So you think your organization is secure . . . think again! The IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16-domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.
How Can a Company Guarantee a Successful, Strategic Identity and Access Management Program?
The Gartner Identity and Access Management Summit is right around the corner and leaders from all over the world will be coming to try to get this question answered. Here are a few ideas from our ten years in the industry.
Strategic Identity and Access Management (“IAM”) projects can be difficult, and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities is the key to a truly secure enterprise.
The industry has seen way too many train wrecks with IAM. To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan. Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports. But with a short-term (and maybe short-sighted) plan, a company can just as easily limit its ability to solve more complex problems.
Today I had the opportunity to be a guest on over a dozen Fox News Radio affiliates around the country to discuss the topic of the “password pill.”
These tiny, ingestible “smart pills” may be making their way to a pharmacy near you as early as next year. These traveling sensors are in the form of pills which are swallowed and then powered on by stomach acid. They transmit low frequency signals to a wearable patch and then a smart phone app. The pill passes through the body in about 24 hours and can then be recycled! Eeww! Several companies are making these in various forms including a consumer version that would send information to your cell phone.
The technology is already FDA approved. In fact, astronauts have been using these for years to help monitor vital health indicators. We can expect the technology to be mainstream for consumers by next year.
For medical applications, this would enable sending real-time data about health conditions and effectiveness of medications directly to your doctor.
For password or authentication applications, the “password pill” can act as a form of strong authentication where YOU become the password. This provides stronger security than something you know or something you have (which can be stolen or misplaced).
A little background:
Now that you’ve been in the CIO’s position for your first quarter, it is time to prepare for your first review with the board of directors. The agenda for the IS presentation will cover key factors that you discovered in your operations, your accomplishments and your plans for the next year. Since this is the quarter for your next year’s budget, it should contain the funding needed to accomplish the IS plan.
One of the key factors in the review of your operations was discovering the lack of security focus and the non-compliance issues that left the operations vulnerable to unwanted intrusion into your network. Listed in your accomplishments is the Security Assessment study and recommendations provided by PathMaker Group when you engaged them for a study of your IS environment. One of their recommendations was to deploy IBM’s Security products for managing Identity and Application Access in your enterprise network. This is an important undertaking, as your company will replace the outdated security monitoring with IBM’s Showcase Solution to keep unwanted intruders out while making it easier for authorized users to access their applications. As a result of PathMaker Group’s findings and recommendations, you asked them to submit a proposal for the corrective solution using IBM Security Products and PMG Professional Services to deploy them in your IS network.
This section of your review was very well received by the board of directors and they gave you the approval to get started.
Team GhostShell has released the data acquired through more successful attacks against a wide variety of websites. Victims include the Credit Union National Association (CUNA) and several other companies and government organizations. Initial estimates put the total number of leaked CUNA website usernames and MD5 hashed passwords at around 46,500. Many of the hashed passwords have already been cracked and were included in the release. The data released also included full names and physical addresses as well as individual names tied to phone numbers.
This attack was just the latest example of what can occur when your website has not been tested thoroughly and regularly for SQL injection (SQLi) and other vulnerabilities. SQLi occurs when user-supplied input is spliced directly into the text of a database query, so that an attacker who finds such an input can pass commands of their own to the backend database. When an attack is successful the effect can be a devastating disclosure of personal information. This type of attack has been documented time and time again and remains one of the top vulnerabilities listed in the OWASP Top Ten (https://www.owasp.org/). Any company that maintains sensitive information on individuals should regularly have trusted third party security firms review the current security status of their websites through penetration tests.
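The following is an added illustration, not code from the original post or from any site mentioned in it. It builds a constructed in-memory SQLite user table, shows a login check that splices input into the query text (and so can be bypassed and used to dump every stored password), and the same check written as a parameterized query, which treats the attacker's input as plain data. Table and column names are assumptions for the demo.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a website's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is concatenated into the SQL text, so quotes and keywords supplied
    # by the attacker become part of the query the database executes.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def dump_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Same flaw on a lookup endpoint: a UNION lets the attacker pull any column
    # of any table into the result, which is how bulk credential leaks happen.
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver sends the values separately from the SQL
    # text, so they can never be interpreted as SQL, whatever they contain.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def dump_safe(conn: sqlite3.Connection, username: str) -> list:
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,)).fetchall()]


# Classic payloads: the first turns the WHERE clause into "... OR '1'='1'",
# the second appends a UNION that selects the password column; "--" comments
# out the rest of the original query.
BYPASS = "' OR '1'='1"
DUMP = "' UNION SELECT password FROM users --"


def demo() -> dict:
    conn = setup_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, "nobody", BYPASS),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "injected_safe": login_safe(conn, "nobody", BYPASS),
        "dumped_vulnerable": sorted(dump_vulnerable(conn, DUMP)),
        "dumped_safe": dump_safe(conn, DUMP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same UNION technique is what lets an attacker walk out with a whole users table, hashed passwords included, exactly the kind of data released in this case; a penetration test of a web application will try payloads like these against every parameter the site accepts.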
Best practices recommend that a penetration test be conducted at least annually, and after any significant change, to ensure the security of your website has not been compromised by changes made since the last test. Many of today’s websites utilize content management systems (CMS) such as WordPress, Drupal and Joomla. The CMS platforms themselves are regularly tested by both users and developers to ensure their security. However, many vulnerabilities found on websites today actually stem from plugins or software add-ons installed on the CMS platform by the end user. Unfortunately, not all plug-ins are properly tested for security by their developers. We at PathMaker Group have found that even after being notified of a security vulnerability, many customers will not implement a fix for some time, leaving their website vulnerable to attack.
Another issue that stands out from this latest attack is the ability for users to set weak, dictionary-based passwords on their accounts. Many of the cracked passwords were comprised of a single lower case word found in any standard English dictionary. This is not a recommended security best practice configuration. User account passwords must be administratively required by the system to be strong in nature. For example, a reasonably strong password should contain at least 12 characters comprised of UPPERcase, lowercase, numb3rs, and $pecial characters, and should not be a dictionary word dressed up with a few digits. Storing passwords as plain MD5 hashes, as the leaked data indicates this site did, makes such cracking trivial: MD5 is fast and, without a per-user salt, one dictionary lookup table breaks every account at once. Passwords should be stored with a salted, deliberately slow password hash. By allowing your users to store weak passwords, you may be allowing attackers authenticated access to your systems. This can lead to a PR nightmare for both you and your clients.
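As an added example (not code from the original post), the block below uses a constructed wordlist and a constructed set of leaked records in the unsalted-MD5 format described above. It shows how quickly such hashes fall to a dictionary lookup, a policy check that rejects short, single-class and dictionary-based passwords, and salted PBKDF2 storage with constant-time verification, which is the storage practice the paragraph calls for. The usernames, words and iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a standard English dictionary.
WORDLIST = ["password", "welcome", "credit", "union", "summer", "dragon"]

# Constructed "leaked" records: username -> unsalted MD5 of the password.
LEAKED = {
    "alice": hashlib.md5(b"welcome").hexdigest(),
    "bob": hashlib.md5(b"dragon").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3!Long").hexdigest(),
}

SALT_LEN = 16
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def crack_md5(leaked: dict, wordlist: list) -> dict:
    """Hash the dictionary once, then look every leaked hash up in it.

    With no salt, the cost is one MD5 per word regardless of how many
    accounts were leaked, which is why dictionary passwords fall instantly.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def is_strong(password: str, wordlist: list) -> bool:
    """Policy from the post: 12+ chars, four character classes, not a dictionary word."""
    if len(password) < 12:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in classes):
        return False
    # Strip digits and symbols so "Welcome1234!" is recognised as "welcome".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    return letters_only not in wordlist


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted, slow hash. Returns salt || digest so the salt travels with the record."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED, WORDLIST))
    for pw in ("dragon", "Welcome1234!", "Tr0ub4dor&3!Long"):
        print(f"{pw!r} strong: {is_strong(pw, WORDLIST)}")
    record = hash_password("Tr0ub4dor&3!Long")
    print("verify ok:", verify_password("Tr0ub4dor&3!Long", record))
```

Two accounts in the constructed leak are recovered by a single pass over a six-word list; the third survives only because its password is not a dictionary word. With the salted PBKDF2 records, an attacker must repeat the full iteration count per guess per user, and an identical password in two accounts produces two different records.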
PathMaker Group can provide professional security testing of your current security controls including penetration testing of your websites. Talk to us about becoming your partner in defending your most valuable assets. Click the “Contact Us” button on the right to get in touch with a security expert who can assist with your annual security testing and provide guidance on securing your business from outsider attack.
We have not included a link to the data exposed by Team GhostShell due to the sensitivity of the included data and out of respect for those who have been affected.
CUNA has now confirmed the attack via press release: http://www.cuna.org/newsnow/12/system121012-8.html
Included is a statement from CUNA President/CEO Bill Cheney: “We do not believe any sensitive personal information from our web site was accessed, however, we are contacting all users of our website to advise them of the breach. Further, we will continue to analyze the information posted online by the (hackers) group, as well as continue to validate that no other risks exist. We will also continue to monitor our website and take increased security measures to ensure it is safeguarded.”