation. But if you create a false story to smear someone that would be disinformation.”

In the podcast, we talk about a fictitious election between myself and Alia Tavakolian, my Breach co-host. Someone spreads a rumor online that I am a puppy killer — very untrue — and I lose crucial campaign time fighting off this attack. Why does it spread so quickly?  Bots, using artificial intelligence, talk it up.

“Most news organizations now have incentive (and) choose of their own accord to report on what’s trending online. What if what’s trending online is produced 90% by bots and 10% (by) humans?” Monaco said.

In other words, bots are hacking people’s attitudes. State-sponsored trolling is the hacking of our minds.

“I think that in the first place, if people’s attention is hacked already by a platform, and they’re spending time on this platform, and then they’re receiving messages that might sway their actions … So we already have you in one place, we know where you are, we know what you think about, and we know where you live. Let’s just send you some information that we think would be amenable to what you — what you think, and maybe influence you to act in some way,” Monaco said.

 

 

Step 2: Voter registration

Let’s say you press on past digital propaganda and decide you are going to vote. You register. That data has to live somewhere. And it has to remain accurate.  If a group wanted to engage in voter suppression, they could hack state registration databases and remove names — or just change addresses in a way that would create election-day chaos.

“(Voter) records are maintained in computer databases, many of which are connected directly or indirectly to the internet, and subject to the same kind of data breaches that affect other kinds of internet systems,” said Matt Blaze, a computer science professor at the University of Pennsylvania, where he’s been working on voting technology for the past fifteen years. “We often don’t find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote.”

This isn’t a theoretical risk. The U.S. government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

Even more ominous: If someone wanted to tip an election, they’d do this only in zip codes that traditionally leaned one way or the other.

“Because with the marketing data these days we can microtarget down to the neighborhood how we know a certain neighborhood’s going to vote,” said Maggie MacAlpine, co-founder of security firm Nordic Innovation Labs. “We’ve had some elections that were decided by less than 1,000 people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, ‘Well, I should be registered, why aren’t I registered?’ If you can keep that spike under the radar, you can actually change things that way.”

Many jurisdictions use e-poll books at voting locations now, to get the best registration information in the hands of poll workers. They also add another layer of technology to the process that can be hacked.

 

Step 3: Voting “Day”

U.S. voting machines have been under scrutiny dating back at least to the hanging chads of Bush v. Gore in the 2000 presidential election.  In 2002, Congress passed the Help America Vote Act, which gave states money and incentives to abandon old-fashioned voting machines and led to the purchase of electronic machines — generally touch-screens (DREs) or optical scan / scantron machines (like multiple-choice tests). They’ve caused a lot of trouble. There have been years of demonstrations showing the machines are vulnerable to various attacks.  Vendors often say these are only theoretical, that the machines themselves are not networked so they aren’t really vulnerable.  Many voting experts disagree.

“What people sometimes don’t understand about voting machines is that they’re really not as isolated from each other and from internet-attached systems as they may seem,” said J. Alex Halderman,  director at the Michigan Center for Computer Security in Society, and another long-time voting expert.

For starters, the machines must be loaded with candidates — somehow.

 

“Before every election, virtually every electronic voting machine in the country has to be programmed, and it has to be programmed with the ballot design. That is the candidates, the races, and the rules for counting,” he said.  This is usually done with an election management system. “(Hackers) can potentially spread malicious software to every voting machine in the jurisdiction just by having that software essentially hitch a ride with the ballot programming that election officials copy to the machines in the field.”

Harri Hursti was the researcher who first hacked voting machines nearly 15 years ago.  His technique actually has a name: “The Hursti Hack.”

“What I found was that the bootloader is looking from the memory card a certain file name. If it finds that name, it will reprogram itself with the contents of that file with no checks, balances whatsoever,” he said. Some of the same machines he hacked 15 years ago are still being used in elections today. “Sometimes I get tired of talking about it…but it took people 15 years to listen.”

Step 4: Vote counting

Once you leave the polling place, an intricate dance of technology takes place.  Perhaps the machine you used creates a local tally and prints out an end-of-day receipt, which is later added to tallies from other machines in that precinct , in that county, and that state. The counts themselves must be accurate, but perhaps more important, the transmission of the counts must be secure.  Many experts see this as a vulnerable step.

“If we’re able to modify the transmission of vote tallies back and forth across these systems, we could potentially influence the vote,” said Mark Kuhr, a security expert with Synack Inc.

The votes might be sent over the Internet. They might be sent via “sneaker net,” with a courier driving memory cards to a central location.  In some states, vote tallies are transmitted wirelessly. And that introduces more potential problems. States that do this claim the data is encrypted, but experts worry about vulnerabilities – such as so-called man-in-the-middle attacks.  Devices like Stingray machines – often usually by police to intercept smartphone transmissions — can pose as cellular network towers and download all information sent towards those towers.

Step 5: Announcing the results

It’s easy to overlook, but perhaps the prime election hacking opportunity might also be the easiest – skip the James-Bond-esque vote-flipping efforts, and just hack a secretary of state’s website to cause confusion.

“We know that the Russians have hacked websites that announce election results in the past,” said Jake Braun, executive director of the University of Chicago Cyber Policy Initiative and organizer of the Voting Village project at hacker conference Def Con. “They did it in the Ukraine a few years back. I mean, can you imagine if it’s election night 2020, and they have to take the Florida and Ohio websites down because they’ve been hacked by Russia, and like Wolf Blitzer is losing his (mind) on CNN and Russian RT has announced that their preferred candidate won, who knows who that is, and then of course the fringe media starts running with it as if it’s real here in the United States. …How long would it take to unwind that? I mean it would make Bush v Gore in 2000 look like well-ordered democracy.”

 

This makes me think of somebody who spent six hours making a wedding cake and drives it to the wedding and gets to the wedding and the second before they’re going to put it on the table, they trip and fall and the wedding cake splatters on the floor. That’s our election process.

Step 6: Accepting the results

Even after the vote is over, it’s not over.  A critical element of democracy is that the losing side accepts the results. Think back to step 1: If an enemy of democracy could foment enough disenchantment that a sizable set of the population refuses to accept the legitimacy of the election, that could be enough to “hack” the election process, too.

“Messaging around the integrity of voter information or the legitimacy of the election is something I’m really worried about,” Monaco said. “So aside from hard hacking of infrastructure, (what scares me most is) a disinformation campaign that would say, ‘The vote’s not legitimate, these people couldn’t vote, their voting records were altered,” even if that stuff’s not true. I mean the scary part is like with a kernel of truth that would really, really empower that disinformation campaign. So that’s like a nightmare scenario for me.”

In our market, the dollar bill is the fundamental unit of capitalism in America, The integrity of the dollar bill is paramount. If one day people decided, “What is the dollar really worth? I’m not sure. I don’t trust this thing.” Our country would collapse. Voting is exactly the same way. The vote is the central unit of democracy, and right now the vote is under serious threat. People right now are asking themselves, “Should I really take a vote or not? Does that really matter? Does it really count? When we added them all up, is it really correct?” It’s that fundamental an assault on our way of life.

The End: Next steps

Kim Zetter, who’s been reporting on election hacking for a decade, lays out the dark reality. Russian election interference is only the latest in a long line of problems with the way we vote in America.

“I would say that the Russians are a red herring because that’s not why we should be looking at this. This problem has existed since 2002, people have ignored it,” she said. What is the real danger? “Everything is the danger. Danger is a software bug that could cause the machine to not record your vote to — to lose votes, to record it inaccurately. The danger is an insider in the election office, anyone who is opposed to U.S. foreign policy, anyone who has a gripe with the U.S. And again, it doesn’t have to be someone who’s really sophisticated. “

If all this seems hopeless, it’s not.  For starters, every single expert we talked to about election hacking said that, while the problem is challenging, democracy is far from doomed.

“I have confidence in our democratic institutions, and we’ve survived a lot,” said Adam Levin, whose company Cyberscout performs security audits for state election officials. “And my belief is that we’re going to survive this as well, but the truth is, look, it is a Herculean task. It is a daunting task. No one denies that. But this country has always stepped up, always. At some point, we dug down deep, and we stepped up.”

What can you do? Step up and vote. And be informed. The biggest vulnerability in democracy is apathy. The fewer people who vote, the easier it is the manipulate the result. The fewer people who work hard to be informed, the easier they are to manipulate.  The angrier you are, the easier it is to set you against your fellow citizens.  So vote on (or before!) election. Read, read, read before and after the election to stay informed. And don’t fall for the enemies’ “divide and conquer” strategy or “let’s you and him fight” tactics. Disagree, but keep America a civil society. There’s a lot you can do to prevent the hacking of democracy. Listening to the full podcast would be a good start.

 

Where’s the data? Firms increasingly fret about governance; join us for a free webinar

Larry Ponemon

There will be a free live webinar discussing these results on Oct. 18 at 11 a.m. Click here to register for this webinar.

Organizations are becoming increasingly vulnerable to risks created by the lack of oversight, visibility and controls over employees and other insiders who have access to confidential and high-value information assets. The 2018 Study on the State of Data Access Governance, sponsored by STEALTHbits Technologies, reveals the importance of a Data Access Governance program that can effectively reduce the risk created by employees’ and privileged users’ accidental and conscious exposure of confidential data.

In the context of this research, Data Access Governance is about making access to data exclusive and limiting the number of people who have access to data and their permissions to that data to the lowest levels possible. Ponemon Institute surveyed 991 IT and IT security practitioners in the United States (586) and United Kingdom (405).

To ensure these respondents have an in-depth knowledge of how their organizations manage users’ access to data, we asked them to indicate their level of access to their organizations’ IT networks, enterprise systems, applications and confidential information. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents.

While the study reveals companies are taking some steps to manage the risk, the perception among these respondents who are knowledgeable about access rights in their organizations perceive that the risk will either increase (48 percent) or stay the same (41 percent) over the next year.

Key Findings

 Following is an analysis of the key findings. The complete audited findings are presented in the Appendix of this report. We have organized the findings according to the following topics:

  • The risk of end user access to unstructured data
  • Data Access Governance tools used to limit access to sensitive data
  • Current practices in assigning privileged user access
  • Effectiveness of Data Access Governance programs
  • Recommendations for improving Data Access Governance programs

The risk of end user access to unstructured data

 Organizations lose track of where employees and other insiders are storing unstructured data. In the context of this research, end users are employees, temporary employees, contractors, consultants and others who have limited or “ordinary” access rights to their organizations’ IT resources.

Unstructured data is defined as information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured data tends to be user generated or manipulated data that lives in documents, such as spreadsheets or even scanned and signed contracts. Typically, this data may be in a structured format in an application and exported to a document for use by a person or team of people.

Respondents were asked to rate their confidence that their organization knows where users are storing unstructured data from 1 = no confidence to 10 = high confidence. Only 19 percent of respondents rate their confidence as high (7+ responses). This lack of confidence indicates that much of a company’s sensitive unstructured data is not secured.

Organizations lack visibility into how users are accessing unstructured data. As discussed above, respondents have little confidence they know where unstructured data resides. They also don’t know for certain the end users accessing the sensitive unstructured data.

The majority of respondents (50 percent) say their organizations rely upon platform capabilities, such as access controls built into Dropbox, to determine who has access to sensitive unstructured data. Only 37 percent of respondents say they use role-based access enforced through AD groups, even though many rate AD as very important. Only 31 percent of respondents monitor compliance with policies or information from specialized file activity monitoring (28 percent of respondents).

Documents and spreadsheets are the unstructured data most secured today. Some 71 percent of respondents say documents and spreadsheets are most often secured and 64 percent of respondents say emails and text messages are secured.

Confidence in safeguarding unstructured data is low. As a result of the volume of unstructured data that needs to be protected and the difficulty in determining who has access to sensitive unstructured data, only 25 percent of respondents rate their confidence in discovering unstructured data containing sensitive information as very high (7+ on a scale of 1 = no confidence to 10 = high confidence). Only 12 percent of respondents highly confident in their organizations’ ability to discover where unstructured data is stored in the cloud.

Inappropriate behaviors by end users put organizations at risk. Fifty-nine percent of respondents say users access sensitive or confidential data because of curiosity and 52 percent of respondents say users share their access rights with others.

False positives and too much data are the biggest challenges in determining if an event or incident is an insider threat. Organizations find it difficult to determine if inappropriate access to sensitive data was caused by a negligent or malicious insider. Security tools yield too many false positives (63 percent of respondents) and security tools yield more data than can be reviewed in a timely fashion (60 percent of respondents) are the biggest challenges in determining if an event or incident is an insider threat.

To continue reading, download the full report at Stealthbits website.

There will be a free live webinar discussing these results on Oct. 18 at 11 a.m. Click here to register for this webinar.

 

 

What should college students know about ethics and technology? Help us make a 101 course, here

Bob Sullivan

What should computer science students — all college students — learn about the intersection of ethics and technology? @ethicaltechorg, founded by two Duke University students, (I’m an adviser) is crowdsourcing the curriculum for Tech Ethics 101. Thoughts here, or at the link: https://ethical-tech.org/request-for-collaboration/

Algorithms run our lives today. They decide what homes we should buy, who we should date, what jobs we are qualified for, what updates and Tweets we see, and even welfare payments, mortgage loans, and how long convicts must remain in prison. Complex formulas make all these decisions in darkness, their calculations unknown to their subjects, often even beyond the understanding of their data scientist creators. Operating beyond reproach inside a black box, computers have become our puppet-masters, as consumers buy things, choose mates, and make political decisions based on realities calculated on their behalf.

But like all systems that operate in secret, algorithms have a dark side. They can lie. They remain vulnerable to hacking and reverse-engineering. And they reinforce some of society’s worst elements, like racial, class, and gender bias.

I’m really concerned about this; I believe everyone in the world should be. So today I’m announcing that I’ve joined a new group called Ethical Tech, which collaborates with groups like the Duke University Center on Law and Technology; I’m a member of the organization’s advisory board.  Founders Cassi Carley and Justin Sherman, both of Duke, have ambitious plans for the organization.

We join a rich set of organizations springing up lately — long overdue — to deal with runaway technology and its unintended consequences.  The Center for Humane Tech opened its doors earlier this year, born out of frustration with Facebook, promising to help programmers think more about what they are making. Just this week, my pal Julia Angwin announced a publication called The Markup, funded by Craig Newmark from Craigslist. It will seek to add journalistic accountability to the world of technology.  So, energy around this topic is brewing.

At Ethical Tech, our  first project involved bias in algorithms used by judges around the country to decide how long convicted criminals should spend in prison. Several other projects are in the works, including design of a tech-ethics class for college students.

I hope you will consider helping. What should future programmers know? What should future digital citizens know? How can we arm them for this ongoing information war; and how can we convince engineers to use their math skills for good instead of evil?

I often ask a basic question when I am in groups, like this: “The Internet — good or bad?”  Yes, yes, it’s done an amazing job spreading information around the world. But it’s done an even better job spreading BAD information around the world. Some research suggests that more people think the world is flat today than 10 years ago.  So, that’s bad.  But I doesn’t have to be that way. (And anyway, I think the Internet is good, but it’s more a 60-40 thing). We can’t afford to be passengers in this digital journey any longer, however. We have to make deliberate choices, every day, to make sure tech enhances our humanity instead of destroying it.  That will require concentrated effort across all sorts of party, racial, gender, and ideological lines.  We’re going to have to talk to each other. So, let’s get started.

What should computer science students — all college students — learn about the intersection of ethics and technology? @ethicaltechorg, based at Duke, (I’m an adviser) is crowd sourcing the curriculum for Tech Ethics 101. Thoughts here, or at the link: https://ethical-tech.org/request-for-collaboration/

 

Separating the truths from the myths in cybersecurity

Larry Ponemon

CLICK HERE TO WATCH A WEBINAR OF THESE RESULTS

Ponemon Institute, with sponsorship from BMC, conducted the study on Separating the Truths from the Myths in Cybersecurity to better understand the security myths that can be barriers to a more effective IT security function and to determine the truths that should be considered important for the overall security posture. In the context of this survey, cybersecurity truths are based on the actual experience of participants in this research. In contrast, cybersecurity myths are based on their perceptions, beliefs and gut feel.

More than 1,300 IT and IT security professionals in North America (NA), United Kingdom (UK) and EMEA who have various roles in IT operations and security were surveyed. All respondents are knowledgeable about their organizations’ IT security strategies.

Separating the truths from the myths in cybersecurity

Following are statements about cybersecurity technologies, personnel and governance practices. Participants in this research were asked if these statements are considered truthful or if they are based solely on conjecture or gut feel (i.e. myth). Specifically, respondents rated each statement on a five-point scale from -2 = absolute myth, -1 = mostly myth, 0 = can’t be determined, +1 = mostly truth and + 2 = absolute truth. The number shown next to each statement represents the average index value compiled from all responses in this study. As can be seen, all myths and truths are not equal and range from -1.04 to +0.78.

Drawing upon nonparametric statistical methods, we separated those statements that had a statistically significant positive value that was above 0 (i.e. truth) from those statements that had a statistically significant negative value at or below 0 (i.e. myth).

Truth – The test statistic confirms the following statements are mostly believed to be a fact

 

  1. There is a skills gap in the IT security field. +0.78
  2. Security patches can cause greater risk of instability than the risk of a data breach +0.52
  3. The cloud is cost effective because it is easier and faster to deploy new software and applications than on-premises +0.52
  4. Greater visibility into al applications, data and devices and how they are connected lowers and organization’s security risk. +0.45
  5. Malicious or criminal attacks are the root cause of most data breaches. +0.42
  6. A strong security posture enables companies to innovate and take risks that can lead to greater profitability. +0.33
  7. IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. +0.22
  8. Many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity. +0.09

 

Myth – test statistic confirms the following statements are mostly a myth

 

  1. Too much security diminishes productivity. -1.04
  2. A strong security posture does not affect consumer trust. (In other words, a strong security posture is considered beneficial to improving consumers’ trust in the organization.) -0.87
  3. Automation is going to reduce the need for IT security expertise. -0.55
  4. Artificial intelligence and machine learning will reduce the need for IT security expertise. -0.50
  5. It is difficult or impossible to allocate the time and resources to patching vulnerabilities because it leads to costly business disruptions and downtime. -0.41
  6. Insider threats are costlier to detect and contain than external attacks. -0.27
  7. Nation state attacks are mainly a threat for government organizations. -0.24
  8. Security intelligence tools provide too much information to be effective in investigating threats. -0.21

Discussion — the state of cybersecurity 

Senior management believes in the importance of the IT security function. Sixty-one percent of respondents say their senior management does not think IT security is strictly a tactical activity that reduces its importance in the eyes of senior management. Respondents concur that IT security in their organization is considered a strategic imperative.

Companies face a shortage of skilled and competent in-house staff. According to another Ponemon Institute study[1] , 70 percent of chief information security officers and other IT security professionals surveyed say a lack of competent in-house staff is what they worry about most when trying to defend their companies against cyberattacks. Further, 65 percent of these respondents say the top reason they are likely to have a data breach is because they have inadequate in-house expertise.

Are tensions between the IT and IT security function diminishing the security of organizations? Fifty-six percent of respondents agree that there is tension between IT security and IT operations because of a lack of alignment of their different priorities. Specifically, IT operations is more concerned with the organization’s business objectives and IT security is focused on securing the enterprise from cybersecurity threats.

However, many respondents believe that despite this tension, IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. Collaboration between these two groups can be improved through the use of tools that bring these two functions closer together and foster teamwork which will benefit the organization as a whole.

Investments in security technologies should be aligned with the overall IT strategy and not lead to complexity. While the priorities of IT security and IT operations are often not in alignment, investments in technologies are consistent with their organizations’ overall IT strategy, according to 60 percent of respondents. However, respondents believe many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity.

Technology investments are often motivated by well-publicized data breaches.  Fifty percent of respondents say data breaches that are widely reported in media can influence the decisions to purchase security technologies. While companies may purchase cyber insurance to manage the financial consequences of a data breach, only 34 percent of respondents say such a policy would reduce their investments in security technologies.

CLICK HERE TO LEARN MORE AND SEE A WEBINAR EXPLAINING THESE RESULTS

Mark Zuckerberg is the world’s front-page editor now. That’s the real problem

Bob Sullivan

Mark Zuckerberg never set out to be the world’s editor in chief, but here we are.  And sorry Mark, you are a terrible front page editor.

Hearings in Congress today dug into the weeds of why Americans feel like social media is letting them down — it was a ready-made tool for Russian election interference; it’s now silencing some voices based on vague criteria, and so on.  But these aren’t aren’t THE problem. They are just symptoms.

Two thirds of Americans get their news from social media today. Most from their Facebook wall. That’s s a very, very small window through which to see the world.  Worse yet, most of them don’t know how social media really works.  Pew just released a study showing a majority have no idea how stories are selected for Facebook’s news feed. And don’t believe they have any influence over what appears there.

That’s THE problem.

Fairly recently, a consumer reading a newspaper who didn’t like what was on the front page could do something simple, but now seems revolutionary — she could turn the page.  Over and over.  And within 10 minutes or so, she’d be exposed to hundreds of stories, neatly organized in sections.  If she were really smart, she might do this with three or four papers. More to the point, she had a pretty good understanding of why those headlines and those stories appeared in those sections.

Today, we scroll.  A supercomputer designed to hack our attention span optimizes that “front page” for “engagement,” with the goal of hypnotizing you into sticking around. There’s no sections, no priorities. Only click-bait.  And whatever Facebook has decided is important to the hypnotics that month (Live video! Puppies!) If a good story doesn’t click with the first few folks who see it, it’s dismissed into the long tail of Internet oblivion, destined to be a tree that’s fallen silently in an empty forest. This story, I’d think, will be a good candidate for that scrap heap.

I don’t begrudge that (ok, of course I do. Facebook’s algorithm changes have killed my website in recent months).  But I found this piece of Pew’s most recent survey the most troubling: Facebook offers token tools for adjusting what’s on users’ front pagea, but even these are rarely used. Fully two-thirds of users have never even tried to influence the content on their news feed. Of course, the older users get, the less likely they’ve taken an active step to change their feed, such unfollowing groups or asking that certain friends be prioritized. (Please choose “see more” of me.)

In other words, news consumption in America is dangerously passive.  And Mark Z is the most powerful front page editor in history.

This is not what Facebook set out to do; I genuinely think many at the company are horrified by this state of affairs.  I am one who believes it is an existential threat to the company — it’s very far from the Mark’s core expertise. And users will eventually revolt. In a separate Pew survey, researchers found that 42% of users had taken some kind of Facebook break recently. And 26% said they had deleted the app from their phone. Those numbers seem awfully high to me, but you get the point.  People sort of hate Facebook now for what it’s done to their lives.  That’s not a great business model.

And it’s getting worse. As Facebook works frantically to save itself, and to diffuse the bomb it’s been turned into, news feed is often shrunken. Puppy photos are back on top; interesting news stories (like this one!) are out.  Users see an even smaller selection of “follows” when they look.  You might have 500 friends, but only 25 of them appear in your feed, urban legends and empirical evidence tells us.

Why are we really here? Since the beginning of time, Facebook has refused to offer an unfiltered option that would simply list every post from every friend.  When a software maker invented a third-party app to make such a raw feed, Facebook forced it to shut down. Users would be overwhelmed by so many posts, the firm believes.  News feed must be edited.  And so, here we are.

Yes, in some ways, we did this to ourselves.  Nothing stops Americans from visiting SeattleTimes.com on their own, instead of relying on the news feed (or Google News) for their headlines. Heaven forbid, we could actually subscribe to a newspaper, too.  But, as I began this piece, here we are.  The world’s most efficient tool for connecting human beings, one of the Internet’s original killer app, has killed our curiosity.  We’re devolving into digital-made tribes, only listening to the 25 or so people who make the front page of our lives.

As the saying goes, you made this mess, Mark. You have to clean it up.