A new report by Threat Stack and ESG (Enterprise Strategy Group) raises major security concerns about the rapid growth of public cloud environments and containers. It finds a notable gap in security and compliance readiness across these fast-expanding cloud and container environments.
Among the report's key findings:
- 60 percent of organizations regard security and compliance as a hindrance to winning new business.
- 57 percent of those surveyed reported significant delays in the sales cycle, blaming the difficulty of meeting customer security requirements.
- 31 percent said they were unable to keep up with the growth of their cloud and container environments, and 62 percent said they are aiming for greater visibility into their public cloud workloads.
- 40 percent of respondents said they will be running hybrid environments within the next 12 months, up from the current 12 percent. Meanwhile, 45 percent of organizations plan to start testing or deploying containerized environments, compared with the 42 percent who already do.
- 94 percent of respondents believe containers have negative security implications for their organizations.
As the market democratizes, companies are adopting more complex technical solutions that were previously reserved for software giants.
Experts believe this has opened the door to external as well as internal threats while security teams catch up on cloud, containers and related technologies.
Sam Bisbee, Threat Stack CSO, says: “Containers originally focused on resource isolation, offering system building blocks to address specific operational needs that could be coupled with security solutions – they were not supposed to be a replacement for VMs, which is how most teams treat them.”
To curb rising cyber fraud in digital transactions, a high-level meeting has proposed imposing a token ‘security fee’ on digital payments in India.
The meeting, focused on measures to make digital transactions safer, was held on 13 September. Chaired by Home Minister Rajnath Singh, it brought together all the major stakeholders: officers from MeitY, the Home Ministry, the Department of Financial Services, the Department of Telecom, the Reserve Bank of India and the Intelligence Bureau.
Prasanto K. Roy, head of Nasscom's Internet Council, said that a levy on every digital transaction could go towards starting a fund for building better infrastructure to secure digital transactions.
“A special fund could help develop security infrastructure, hire experts and secure online transactions, though a cess on digital transactions isn’t the best way of doing it,” he told ThePrint. He added that the Ministry of Finance and the Ministry of Electronics and Information Technology (MeitY) needed to make digital transactions both cheaper and more secure.
An official from the Ministry said on condition of anonymity: “It was also discussed that an Act needs to be in place for regularizing digital payments, which will be looked after by the Finance Ministry, and how to fix the responsibilities of agencies.”
The move follows official figures showing that cases involving e-wallets and e-payments reported to banks rose from 13,083 in 2014-15 to 16,468 in 2015-16.
Most online frauds occur when people share their passwords, 3-D Secure PINs, ATM PINs and the like, hence the need to educate users. “A standard procedure for all e-wallets needs to be in place as right now anyone can make a wallet just by downloading the app. The KYC norms need to be strengthened for safer transactions,” the Home Ministry official said.
The Ministry further recommended a digital-transaction education campaign and the creation of a dedicated cyber-forensics lab, along with training for police personnel and forensic officers so that they can handle cyber fraud cases.
“As of now we do not have the manpower or expertise to deal with cyber fraud cases, which is going to be challenging… we need to be prepared,” the Home Ministry official said.
The Intelligence Bureau proposed that the Government ensure the introduction of software able to detect attempted cyber fraud. Payment gateways would incorporate it so that customers can be alerted to suspicious activity.
“There needs to be a machinery to detect out-of-bound transactions and the pattern of violations in cyber fraud cases. The machinery should be able to figure if the transaction is fraudulent by looking at its pattern and send alerts,” Nasscom’s Roy told ThePrint.
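The "machinery to detect out-of-bound transactions" Roy describes is, at its simplest, a handful of rules scored against an account's own history. The Python below is an added example written for this page, not code from any payment gateway, ministry or from Nasscom. It flags a payment whose amount sits far outside the account's baseline, a burst of payments inside a short window, and a device fingerprint the account has never used. Account names, timestamps, amounts, device identifiers and the thresholds are all constructed.

```python
"""Rule-based detection of out-of-pattern payment transactions (added example).

Each incoming transaction is scored against the account's history with three
checks a gateway would typically run: amount outlier, burst velocity, new device.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    """One payment event. Field names are this example's own, not a real gateway schema."""
    account: str
    ts: int          # Unix seconds
    amount: float
    device: str      # hypothetical device fingerprint reported by the wallet app


# Constructed baseline: five routine payments on one account, one per day.
HISTORY = [
    Txn("acct-1", 1_600_000_000, 450.0, "dev-A"),
    Txn("acct-1", 1_600_086_400, 520.0, "dev-A"),
    Txn("acct-1", 1_600_172_800, 480.0, "dev-A"),
    Txn("acct-1", 1_600_259_200, 510.0, "dev-A"),
    Txn("acct-1", 1_600_345_600, 470.0, "dev-A"),
]


def score_transaction(history, txn, *, z_limit=3.0, burst_window=300, burst_count=3):
    """Return the names of the rules `txn` trips against `history`; [] means clean.

    history: earlier transactions (any accounts), oldest first.
    z_limit: standard deviations above the account mean that count as an outlier.
    burst_window / burst_count: burst_count or more payments inside the window is a burst.
    """
    same_acct = [h for h in history if h.account == txn.account]
    reasons = []

    # Rule 1: amount far above the account's usual spend (z-score, needs >= 3 samples).
    amounts = [h.amount for h in same_acct]
    if len(amounts) >= 3:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (txn.amount - mu) / sigma > z_limit:
            reasons.append("amount_outlier")
        elif sigma == 0 and txn.amount > 3 * mu:   # flat history: fall back to a ratio
            reasons.append("amount_outlier")

    # Rule 2: velocity, too many payments in a short window (this one included).
    recent = [h for h in same_acct if txn.ts - burst_window <= h.ts <= txn.ts]
    if len(recent) + 1 >= burst_count:
        reasons.append("burst_velocity")

    # Rule 3: a device fingerprint never seen on this account before.
    if same_acct and txn.device not in {h.device for h in same_acct}:
        reasons.append("new_device")

    return reasons


def scan(history, incoming):
    """Score a stream in order, folding each transaction into the baseline afterwards.

    Returns [(txn, reasons)] for the transactions that tripped at least one rule.
    """
    seen = list(history)
    flagged = []
    for txn in incoming:
        reasons = score_transaction(seen, txn)
        if reasons:
            flagged.append((txn, reasons))
        seen.append(txn)
    return flagged


# Constructed stream: two routine payments, then a burst ending in a large payment
# from a device the account has never used.
INCOMING = [
    Txn("acct-1", 1_600_432_000, 495.0, "dev-A"),
    Txn("acct-1", 1_600_432_060, 490.0, "dev-A"),
    Txn("acct-1", 1_600_432_120, 499.0, "dev-A"),
    Txn("acct-1", 1_600_432_180, 4900.0, "dev-Z"),
]

if __name__ == "__main__":
    for txn, reasons in scan(HISTORY, INCOMING):
        print(f"ALERT {txn.account} ts={txn.ts} amount={txn.amount:.2f}: {', '.join(reasons)}")
```

The velocity rule only fires on the third payment in five minutes, and the final payment trips all three rules at once; in practice each rule would carry a weight and only the combined score would page a human, since any single rule on its own produces too many false positives.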
Organizations face many threats to their information systems and data. Understanding all the basic elements to cyber security is the first step to meeting those threats.
Cyber security is the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents like hard drive failures or power outages, and from attacks by adversaries. The latter include everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cyber security as application and network security.
Security should be top of mind across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cyber security controls. Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all.
The human is always the weakest element in any cyber security program. Training developers to code securely, training operations staff to prioritize a strong security posture, training end users to spot phishing emails and social engineering attacks: cyber security begins with awareness.
All companies will experience some kind of cyber attack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cyber security care, such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible.
A good cyber security strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defenses, and the attack surface (the number of ways, or “vectors”, by which an attacker can gain entry to a system) is expanding for most companies. For example, the information and physical worlds are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important.
Further complicating cyber security is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organizations meet the privacy and security mandates of the GDPR and other regulations.
As a result, growing demand for cyber security professionals has hiring managers struggling to fill positions with qualified candidates. That struggle forces organizations to focus sharply on the areas of greatest risk.
Types of cyber security
The scope of cyber security is broad. The core areas are described below, and any good cyber security strategy should take them all into account.
Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks. Organizations responsible for critical infrastructure must perform due diligence to understand their vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them, and then develop a contingency plan.
Network security guards against unauthorized intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but they slow productivity.
Tools used to monitor network security generate a lot of data, so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time.
The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: moving to the cloud is not a panacea for performing due diligence when it comes to cyber security.
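One common form of the poorly configured cloud instance is object storage that anyone on the internet can read. As an added example, not from the article, the Python below audits an S3-style bucket policy document for exactly that: an Allow statement granting s3:GetObject (or s3:*) to the anonymous principal. Both policy documents are constructed; the bucket name, account ID and role name are placeholders, and the weak policy is shown beside its corrected form.

```python
"""Audit an S3-style bucket policy for anonymous read access (added example)."""
import json

# Constructed: the weak setting, every object readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: the corrected policy, read access scoped to one role in one account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Actions that let the grantee read object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the wildcard principal written as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_read(policy_json):
    """Return a label for each Allow statement that grants anonymous object read.

    The label is the statement Sid (or its index) plus " (conditional)" when the
    grant carries a Condition block, which needs a human to judge whether it is
    actually restrictive.  NotPrincipal / NotAction forms are not handled here.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        if "Condition" in stmt:
            label += " (conditional)"
        findings.append(label)
    return findings


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, "->", find_public_read(doc) or "no anonymous read grants")
```

The check is deliberately conservative: a conditional grant is reported rather than silently accepted, because a Condition on, say, a broad source-IP range is still public for practical purposes. Run it against every bucket policy in an account export and treat any finding as a breach-in-waiting until someone has justified it.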
Application security (AppSec), especially web application security, has become the weakest technical point of attack, yet few organizations adequately mitigate all of the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices and should be augmented by fuzzing and penetration testing.
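The OWASP Top Ten leads with injection, and the quickest way to see why it persists is to run a vulnerable query beside its fixed form. The Python below is an added example, not code from the article, using the standard library's sqlite3 module against a constructed users table: the first lookup splices attacker text into the SQL, the second binds it as a parameter, and both are fed the same two constructed payloads.

```python
"""Injection (OWASP Top Ten) shown against an in-memory SQLite database (added example)."""
import sqlite3


def make_db():
    """Constructed users table; is_admin is a column the lookup never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted text becomes part of the SQL statement."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised: the driver sends the value separately, so it is only ever data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed attacker inputs.
BYPASS_PAYLOAD = "' OR '1'='1"                 # ends the literal, makes the WHERE always true
UNION_PAYLOAD = "' UNION SELECT username, is_admin FROM users WHERE '1'='1"  # pulls a hidden column

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", lookup_user_vulnerable(db, BYPASS_PAYLOAD))
    print("vulnerable, union: ", lookup_user_vulnerable(db, UNION_PAYLOAD))
    print("safe, bypass:      ", lookup_user_safe(db, BYPASS_PAYLOAD))
    print("safe, legit:       ", lookup_user_safe(db, "bob"))
```

Against the vulnerable function the first payload returns every user and the second returns the is_admin flag the endpoint never selected; against the parameterised function both payloads match nothing, because a quote inside a bound parameter cannot terminate the string literal. Parameterisation is the fix; input filtering is not, since the attacker controls the encoding.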
Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritize business needs over security, a focus that will likely change given the proliferation of threats.
Internet of things (IoT) security
IoT refers to a wide variety of critical and non-critical cyber-physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats not only to their users but also to others on the internet, as these devices often end up as part of a botnet. This poses unique security challenges for both home users and society.
Types of cyber security threats
Common cyber threats fall under three general categories:
Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.
Attacks on integrity: Also known by the common name sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle (a typo here, a bit fiddled there) or a slash-and-burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.
Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target’s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable.
The following describes the means by which these attacks are carried out.
Attackers aren’t going to hack a computer if they can hack a human instead. Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end user is tricked into running a Trojan horse program, often from a website they trust and visit often. Ongoing user education is the best countermeasure against this attack.
Sometimes the best way to steal someone’s password is to trick them into revealing it. This accounts for the spectacular success of phishing. Even smart users, well trained in security, can fall for a phishing attack. That’s why the best defense is two-factor authentication (2FA): a stolen password is worthless to an attacker without a second factor, such as a hardware security token or a soft-token authenticator app on the user’s phone.
It’s hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability and your enterprise has not applied the security patch, you open yourself to accusations of negligence. Patch, patch, patch.
Social media threats
Catfishing isn’t just for the dating scene. Believable sock-puppet accounts can worm their way through your LinkedIn network. If someone who knows 100 of your professional contacts strikes up a conversation about your work, are you going to think it strange? Loose lips sink ships. Expect social media espionage, of both the industrial and nation-state variety.
Advanced persistent threats
Speaking of nation-state adversaries, your enterprise has them. Don’t be surprised if multiple APTs are playing hide-and-go-seek on your corporate network. If you’re doing anything remotely interesting to someone, anywhere, you need to consider your security posture against sophisticated APTs. Nowhere is this more true than in the technology space, an industry rich with valuable intellectual property that many criminals and nations will not scruple to steal.
Executing a strong cyber security strategy requires having the right people in place. The demand for cyber security professionals has never been higher, from the C-suite down to the security engineers working on the front lines. Security leaders have elbowed their way into the C-suite and boardrooms as protecting company data becomes mission critical for organizations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organization must have.
Roles have also grown more specialized. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7. The following roles are the foundation of any security team.
The CISO is a C-level management executive who oversees the operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organization’s information assets.
Also referred to as cyber security analyst, data security analyst, information systems security analyst, or IT security analyst, this role typically has these responsibilities:
- Plan, implement and upgrade security measures and controls
- Protect digital files and information systems against unauthorized access, modification or destruction
- Maintain data and monitor security access
- Conduct internal and external security audits
- Manage network, intrusion detection and prevention systems
- Analyze security breaches to determine their root cause
- Define, implement and maintain corporate security policies
- Coordinate security plans with outside vendors
A good information security architect straddles the business and technical worlds. While the details vary by industry, the role is that of a senior-level employee responsible for planning, analyzing, designing, configuring, testing, implementing, maintaining, and supporting an organization’s computer and network security infrastructure. This requires knowing the business, with a comprehensive awareness of its technology and information needs.
The security engineer is on the front line of protecting a company’s assets from threats. The job requires strong technical, organizational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.
If you’re a small business, there is absolutely no reason to neglect cyber security. Not spending on security and relying on outdated software to protect your data are equally bad ideas.
Here are a few steps you should take to prevent damage to your business’s reputation:
Backups: Attackers never miss an opportunity to take your data “hostage” and demand a ransom before releasing it. Small organizations must therefore back up their data to the cloud or a hybrid data centre, and keep at least one copy out of reach of the production network, since a backup the attacker can reach will be encrypted along with everything else.
Update IT systems: With malicious attacks wreaking ever more havoc, organizations must protect their business data at all costs. A top-to-bottom evaluation with an emphasis on vulnerabilities is important. Key assets such as property information and confidential personal data must be guarded.
Cyber security education: In any data-security effort, any individual can become a “weak link”, intentionally or not. Sometimes an employee nursing a grudge against the organization will compromise security. To avoid such incidents, smaller organizations should undertake a rigorous cyber security education program.
Proper planning: The data-security education program should include procedures teaching employees how to react in the event of unauthorized intrusions, for example phishing or malware attempts. A detailed incident response plan that routes reports to helpdesks or IT teams can have a significant impact.
Mobile device security: Employees in small organizations often use their mobile devices for work and work-related communication. The thought of data passing through unsecured channels is nightmarish enough for organizations to establish policies such as: (i) categorizing and restricting the types of information that can be shared or accessed through these devices, (ii) enforcing network access control so that employees can access your business’s VPN and email in a reliable manner, and (iii) determining whether mobile devices provided by the business can be taken off-site.