Author Archives: Bob Sullivan

It’s 10 p.m.: Do you know where are your apps are?

Larry Ponemon

Larry Ponemon

Ponemon Institute is pleased to present the results of Application Security in the Changing Risk
Landscape sponsored by F5. The purpose of this study is to understand how today’s security
risks are affecting application security. We surveyed 605 IT and IT security practitioners in the
United States who are involved in their organization’s application security activities.

The majority of respondents (57 percent) say it is the lack of visibility in the
application layer that is preventing a strong application security. In fact, 63 percent of respondents say attacks at the application
layer are harder to detect than at the network layer and 67 percent of
respondents say these attacks are more difficult to contain than at the network

Following are key takeaways from this research.

Lack of visibility in the application layer is the main barrier to achieving a
strong application security posture. Other significant barriers are created by
migration to the cloud (47 percent of respondents), lack of skilled or expert
personnel (45 percent of respondents) and proliferation of mobile devices (43 percent of

The frequency and severity of attacks on the application layer is considered greater than
at the network layer. Fifty percent of respondents (29 percent + 21 percent) say the application is attacked more and 58 percent of respondents (33 percent + 21 percent) say attacks are more severe than at the network layer. In the past 12 months, the most common security incidents due to insecure applications were: SQL injections (29 percent), DDoS (25 percent) and Web fraud (21 percent).

Network security is better funded than application security. On average, 18 percent of the IT security budget is dedicated to application security. More than double that amount (an average of 39 percent) is allocated to network security. As a consequence, only 35 percent of respondents say their organizations have ample resources to detect vulnerabilities in applications, and 30 percent of respondents say they have enough resources to remediate vulnerabilities in applications.

Accountability for the security of applications is in a state of flux. Fifty-six percent of
respondents believe accountability for application security is shifting from IT to the end user or
application owner. However, at this time responsibility for ensuring the security of applications is dispersed throughout the organization. While 21 percent of respondents say the CIO or CTO is accountable, another 20 percent of respondents say no one person or department is responsible.

Twenty percent of respondents say business units are accountable and 19 percent of
respondents say the head of application development is accountable.

Shadow IT affects the security of applications. Respondents estimate that on average their
organizations have 1,175 applications and an average of 33 percent are considered mission
critical. Sixty-six percent of respondents are only somewhat confident (23 percent) or have no
confidence (43 percent) they know all the applications in their organizations. Accordingly, 68
percent of respondents (34 percent + 34 percent) say their IT function does not have visibility into all the applications deployed in their organizations and 65 percent of respondents (32 percent + 33 percent) agree that Shadow IT is a problem.

Mobile and business applications in the cloud are proliferating. An average of 31 percent of
business applications are mobile apps and this will increase to 38 percent in the next 12 months. Today, 37 percent of business applications are in the cloud and this will increase to an average of 46 percent.

The growth in mobile and cloud-based applications is seen as significantly affecting
application security risk. Sixty percent of respondents say mobile apps increase risk (25
percent) or increase risk significantly (35 percent). Fifty-one percent of respondents say cloud based applications increase risk (25 percent) or increase risk significantly (26 percent).
Hiring and retaining skilled and qualified application developers will improve an
organization’s security posture. Sixty-nine percent of respondents believe the shortage of
skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the “rush to release” causes application developers in their organization to
neglect secure coding procedures and processes.

Cyber security threats will weaken application security programs, but new IT security and
privacy compliance requirements will strengthen these programs. Eighty-eight percent of
respondents are concerned that new and emerging cyber security threats will affect the security
of applications. In contrast, 54 percent of respondents say new and emerging IT security and
privacy compliance requirements will help their security programs. According to respondents,
there are more trends expected to weaken application security than will strengthen security.
The responsibility for securing applications will move closer to the application developer.

Sixty percent of respondents anticipate the applications developer will assume more responsibility for the security of applications. Testing for vulnerabilities should take place in the design and development phase of the system development life cycle (SDLC). Today, most applications are tested in the launch or post-launch phase (61 percent). In the future, the goal is to perform more testing in the design and development phase (63 percent).

Do secure coding practices affect the application delivery cycle? Fifty percent of
respondents say secure coding practices, such as penetration testing, slow down the application delivery cycle within their organizations significantly (12 percent of respondents) or some slowdown (38 percent of respondents). However, 44 percent of respondents say there is no slowdown.

How secure coding practices will change. The secure coding practices most often performed
today are: run applications in a safe environment (67 percent of respondents), use automated
scanning tools to test applications for vulnerabilities (49 percent of respondents) and perform
penetration testing procedures (47 percent of respondents). In the next 24 months, the following practices will most likely be performed: run applications in a safe environment (80 percent of respondents), monitor the runtime behavior of applications to determine if tampering has occurred (65 percent

Submarine builder declares ‘economic warfare’ as plans for ship said to be hacked; now what?

Bob Sullivan

Bob Sullivan

Get used to another term in world of computer hacking: “economic warfare.”

A French firm building multi-billion-dollar submarines for Australia and several other nations says it was the victim of economic warfare after some of its schematics for similar subs being built for India were released online, allegedly by hackers.   The data was published by Australian media

The firm, DCNS, is currently bidding for military contracts in Poland and Norway. For the India gig, it had beaten out German and Japanese firms.

An embarrassing data leak would obviously hurt the French firm’s bid for more deals — in addition to perhaps imperiling the security of its current projects.

“DCNS has been made aware of articles published in the Australian press related to the leakage of sensitive data about Indian Scorpene,” the firm said on its website. “This serious matter is thoroughly investigated by the proper French national authorities for Defense Security. This investigation will determine the exact nature of the leaked documents, the potential damages to DCNS customers as well as the responsibilities for this leakage.”

Right now, there’s only speculation about how much the allegedly stolen data might impact the security of the ships when they arrive in India — and the security of similar DCNS ships in Malaysia and Chile.

But DCNS immediately suggested that rivals might be to blame for the leak.

“Competition is getting tougher and tougher, and all means can be used in this context,” a company spokesperson said to Reuters. “There is India, Australia and other prospects, and other countries could raise legitimate questions over DCNS. It’s part of the tools in economic warfare.”

It’s clearly too early to know, however, if simple corporate espionage is to blame — or there might be some military advantage to be gained from publication of the documents.  Given that the alleged hackers send the data to a media outlet, it’s also possible their motivation was political.

The incident does highlight the asymmetrical nature of digital “warfare,” however.  A billion-dollar project involving thousands of employees can be derailed by a single person with a digital file and a the e-mail address of a journalist.

“If this was economic warfare as speculated, we can expect more attacks like this on a global scale,” said Scott Gordon, COO at file security firm FinalCode. “Hacktivists are motivated by reputational, economic and political gains from capitalizing on businesses’ and countries’ inability to secure sensitive, critical documents— tipping the scale in favor of other contenders in future military action and contracting situations.”

It also shows how hard it is to keep data under wraps when multiple third-party contractors have to share information in large projects.

“Sharing files, such as the 22,000-plus pages of blueprints and technical details on DCNS’s Scorpene submarines, is a necessary collaboration between government, contractor and manufacturing entities,” Gordon said. “But the exposure of these Indian naval secrets illustrates how lax file protection has opened a door to new data loss risks—and how even confidential military information can be exfiltrated and exposed by a weak link in the supply chain.”

From hunted to hunter

Larry Ponemon

Larry Ponemon

The purpose of the “Don’t Wait: The Evolution of Proactive Threat Hunting” survey, sponsored by Raytheon, is to examine how organizations are deploying managed security services to strengthen their security posture. The research also looks at the critical success factors, barriers and challenges to having a successful relationship with managed security services providers.

We surveyed 1,784 chief information security officers and other senior IT security leaders in North America, Europe, Middle East and Asia Pacific[1] who are familiar with their organizations’ managed security service practices. Managed security services providers (MSSPs) are engaged by organizations to manage and strengthen their IT environment’s security by providing services including security information and event management (SIEM), network security management (NSM), endpoint detection and response (EDR), incident response, forensics and more.

Security tools such as anti-virus, firewalls, intrusion detection and sandbox technologies, are built upon the assumption that attackers adhere to a known set of tools and tactics. Today, while a majority of MSSPs focus on these traditional, reactive tools, some provide more advanced, proactive services. Proactive threat hunting services can effectively find sophisticated and damaging threats, including previously undetected attacks, and stop them before businesses suffer damage.

In this study, 56 percent of respondents use an MSSP and 22 percent say they plan to engage an MSSP in the future. Part 2 of this report provides analysis of the 56 percent who are engaged with a provider. In many cases, it is a serious security incident such as a data breach that motivates companies to engage an MSSP to strengthen their security posture.

A key takeaway is that organizations using MSSPs understand the primary benefits of leveraging external expertise. Eighty percent view MSS as essential, very important or important to their overall IT security strategy. Figure 1 shows the primary reason to have an MSSP is to improve security posture (59 percent). This is followed closely by the need to reduce the challenge of recruiting and retaining necessary talent (58 percent) and the lack of in-house security technologies (57 percent).

The following are the seven most salient research findings.

 1. MSSPs help companies achieve a stronger security posture. With evolving cyber threats, organizations face the critical challenge of lack of expertise, personnel and resources. MSSPs are seen as filling these gaps to improve their security.

Many organizations worldwide still typically wait until after a breach before the money is allocated to engage an MSSP. Two-thirds of organizations not currently using an MSSP say that the top trigger would be a significant data loss resulting from an IT security incident.

A breach would confirm that the organization’s risk of compromise is high, so it becomes a priority.

2. A shift from reactive services to proactive services offered by providers and demanded by organizations is occurring but is still in the early stages. The lack of proactive threat hunting services could be contributing to the daily barrage of media headlines about data breaches in organizations worldwide. It highlights a need for organizations to be doing more to protect their networks from the most insidious threats. Currently, MSSPs offer cybersecurity assessment (39 percent), integration services (31 percent) and digital forensics and incident response (DFIR) engineering and/or assessment (28 percent). Only 16 percent say their MSS offers proactive threat hunting to find advanced threats based on behaviors and anomalies.

3. Interoperability with security intelligence tools such as SIEM is essential or very important. When asked what characteristics of MSSPs are essential or very important, the number one feature is high interoperability with the company’s security intelligence tools, such as SIEM (73 percent). Also critical are speedy deployment (65 percent), round-the-clock threat monitoring and management (63 percent), a tried and tested service offering (62 percent) and scalability of services (61 percent). Not as critical are compliance with data protection requirements (52 percent) and indemnification for service failures (36 percent)\

Whether organizations use MSSPs or not, interoperability/integration between MSSP and the customer is top priority. Those currently not using one say it is difficult to find MSSPs that would support or integrate with their systems and requirements. Fifty-three percent list difficulty finding vendors strong in interoperability as the reason they choose not to outsource.

4. MSSPs provide insights about security events and a better understanding of the external threat environment. Sixty-five percent of respondents believe their MSSP leverages insight gained from monitoring a large number of security events from a global customer base and 53 percent say the MSSP helps to better understand the external threat environment through the collection and analysis of information on attackers, methods and motives. More than half (51 percent) say it effectively mitigates the risks after they are identified.

5. MSSPs have identified existing software vulnerabilities that are more than three months old. Fifty-four percent of respondents say their MSSPs identified exploits of existing software vulnerabilities greater than three months old, and 45 percent say exploits of existing software vulnerabilities less than three months old have been discovered. They also revealed Web-borne malware attacks (51 percent). New threats are often going undetected because typical providers are not actively identifying new threats but importing threats identified by industry into their toolsets.

6. Responsibility for relationships with MSSPs is shifting. Fifty-nine percent say responsibility for the MSSP is shifting from IT to the lines of business. Today, however, the IT (43 percent) or IT security professional (15 percent) owns their organizations’ relationships with MSSPs. This represents a trend that MSS services are not considered a commodity but a strategic element and competitive advantage companies can foster. One reason for this shift is that in many organizations the CEO and board of directors now have a responsibility to the shareholders to ensure that companies are protected.

7. A lack of visibility into the outsourcer’s IT security infrastructure is a barrier to successful outsourcing of security services. Fifty-one percent say a lack of visibility into the outsourcer’s IT security infrastructure is the main hindrance to a successful approach to outsourcing. Other barriers are inconsistency with the organization’s culture (49 percent) and turf or silo issues between the organization’s IT security operations team and the outsourcer (46 percent).

To read the rest of this report, click here


[1] The countries represented in these regions are: United States, Canada, United Kingdom, Denmark, France, Germany, Netherlands, Brunei, Kuwait, Saudi Arabia, Oman, Qatar, UAE, India, Australia, Japan, Singapore and South Korea.


New worries about ransomware — attacking smartphones

Bob Sullivan

Bob Sullivan

There’s been a scary increase in successful ransomware attacks against large organizations this year. Specifically, hospitals have found themselves at the mercy of hackers who demand ransom payments to unlock critical system files. Recently, there have been signs that these criminals have moved on to universities, too. The University of Calgary admitted to Canadian media last month that it paid $20,000 ransom “to address system issues.”

But individuals have something new to worry about. A new report from Kaspersky Lab says its detection rate for mobile ransomware — malicious software targeting smartphones and demanding ransoms — quadrupled in one year.

It’s easy to see why phone ransomware would work. Consumers fly into a panic when their phone battery dies; imagine what it’s like to see a message saying your phone is locked, and a $100 payment is required to unlock it.

Kaspersky says some ransomware criminals simply require that mobile victims type in a iTunes gift card number to free the device. I’ve written recently about the increases use of Apple card payments for fraud.

A combination of easy, anonymous payments and off-the-shelf copycatting software tools makes mobile ransomware a new and potentially dangerous threat, both to consumers and to the companies that employ them.

The numbers tell the story: From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. A year later the number had increased almost four-fold to 136,532 users.

It’s unclear from the report how users encounter mobile ransomware in the first place, though at least some get it when visiting porn sites and are tricked into downloading and installing malicious software.

“The extortion model is here to stay,” Kaspersky says in its report. “Mobile ransomware emerged as a follow-up to PC ransomware and it is likely that it will be followed-up with malware targeting devices that are very different to a PC or a smartphone. These could be connected devices: like smart watches, smart TVs, and other smart products including home and in-car entertainment systems. There are a few proof-of-concepts for some of these devices, and the appearance of actual malware targeting smart devices is only a question of time.”

Kaspersly offers these tips to consumers:

Back-up is a must. If you ever thought that one day you would finally download and install that strange boring back-up software, today is the day. The sooner back-up becomes yet another rule in your day-to-day PC activity, the sooner you will become invulnerable to any kind of ransomware.

Use a reliable security solution. And when using it do not turn off the advanced security features which it most certainly has. Usually these are features that enable the detection of new ransomware based on its behavior.

Keep the software on your PC up-to-date. Most widely-used programs (Flash, Java, Chrome, Firefox, Internet Explorer, Microsoft Windows and Office) have an automatic updates feature. Keep it turned on, and don’t ignore requests from these applications for the installation of updates.

Keep an eye on files you download from the Internet. Especially from untrusted sources. In other words, if what is supposed to be an mp3 file has an .exe extension, it is definitely not a musical track but malware. The best way to be sure that everything is fine with the downloaded content is to make sure it has the right extension and has successfully passed the checks run by the protection solution on your PC.

Keep yourself informed of the new approaches cyber-crooks use to lure their victims into installing malware.

The state of SMB security: 10 findings

Larry Ponemon

Larry Ponemon

No business is too small to evade a cyber attack or data breach. Unfortunately, smaller organizations may not have the budget and in-house expertise to harden their systems and networks against potential threats. In fact, only 14 percent of the companies represented in this study rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. Moreover, the introduction of cloud applications and infrastructure and more mobile devices is creating more security risks that will stretch these companies’ resources.

Ponemon Institute is pleased to present the results of the 2016 State of Cybersecurity in Small and Medium-Sized Business sponsored by Keeper Security. We surveyed 598 individuals in companies with a headcount from less than 100 to 1,000.

Some 55 percent of these respondents say their companies have experienced a cyber attack in the past 12 months, and 50 percent report they had data breaches involving customer and employee information in the past 12 months. In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429.

The following 10 findings reveal the state of cybersecurity in smaller businesses.

  1. The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.
  1. Negligent employees or contractors and third parties caused most data breaches. However, almost one-third of companies in this research could not determine the root cause.
  1. Companies are most concerned about the loss or theft of their customers’ information and their intellectual property.
  1. Strong passwords and biometrics are believed an essential part of the security defense. However, 59 percent of respondents say they do not have visibility into employees’ password practices such as the use of unique or strong passwords and sharing passwords with others.
  1. Password policies are not strictly enforced. If a company has a password policy, 65 percent of respondents say they do not strictly enforce it. Moreover, the policy does not require employees to use a password or biometric to secure access to mobile devices.
  1. Current technologies cannot detect and block many cyber attacks. Most exploits have evaded intrusion detection systems and anti-virus solutions.
  1. Personnel, budget and technologies are insufficient to have a strong security posture. As a result, some companies engage managed security service providers to support an average of 34 percent of their IT security operations.
  1. Determination of IT security priorities is not centralized. The two functions most responsible are chief executive and chief information office. However, 35 percent of respondents say no one function in their company determines IT security priorities.
  1. Web and intranet servers are considered the most vulnerable endpoints or entry points to networks and enterprise systems. The challenge of not having adequate resources may prevent many companies from investing in the technologies to mitigate these risks. Web application firewalls, SIEM, endpoint management, network traffic intelligence are not considered very important in current security strategy. At a minimum anti-malware and client firewalls are considered the most important security technologies.
  1. Cloud usage and mobile devices that access business-critical applications and IT infrastructure will increase and threaten the security posture of companies in this study. However, only 18 percent of respondents say their company uses cloud-based IT security services and most password policies do not require employees to use a password or biometric to secure access to their mobile devices.


Download the full report here.

Cardinals’ ‘hacker’ gets nearly four years in jail (for ‘cheating’ in baseball?) — don’t you be next

Bob Sullivan

Bob Sullivan

Baseball has long celebrated cheating, but electronic cheating just sent a former team front-office worker to prison for nearly four years.

Former St. Louis Cardinals scouting director Chris Correa, who earlier pled guilty to using old passwords to access a former team’s scouting database, was sentenced to 46 months in jail on Monday. Correa broke into the Houston Astros’ computer systems repeatedly, stealing data. He had previously worked for the Astros.

Correa has been dubbed a hacker by sports media, but he simply made educated guesses to break into his old team’s computer database, mainly to download scouting intelligence that might help the Cardinals gain insight into players the Astros wanted to draft or trade for.

The long sentence was tied to the economic loss “suffered” by the Astros…and here things get confusing. According to, federal prosecutors essentially calculated how much money the Astros spent developing the data in their player database.

Assistant U.S. Attorney Michael Chu, who handled the hearing, listed the formula used to arrive at $1.7 million.

“But since much of the data that we looked at focused on the 2013 draft, what we did was we took the number of players that he looked at by 200 and we divided that by the number of players that were eligible to be drafted that year, and we multiplied that times the scouting budget of the Astros that year. That comes to $1.7 million,” he said.

That kind of loss meant a sentence of 36-48 months, according to federal guidelines.

That kind of jail time sounds like a lot for what some might consider the equivalent of stealing a third-base coach’s signs…particularly when you hear about rapists getting 6-month sentences…but it is not out of line with many computer criminal punishments.

There has long been debate about fairness in hacker sentencing, a debate that reached fever pitch after Aaron Swartz for “hacking” research and received a 30-year sentence and ultimately committed suicide.

Again, Correa is no hacker.  When I talked to Morey Haber, vice president of technology at BeyondTrust, he sharply defended the sentence.

“Yes, there is a certain amount of cheating that goes on (in sports), but that’s during the game,” he said. “This is corporate espionage. It’s no different from hacking a bank…It’s no different than if you went from Lockheed Martin to Northrup Grumman (and hacked into your old employer)….It’s not acceptable and courts are sending a strong message.”

Whatever you feel about Correa’s sentence — and hanging questions about whether or not he could have been the only one who knew about all this — there are three really important lessons to learn from the Cardinals hack.\

First, Correa actually told the judge during a hearing that he started breaking into Astros computers because he was afraid they were doing the same thing to him.  That may or may not be true. But “hacking back,” however tempting, is a crime. And it can steal several years from your life.

Second, using an old password to log into your old company — or slight variations of that — might seem like a fairly innocent thing to do. Maybe you forgot a contact phone number, or there’s a document (you wrote!) that you’d like to see one more time.  This kind of “hacking” can feel like no crime at all. It’s just a few keystrokes.

Doing that can also cost you years of your life.

Finally, to you Astros-like companies out there.  Passwords can be easily guessed.  And they can be really easily guessed by former employers who know the password tendencies of your current employees.  Look at this section of the court transcript that describes the ‘hack.’

“It was based on the name of a player who was scrawny and who would not have been thought of to succeed in the major leagues, but through effort and determination he succeeded anyway. So this user of the password just liked that name, so he just kept on using that name over the years. … Kind of like Magidson123… Or Magidson1/2,1/4,1/3.

Have a smarter authentication system than that. At least change the indicator once in a while. (That’s a baseball joke.)

Risky business: How company insiders put high value information at risk

Larry Ponemon

Larry Ponemon

Ponemon Institute is pleased to present the results of Risky Business: How Company Insiders Put High Value Information at Risk, sponsored by Fasoo. The purpose of this study is to understand what activities put business-critical information at risk in the workplace.

Based on the findings of this research, employees and other insiders often lack the information, conscientiousness and guidance needed to make intelligent decisions about the information they have access to and share. In fact, companies are more confident they can stop external attackers from accessing confidential information than their own employees and contractors.

We surveyed 637 IT and IT security practitioners who are familiar with their organization’s approach to securing confidential information contained in documents and files. All organizations represented in this research use document and file-level security tools. In the context of this study, high value information could be trade secrets, new product designs, merger and acquisition activity, confidential business and financial information, and employee information. The loss or theft of such information would be catastrophic for a company and affect its sustainability.

Safeguarding high value information in organizations is a two-way street. Employees need to be responsible and follow data protection policies and safeguards in place. In turn, companies need to have the tools, expertise and governance practices to protect sensitive and confidential information.

According to the study, the majority of organizations represented in this research (56 percent of respondents) say they do not educate employees on the protection of documents and files containing confidential information. In addition, most companies do not conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. Those companies that did conduct an audit discovered deficiencies in their document or file security practices.

Very few organizations are prepared to stop the leakage of high value information. Only 27 percent of respondents say they have the ability to restrict the sharing of confidential documents and files among employees and only 36 percent believe they can restrict the sharing of files with third parties. Similarly, 28 percent of respondents say their organizations have the ability to manage and control employee access to confidential documents and files.

The following are key takeaways from this report according to these topics:

 High value information is at risk
 The challenge of plugging the leaks of high value information
 Reverse the insider risk

High value information is at risk

Company insiders cause data breaches. The primary cause of data breaches experienced by companies in this study was the careless employee (56 percent of respondents) followed by lost or stolen devices (37 percent of respondents) or system glitches (28 percent of respondents). In contrast, only 22 percent of respondents say external attackers or malicious/criminal insiders (17 percent of respondents) caused the breach.

Companies lack the technologies to detect company insider risk. Sixty-eight percent of respondents say they do not know where their confidential information is located and 61 percent of respondents say their organizations do not have visibility into what confidential documents and files are used and/or shared among employees.

Technologies focus on the perimeter and not on preventing access to unencrypted files. The primary enabling security technologies used in the document and file collaboration environment are identity and access management tools or two-factor authentication. Far fewer organizations are using technologies to manage encryption keys so only the business can access unencrypted files. Enterprise file sharing solutions and technologies that enable organizations to obtain data location when using cloud services are not used frequently .

The sales department and human resources are most likely to put high value information at risk. The sales function and human resources pose the greatest risk to both structured and unstructured information assets . C-level executives also pose great risk to unstructured information assets. The research and development function is the most careful in protecting both structured and unstructured data.

Employees use document and file sharing applications vulnerable to data leakage. Fifty-eight percent of respondents say employees use free versions of consumer file sync and share applications. Only 36 percent of respondents say employees use enterprise-grade file sharing on private cloud.

Education and policies are not in place to provide guidance on appropriate access and sharing practices. Fifty-six percent of respondents say their organizations do not educate employees on the protection of documents and files containing confidential information and 50 percent of respondents say they do not have a policy for the acceptable use of document and cloud or Web-based file sharing applications by employees.

The sharing of files and documents is unsecured. Sixty-nine percent of respondents say files and documents are shared using unencrypted email and 58 percent of respondents say they share files using a cloud-based, commercial file-sharing tool. Only 30 percent of respondents say they use encrypted email and 31 percent of respondents use file transfer protocol (FTP).

Both company-assigned and employee-owned mobile devices are used to access and share confidential documents and files. Only 29 percent of respondents say their organization restricts the use of company-assigned mobile devices such as smartphones and tablets from accessing and sharing confidential documents and files with other employees and third parties. Fifty-four percent of respondents say their organization restricts the use of employee-owned (BYOD) mobile devices such as smartphones and tablets to access and/or share confidential documents and files with others.

Audits are rarely conducted, but they do reveal security deficiencies. Only 23 percent of respondents say their organizations conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. However, 69 percent of respondents say the audits reveal security issues that need to be addressed.

The challenge of plugging the leaks of high value information

Organizations get low scores for their ability to stop a potential data breach by employees and third parties. Only 41 percent of respondents say their organizations are highly effective in preventing the leakage of confidential documents and files by careless employees and 43 percent are highly effective in preventing the leakage of confidential documents and files by third parties such as vendors and business partners.

There is no clear responsibility for securing documents and files with confidential information. According to 37 percent of respondents, no one person in their organization has ultimate authority for ensuring the security of confidential information in documents and files. Chief information officers and end users have responsibility, according to 35 percent of respondents, respectively. Only 18 percent of respondents say the chief information security officer is responsible.

Organizations struggle to determine the appropriate level of confidentiality of documents and files. Only 17 percent of respondents rate their organizations as highly effective in determining the appropriate level of confidentiality of documents and files. Typically, organizations determine confidentiality by data type (71 percent of respondents), policies (65 percent of respondents) or data usage (59 percent of respondents). Only 13 percent of respondents say they determine confidentiality by who has access to the document or by a content management system (16 percent of respondents).

Stopping unauthorized access is a challenge for companies. Only 15 percent of respondents say their organizations are highly effective in setting employee/user permissions to access confidential documents and files and only 17 percent of respondents say they are successful in curtailing the use of unapproved/insecure document and file collaboration tools.

Reverse the insider risk

Company insiders frequently do stupid things with confidential information. According to 78 percent of respondents, employees frequently do not delete confidential documents or files that were no longer needed or required for use and 51 percent of respondents say employees frequently are sharing files and documents not intended for them. Forty-four percent say very often employees are forwarding confidential files or documents to individuals not authorized to receive them.

Organizations are willing to allow workers to have their confidential information on their home computers and devices. Almost half of respondents (48 percent) say they believe there are situations when it is acceptable for employees to transfer or retain confidential documents or files to their home computer and personally owned tablet or smartphone. Surprisingly, a lack of policy enforcement is an acceptable reason to transfer or retain confidential documents or files to a home computer or personally owned mobile device.

Who owns the company’s proprietary and high value information? If an employee, who is a software programmer, develops applications for a client company and then reuses the same source code in projects for other companies, does that employee have some level of ownership in the work and invention? Fifty percent of respondents say they do. However, if the employee does not receive advance permission from the client company to reuse the source code, 42 percent of respondents say this is a serious infraction and 19 percent of respondents say it is a minor infraction.

The unethical use of a competitor’s proprietary information occurs frequently. Forty-seven percent of respondents say they are aware of situations when recently hired employees bring confidential documents from former employers that are a competitor of their organization. Thirty-seven percent of respondents say they believe this happens very frequently (22 percent of respondents) or frequently (15 percent of respondents). However, 45 percent of respondents do not view the use of a competitor’s business confidential information as an infraction against the company.

To access the full report, click here:

State official: Please stop falling for ransomware attacks — you’re costing the taxpayers big bucks

Bob Sullivan

Bob Sullivan

How bad has the ransomware problem become?  The state auditor of Ohio held a press conference yesterday because local government agencies keep falling for ransomware attacks. And a firm that tracks domain activity found a 3,500% increase in ransomware-related domain name registrations in the past quarter.  Hacker love to cut and paste, so imitation is the surest sign that something is working.

Recall the high-profile, alarming ransomware attacks earlier this year on hospitals.  These “your money or your data” crimes can do a lot of damage quickly, and confused organizations brought to their knees by missing mission-critical data often pay up.  Of course, smaller organization with less IT resources are at greater risk.

Here’s what’s going on in Ohio.  Auditor of State Dave Yost issued a warning on Thrusday to treasurers, fiscal officers and others responsible for spending public money that cybercrimes targeting government are “on the rise.” And he offered these examples.

  • An investigation continues in an eastern Ohio county after the county’s court data was attacked by ransomware on May 31. A virus had encrypted the court’s data and hackers demanded $2,500 for the key to unlock the information. Because a recent copy of the data wasn’t available, the county agreed to pay the $2,500. (Note: Because the transaction is ongoing, we are not identifying the county.)
  • A similar ransomware attempt was made April 5 in Vernon Township (Clinton County). That cyberattack did not result in the payment of any ransom because the township’s data was backed up.
  • In Peru Township (Morrow County), the township fiscal officer’s computer began screeching on March 9 before a notice appeared on the screen advising that a solution was available by calling an 800 number. The township paid $200 to stop the attack.

In separate, non-ransomware incidents,  an employee at Big Walnut Local School District in Delaware County was tricked into issuing a check for $38,520 to a hacker. The money was recovered before it was lost. The Madison County Agricultural Society wasn’t as lucky; it was scammed out of $60,491 through someone posing as the IRS, collecting back taxes.

“We’ve all seen and heard about the criminals who try to steal our personal funds. These scammers would like nothing more than to get their sticky fingers on our tax dollars, too,” Yost said. “We need to be vigilant because they are becoming increasingly sophisticated in how they attempt to steal money through the internet.”

Yost is right.  Network security firm Infoblox reported last week that hackers were falling over each other to set up websites related to ransomware scams.  The firm tracks domain registrations as a way of monitoring the Internet for threats, and it says it found a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015.

“There is an old adage that success begets success, and it seems to apply to malware as in any other corner of life.
In the first quarter of 2016, there were numerous stories in the news about successful ransomware attacks on both
companies and consumers,” the firm said.  “We believe the larger cybercriminal community has taken notice.”

According to the FBI, ransomware victims reported costs of $209 million in the first quarter, compared to $24 million for all of 2015.

“Unless and until companies figure out how to guard against ransomware – and certainly not reward the attack – we expect it to continue its successful run,” Infoblox said.

Yost said all the crimes began with some variation of phishing, and urged all government employees to be on alert.

“The internet is the tool of choice for criminals, and we need to make it as difficult as possible for thieves to access community treasure chests,” Yost said.

The best way to do that, as Vernon Township showed above, is to keep good backups.

Third-party risks, and why tone at the top matters so much

Larry Ponemon

Larry Ponemon

Tone at the Top and Third Party Risk was sponsored by Shared Assessments and conducted by Ponemon Institute to understand the relationship between tone at the top and the minimization of third party risks. We surveyed 617 individuals who have a role in the risk management process in their organizations and are familiar with the governance practices related to third party risks.

A key takeaway from the research is that accountability for managing third party risk is dispersed throughout the organization. Not having one person or function with ownership of the risk is a serious barrier to achieving an effective third party risk management program.

In the context of this study, tone at the top is a term used to describe an organization’s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values. As a result, such risks as insider negligence and third party risk are minimized.

Participants in this research agree with this assessment. We asked respondents to rate the importance of tone at the top based on a scale of 1 = not important to 10 = very important. The very important responses (7+) are shown in Figure 1. As shown, 83 percent of respondents believe a positive tone is very important to minimizing business risks within their organization and 78 percent of respondents say it is very important to reducing risks in third party (supply chain) relationships.

A positive tone at the top is thought to provide the following benefits, according to respondents:

  • Reduces the risks of working with third parties that are not trustworthy (71 percent of respondents);
  • Incorporates such values as integrity, ethics and trustworthiness in relationships with third parties (66 percent of respondents); and
  • Increases employee and third party awareness of the importance of security, data protection and business resiliency (43 percent of respondents).

The following are key takeaways from the research:


  • Third party risk is considered serious and is increasing. Seventy-five percent of respondents agree that third party risk is serious. Further, 70 percent of respondents say the third party risk in their organization is significantly increasing (21 percent of respondents), increasing (20 percent of respondents) or is staying the same (29 percent of respondents).
  • Third party risk is increasing because of a changing threat landscape. Disruptive technologies such as the Internet of Things (IoT) and migration to the Cloud are expected to increase third party risk. Sixty percent of respondents believe IoT increases third party risk significantly (35 percent + 25 percent), and 68 percent of respondents believe migration to the Cloud will increase risk (36 percent + 32 percent).
  • Cyber attacks and the IoT are expected to have the most significant impact on an organization’s third party risk profile. Seventy-eight percent of respondents say cyber attacks will have a significant impact on the risk profile and 76 percent of respondents say the IoT will have a significant impact. Cloud computing, mobility and mobile devices and big data analytics will have a significant impact, according to 71 percent, 67 percent and 51 percent of respondents, respectively.
  • Despite the seriousness of third party risk, it is not a primary risk management objective. The top two risk management objectives are to minimize downtime (56 percent of respondents) and minimize business disruptions (37 percent of respondents). As discussed above, cyber attacks are expected to have a significant impact on the risk of third party relationships. However, only 27 percent of respondents say a top objective is to prevent cyber attacks. Further, only 8 percent of respondents say improvement of their organization’s relationship with business partners is a top risk management objective for their organizations.
  • The consequences of not managing third party risk can be costly. In the past 12 months, organizations represented in this research spent an average of approximately $10 million to respond to a security incident as a result of negligent or malicious third parties.
  • Third party risk management programs are mostly informal and not effective. As discussed previously, reducing third party risk is considered serious but very few respondents say improvement in third party relationships is a top risk management objective. Thus, the incentive among the various business functions to create a comprehensive program for risk management is low. Only 29 percent of respondents say their organizations have a formal program.
  • The lack of formal programs affects the ability to mitigate third party risk. Respondents were asked to rate the effectiveness of their organizations in mitigating or curtailing third party risk from 1 = not effective to 10 = very effective. Only 21 percent of respondents say their organization’s effectiveness in mitigating or curtailing third party risk is considered highly effective (7+ on the scale of 1 to 10).
  • No one function owns the third party risk management program in organizations represented in this study. Accountability for the third party risk management program is dispersed throughout the organization. Twenty-three percent of respondents say the compliance department is most responsible for managing third party risk and 17 percent of respondents say it is the information security function. Only 9 percent of respondents say risk management has ownership of the risk.
  • Most C-level executives are not engaged in their organization’s third party risk management process. Only 37 percent of respondents agree that the C-level executives in their organization believe they are ultimately accountable for the effectiveness of third party risk management. As a possible consequence of this lack of engagement, 50 percent of respondents do not believe the risk management process is aligned with business goals, which are most likely determined by senior management.
  • Boards of directors are not actively engaged in risk management activities. Similar to the perceived lack of accountability on the part of C-suite executives, only 40 percent of respondents say their boards of directors are significantly involved (17 percent) or have at least some involvement in overseeing risk management activities (23 percent).
  • If boards of directors are engaged, it is mostly to conduct reviews. Fifty-two percent of respondents say the board mainly reviews management’s analysis of the effectiveness of a risk assessment and 42 percent of respondents say the board reviews and approves plans to address any risk management or control weakness. Only 25 percent of respondents say they are actively working with management to establish the vision, risk appetite and overall strategic direction for third party relationships.

To read the full research, visit

The day my bank, yet again, blocked me from my money for ‘security’ — and why two-factor tools aren’t ready for prime time

Bob Sullivan

Bob Sullivan

How can a bank – or any organization — become less secure in its attempts to become more secure?  Let me tell you how.

Security must do two things: Protect and enable.  If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it, creating all sorts of exception conditions as they do. And that is the path to perdition (and hacking).

Security often fails because people who design security are much better at throwing up roadblocks than they are creating pathways.  Both are equally important if a security scheme is to work.

This month brought yet another story chronicling theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-passwords security” at places that really matter.

But I’m about to turn off two-factor authentication at my bank, right at the moment when everyone seems hell bent to turn it on. Why?  Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.

I’ve run into classic 21st Century Red Tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme.  I often don’t like single-anecdote stories, but occasionally they illuminate larger problems so perfectly they are worth telling. So here goes.

A quick review:  Two-factor authentication adds a strong layer of security to a service by requiring two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know.  Online banks and websites are slowly but surely nudging everyone towards various forms of two-factor authentication, because it really does make life harder for hackers.

Most of these two-factor forms involve use of smartphones, as they have become nearly ubiquitous. Log on to a website at a PC, confirm a code sent to your phone.  Something you have (the phone) and something you know (the password). Simple, but elegant, and far harder for bad guys to crack.

And it’s great, when it works. But what about when it doesn’t work?

Here’s a simple problem. Consumers get new phones all the time. If the code is tied to the physical handset, the code doesn’t work any longer. What then?

Turns out this can be a really vexing problem. (Readers of this column know why I had to get a new smartphone recently)

I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason:  It really does take good care of members.

At least it did, until it tried to implement two-factor security. I try not to be hypocritical, and follow my own advice, so I turned on USAA’s flavor of two-factor pretty early on. It’s a solid design: A Symantec app loaded onto your smartphone offers a temporary token — a 6-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log into the website. You can see all the layers of protection that creates.

Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website — a larger hassle if your phone battery is dead. But that’s a fair price to pay for security.

However, the hassle becomes immense when it becomes time to change handsets.   So immense that as I type this, I cannot access my bank…and have no idea when I will be able to do so.(UPDATE: I was able to fix my login woes 24 hours later.) And that’s happened twice to me in the past year. Why? Chiefly because USAA is not set up to deal with the problem of new handsets.

To review: When I tried to access the website it demanded a token from my phone — a token that was no longer valid because I had a new phone.  When I tried to use the phone’s app to access my accounts, USAA asked for a password because it didn’t recognize the phone.  I didn’t have a password, I had a token — an invalid token.  You get the picture.

All that is a predictable technology hiccup that’s not the end of the world.  The real problem came next.

A call to customer service seemed to be my last available option, but that was dismal, too.  At various times I wasn’t been able to get through to customer service phone lines. What’s much worse, however, is what happened when I did get through.

People change phones roughly every two years, so this new handset problem must come up often enough.  Yet it’s obvious to me USAA operators are not ready to handle the problem when consumers call.  Each time I have reached an operator, I had to spend a lot of time explaining the problem — and remember, I do this for a living.  The first successful call today, the operator merely changed my mobile application login settings after putting me on hold for minutes.  When I protested that, she said she had to transfer me to a special department, and then the phone went dead.

After a second call and wait, the operator was sympathetic, but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number.  It took a while before I could convince her that “new phone” meant “new handset” not “new number,” a mistake I will correct in future calls. We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account.  But after another long hold, and transfers to two other operators, I was told that, sadly, they were having trouble issuing temporary passwords and asked if I could call back in an hour or so.

I’ve left out many steps in this saga.  At each stage, of course, I was subject to strict authentication questions. That’s fine — I was asking for a new password, after all.  But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “no.”  So I will have to once, again, convince a primary operator who I am, and that I am having token problems and that I need a temporary password.  There is obviously no “token problem” script, ready for my problem.

My experience last time was similar, so I know I am not just the victim of bad luck.

The last time this happened, I was sure to give the operator who finally liberated my account some specific feedback — there needs to be a tidy process for dealing with people who get new handsets.    Obviously, that hasn’t occurred. And so, the first thing I will do when I can access my account is disable the token. (I’ll use another form of two-factor). While I am afraid of hackers, I’m more afraid of not be able to access my money because my bank has poorly implement a security solution.

When I called USAA as a reporter to discuss my experience, the firm owned up to the challenges of implementing two-factor security.

“You’ve encountered an experience we are aware of,” said Mike Slaugh, Executive Director, Financial Crimes Prevention, at USAA. “What we’re working on here is a way to make that experience better. … Multi-factor authentication for us at USAA and the industry in general, it’s important.  (Making this experience better) is top of mind for us as we work to help members protect  themselves.”

USAA is hardly the only firm having trouble dealing with two-factor issues.  Independent security analyst Harri Hursti told me about the foibles consumers face when dealing with two-factor authentication that relies on text messages.

“The moment you start traveling, all bets are off. Text messages over roaming are far from reliable – they either are never delivered, or they experience regular delivery delays over 10-15 minutes, which are the most typical time-out limits on the websites,” he said. Hursti, who was in Portugal when I interviewed him, said he was late paying an electricity bill this month because of two-factor pain points.  “Basically, in order to do banking when travelling internationally, you need to start that by turning all security off. And yet you are knowingly getting into increased security risk environment.”

Gartner security analyst Avivah Litan says these kinds of implementation and customer service issues not only threaten adoption of two-factor security, they actually create more pathways for hackers.

“Two factor, in this case, actually weakens security – rather than strengthens it,” she said. “I always tell our clients that their security is only as strong as its weakest link and surely, when they disable two factor authentication on the account, they likely ask the account holder to verify their identity by answering those easily compromised challenge questions, which any criminal who can buy data on the dark web has access to.  Therefore this is an easy way for criminals to get access to your account.  So not does two factor authentication without proper supporting processes serve to annoy and greatly inconvenience good legitimate customers, it also does little to keep the bad guys out for this and other reasons.”

As Litan is fond of saying, there’s a fallacy that “harder is better” in security.  It “doesn’t keep bad guys out, but it annoys good guys.”

Perhaps this problem isn’t *that* common yet, as uptake on two-factor is still relatively small (USAA acknowledged that, and it’s common across the industry). Don’t worry: With each password hack, more and more people will turn on two-factor.  If companies blow the implementation, consumers will just as quickly turn it off again.  And we might lose them for several years.

Protect and enable, or we’re all at greater risk.