Monthly Archives: September 2020

Bouncing back from a breach; it’s getting better

As the threat landscape continues to worsen, it is more important than ever for organizations to be able to withstand or recover quickly from the inevitable data breach or security incident. Ponemon Institute and IBM Security are pleased to release the findings of the fifth annual study on the importance of cyber resilience to ensure a strong security posture. In this year’s study, we look at the positive trends in organizations improving their cyber resilience but also the persistent barriers that exist to achieving cyber resiliency.

The use of cloud services supports cyber resilience. As part of this research, we identified respondents in this study that self-reported their organizations have achieved a high level of cyber resilience and are better able to mitigate risks, vulnerabilities and attacks. We refer to these organizations as high performers.

As shown in Figure 1, 74 percent of respondents in high performing organizations vs. 58 percent of respondents in other organizations understand the importance of cyber resilience to achieving a strong cybersecurity posture. High performing organizations are also more likely to recognize the value of cloud services to achieving a high level of cyber resilience (72 percent of high performing respondents vs. 55 percent of respondents in the other organizations). According to these high performing organizations, cyber resilience is improved because of the cloud services’ distributed environment and economies of scale.

[NOTE: We define cyber resilience as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks. This refers to an enterprise’s capacity to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a myriad of serious threats against data, applications and IT infrastructure.]

In this section of the report, we provide an analysis of the global consolidated key findings. Ponemon Institute surveyed more than 4,200 IT and IT security professionals in the following countries: The United States, Australia, the United Kingdom, France, Germany, Middle East (UAE/Saudi Arabia), ASEAN, Canada, India and Japan. Most of them are involved in securing systems, evaluating vendors, managing budgets and ensuring compliance.

The complete audited findings are presented in the Appendix of the full report, published on IBM’s website. The findings there are organized into the following topics:

  1. Since 2015, organizations have significantly improved their cyber resilience
  2. The steps taken that support the improvement in cyber resilience
  3. More work needs to be done to become cyber resilient
  4. Lessons from organizations with a high degree of cyber resilience
  5. Country differences

Here is a sample of section 1:

Since 2015, organizations have significantly improved their cyber resilience

More organizations have achieved a high level of cyber resilience. In 2016, less than one-third of respondents said their organizations had achieved a high level of cyber resilience and in this year’s research the majority of organizations say they have achieved a high level of cyber resilience. With the exception of the ability to contain a cyber attack, significant improvements have been made in the ability to prevent and detect an attack.

 Improvement in cyber resilience has steadily increased since 2016. Since 2016, the percentage of respondents who say their cyber resilience has significantly improved or improved has significantly increased from 27 percent of respondents in 2016 to almost half (47 percent of respondents) in 2020.

The number of cyber attacks prevented is how organizations measure improvement in cyber resilience. Of the 47 percent of respondents who say their organizations’ cyber resilience has improved, 56 percent say improvement is measured by the ability to prevent a cyber attack.

As discussed previously, since 2015 the ability to prevent such an incident has increased significantly from 38 percent of respondents who said they have a high ability to 53 percent in this year’s research. Another indicator of improvement is the time to identify the incident, according to 51 percent of respondents. Similar to prevention, the ability to detect an attack has improved since 2015.

Expertise, governance practices and visibility are the reasons for improvement. To achieve a strong cyber resilience posture, the most important factors are hiring skilled personnel (61 percent of respondents), improved information governance practices (56 percent of respondents) and visibility into applications and data assets (56 percent of respondents). These are followed by such enabling technologies as analytics, automation and use of AI and machine learning.

Least important is C-level buy-in and support for the cybersecurity function and board-level reporting on the organizations’ cyber resilience. Currently, only 45 percent of respondents say their organizations issue a formal report on the state of cyber resilience to C-level executives and/or the board.

Having skilled staff is the number reason cyber resilience improves and the loss of such expertise prevents organizations from achieving a high level of cyber resilience, according to 41 percent of respondents. Respondents also cite the need for an adequate budget, the ability to overcome silo and turf issues, visibility into applications and data assets and properly configured cloud services are essential to improving their organizations’ cyber resilience.

To read the full report, visit IBM’s website.

Tracking the Covid tracker apps — dangerous permissions and ‘legitimizing surveillance’

Bob Sullivan

One app requires permission to disable users’ screen locks. Another claims it doesn’t collect detailed location information, but accesses GPS data anyway.  Still another breaks its own privacy policy by sharing personal information with outside companies. And nearly all of them request what Google defines as “dangerous permissions.”

Is this the latest cache of hacker apps sold in the computer underground? No. These stories arise from the 121 Covid-19 apps that governments around the world have released in an attempt to track and control the virus. Security researchers are worried the apps can be used to track and control populations — long after the pandemic has passed. And even if governments have the best intentions in mind, cybercriminals might be able to access the treasure trove of data collected by these apps. After all, they’ve been built hastily, under pressure as Covid-19 has raged around the globe.

Megan DeBlois

It makes sense to use technology to fight the virus. Contact tracing — identifying anyone a sick patient might have infected — is a staple technique to stem outbreaks. It’s easy to imagine a system that uses smartphones to ease this complicated task. But balancing public health with privacy concerns is tricky, if not impossible.

 

Volunteers who are worried about these dark possibilities recently launched Covid19AppTracker.org.  Contributors keep track of security analyses completed of each app and have made their database available for free download. Qatar’s Ehteraz app – which is mandatory, and has been already downloaded 1 million times — allows the developer to unlock users’ smartphones, according to the organization’s database.  Amnesty International’s analysis discovered a vulnerability in Qatar’s app that would have allowed hackers to access highly sensitive information collected by the app.

“The speed at which this technology is being deployed …should terrify people,” said Megan DeBlois, Covid19AppTracker.org’s volunteer product manager.  “I would argue in a lot of cases (this is) legitimizing surveillance with the lens of a public good, but without a lot of transparency.”

Most of the apps in Covid19Tracker’s database are made by governments outside the U.S. Contact tracers have been released rapidly across the E.U. and in places like Saudi Arabia and India. In the U.S., states have been slow to push out tracker apps, partly out of privacy and security concerns.

DeBlois recently presented the group’s findings at the virtual DefCon hacker convention in a talk titled “Who Needs Spyware When You Have Covid-19 Apps?

There were some obvious patterns. While EU apps were less invasive that apps generated by other governments, nearly all of them requested permissions that Google defines as “dangerous,” such as precise location information – in fact 74% of the apps in the database ask for GPS data. Fully 16 request microphone access and 44 ask for camera access. Seven try to access phone contacts.

The group’s database includes purely information apps, symptom trackers, and contact tracing. It’s not going to be easy to build a contract tracing app that respects people’s privacy, DeBlois cautioned.

“It’s really about the nature of contact tracing … The whole point is to track people, to associate linkages,” she said. “That makes it difficult to build and engineer something that works in the way everyone needs it to work.”

Contact tracing apps fall roughly into two categories — those that share all users’ location with a central, government-controlled database, and those that work by merely allowing phones to talk to each other through Bluetooth. In that model, data is only shared with a government agency after a confirmed infection. Google and Apple have recently tweaked their smartphone operating systems to encourage development of this kind of app.

“I’m cautiously optimistic about this minimalistic approach — that model has a lot of potential,” DeBlois said.

View the presentation

Still, she has other concerns.

“I’m a little bit nervous about the way the technology decisions were made,” she said. “A lot of the technology has been dictated by companies. They aren’t part of our democratically-elected government.”

The proliferation of such apps around the world should concern U.S. citizens, too, even those who don’t plan to download a U.S. tracker app, she said. The Qatar app is mandatory even for visitors, for example. That could have implications for business travelers for years to come.

“There absolutely will be implications that cross national boundaries,” she said. “For folks who do international travel, this should be on their radar.”

In the U.S. and western democracies, where use of tracker apps is expected to be voluntary, the apps will be useless unless a large percentage of citizens download them. That’s going to require a lot of trust – a trust that seems lacking in the U.S. right now.  DeBlois cited revelations made by Edward Snowden as one reason: Snowden confirmed some of Americans’ worst fears about government abuse of surveillance technology, she said.

How could U.S. health agencies overcome this lack of trust?

“It starts with transparency,” she said. “Making clear who has access to the information, for how long.  All those questions need to be answered,  And those answers need to be verified.”