Archive for the ‘data governance’ Category

Guarding against supply chain attacks—Part 1: The big picture

October 16th, 2019 No comments

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain at which an adversary will try to insert vulnerabilities. These vulnerabilities can be introduced into the end product via physical access while a component is being transported or delivered, during pre-production access in a factory or manufacturing facility, via a technical insertion point, or by other means.

Software component attacks—In 2016, Chinese hackers purportedly attacked TeamViewer software, a potential virtual invitation to view and access information on the computers of millions of people all over the world who use this program.

People-perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant Wipro had three employees arrested in a suspected security breach of customer records belonging to the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also examples of vulnerable sources of infiltration. For example, Monster.com experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain emails and physical addresses, along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are some of the many examples of cybercrimes that reuse code stolen from legal hackers and deployed by criminals.

  • The Conficker botnet MS10-067 is over a decade old and is still found on millions of PCs every month.
  • The criminal group known as the Shadow Brokers used the EternalBlue code designed by the U.S. National Security Agency as part of their cybersecurity toolkit. When the code was leaked illegally and sold to North Korea, they used it to execute WannaCry in 2017, which spread to 150 countries and infected over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in infected networks that searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the technique to then deliver the exploit, to ensure that it operates as intended, and then to successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it—saving development and testing costs, as well as the costs that come from targeting known soft targets (e.g., avoiding known defenses that may detect it). We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no—or even maybe—then fix your vulnerabilities or at the very least make sure you have mitigation in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Guarding against supply chain attacks—Part 1: The big picture appeared first on Microsoft Security.

How to avoid getting caught in a “Groundhog Day” loop of security issues

October 8th, 2019 No comments

It’s Cyber Security Awareness Month and it made me think about one of my favorite movies, called Groundhog Day. Have you ever seen it? Bill Murray is the cynical weatherman, Phil Connors, who gets stuck in an endless loop where he repeats the same day over and over again until he “participates in his own rescue” by becoming a better person.

Sometimes it can feel like we’re caught in our own repetitious loops in cybersecurity—I even did a keynote at RSA APJ on this very topic a few years ago. The good news is that we can get out of the loop. By learning lessons from the past and bringing them forward and applying them to today’s technologies, outcomes can be changed—with “change” being the operative word.

If companies continue to do things the same way—in insecure ways—attackers will come along and BOOM you’re in trouble. You may resolve that breach, but that won’t help in the long run. Unless the source of the problem is determined and changed, just like Phil Connors, you’ll wake up one day and BOOM—you’re attacked again.

How security experts can help organizations protect against cybercrime

We can learn from past mistakes. And to prove it, I’d like to cite a heartening statistic. Ransomware encounters decreased by 60 percent between March 2017 and December 2018. While attackers don’t share the specifics about their choice of approach, when one approach isn’t working, they move to another. After all, it’s a business—in fact it’s a successful (and criminal) business—bringing in nearly $200 billion in profits each year.[1] We do know that ransomware has less of a chance of spreading on fully patched and well-segmented networks, and companies are less likely to pay ransoms when they have up-to-date, clean backups to restore from. In other words, it’s very likely that robust cybersecurity hygiene is an important contributor to the decrease in ransomware encounters. (See Lesson 1: Practice good cybersecurity hygiene below.)

The bad news, of course, is that attackers began to shift their efforts to crimes like cryptocurrency mining, which hijacks victims’ computing resources to make digital money for the attackers.[1] But that’s because cybercriminals are opportunists and they’re always searching for the weakest link.

One of the best ways to thwart cybercrime is to involve security experts before deploying new products and/or services. A decade ago, this wasn’t typically done in many organizations. But with the rise of security awareness as part of the overall corporate risk posture, we’re seeing security involved early on in deployments of modern architectures, container deployments, digital transformations, and DevOps.

When security experts connect the wisdom of the past—such as the importance of protecting data in transit with encryption—to the technology rollouts of today, they can help organizations anticipate what could go wrong. This helps you bake controls and processes into your products and services before deployment. The people who have already learned the lessons you need to know can help so you don’t wake up to the same problems every (well, almost) day. When security experts carry those lessons forward, they can help end your Groundhog Day.

In addition, involving security experts early on doesn’t have to slow things down. They can actually help speed things up and prevent backtracking later in the product development cycle to fix problems missed the first time around.

Security can help anticipate problems and produce solutions before they occur. When Wi-Fi networking was first being deployed in the late 1990s, communications were protected with Wired Equivalent Privacy (WEP). But WEP suffered from significant design problems, such as the initialization vector (IV) being part of the RC4 encryption key, that were already known issues in the cryptographic community. The result was a lot of WEP crackers and the rapid development of the stronger Wi-Fi Protected Access (WPA) set of protocols. If designers had worked with crypto experts, who had already designed solutions free of these known issues, time, money, and privacy could have been saved.
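The WEP design flaw named above, as an added toy illustration (not code from the original post): WEP builds each packet’s RC4 key by prepending a 24-bit cleartext IV to the shared key, so any two packets that carry the same IV are encrypted with the identical keystream, and with only 2^24 IVs a repeat is reached after a few thousand packets. The shared key, messages, and the assumption that IVs are drawn at random for the birthday-bound estimate are all constructed for the example.

```python
# Added illustration of the WEP per-packet key construction (IV || shared key).
# The shared key and messages below are constructed sample values.
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is IV || shared key.
    The IV is transmitted in the clear alongside the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits (3 bytes)")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets sharing an IV share a keystream, so c1 XOR c2 == p1 XOR p2:
    the shared key cancels out and the relationship between the plaintexts
    is exposed without any knowledge of the key."""
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats after
    `packets` packets, assuming IVs are drawn uniformly from 2**iv_bits values."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * space))


if __name__ == "__main__":
    key = b"constructed-key"
    print(keystream_reuse_leak(b"\x01\x02\x03", key, b"GET / HTTP/1.0", b"PUT / HTTP/1.0"))
    print(round(iv_collision_probability(5000), 3))
```

A busy access point sends thousands of packets per second, so the 50 percent collision mark computed here is reached in seconds; this is the kind of known issue a cryptographer on the design team would have flagged before deployment.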

Traditional technology thinks about “use” cases. Security thinks about “misuse” cases. Product people focus on the business and social benefits of a solution. Security people think about the risks and vulnerabilities by asking these questions:

  • What happens if the solutions are attacked or used improperly?
  • How is this product or workload going to behave in a non-perfect environment?
  • Where is your system vulnerable and what happens when it comes under attack?

Security also remembers lessons learned while creating threat models, to head off the common mistakes of the past.

Rita: I didn’t know you could play like that.

Phil: I’m versatile.

Groundhog Day (1993) starring Bill Murray as Phil and Andie MacDowell as Rita. Sony Pictures©

Example: Think about designing a car. Cars are cool because they can go fast—really fast. But if you had some security folks on the team, they’d be thinking about the fact that while going fast can be thrilling—you’re going to have to stop at some point.

Security people are the kind of thinkers who would probably suggest brakes. And they would make sure that those brakes worked in the rain, snow, and on ice just as well as they worked on dry pavement. Furthermore—because security is obsessed (in a good way) with safety—they would be the ones to plan for contingencies, like having a spare tire and jack in the car in case you get a flat tire.

Learning from and planning for known past issues, like the network equivalent of flat tires, is a very important part of secure cyber design. Machine learning can provide intelligence to help avoid repeats of major attacks. For example, machine learning is very useful in detecting and dismantling fileless malware that lives “off the land” like the recent Astaroth campaign.

Top practices inspired by lessons learned by helping organizations be more secure

Thinking about and modeling for the types of problems that have occurred in the past helps keep systems more secure in the future. For example, we take off our shoes in the airport because someone smuggled explosives onto a plane by hiding them in their footwear.

How DO you stop someone who wants to steal, manipulate, or damage the integrity of your data? What can you do to stop them from trying to monetize it and put your company and customers in jeopardy of losing their privacy? I’m glad you asked—here are four lessons that can help your organization be more secure:

Lesson 1: Practice good cybersecurity hygiene—It may not be shiny and new, but cybersecurity hygiene really matters. This is perhaps the most important lesson we can learn from the past—taking steps to ensure the basics are covered can go a very long way for security. That 60 percent decrease in ransomware encounters globally mentioned earlier is most likely due to better cybersecurity hygiene.

Lesson 2: Schedule regular backups—With regular backups (especially cold backups, held offline), you always have an uncompromised version of your data.

Lesson 3: Use licensed software—Licensed software decreases the likelihood that bugs, worms, and other bad things will infiltrate your infrastructure. Deploying the necessary patches that make systems less vulnerable to exploitation is part of keeping the integrity of your licensed software intact.

Lesson 4: Lean into humans “being human” while leveraging technological advances—For example, acknowledge that humans aren’t great at remembering strong passwords, especially when they change frequently. Rather than berating people for their very human brains, focus on developing solutions, such as password wallets and passwordless solutions, which acknowledge how hard strong passwords are to remember without sacrificing security.

Rita: Do you ever have déjà vu?

Phil: Didn’t you just ask me that?

Groundhog Day (1993) Sony Pictures©

Admittedly, we can’t promise there won’t be some share of Groundhog Day repeats. But the point is progress, not perfection. And we are making significant progress in our approach to cybersecurity and resilience. Above are just a couple of examples.

I’d love to hear more from you about examples you may have to share, too! Reach out to me on LinkedIn or Twitter, @DianaKelley14. Also, bookmark the Security blog to keep up with our expert coverage on security matters.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

[1] Cybercrime Profits Total Nearly $200 Billion Each Year, Study Reveals

The post How to avoid getting caught in a “Groundhog Day” loop of security issues appeared first on Microsoft Security.

Follow the latest privacy and online safety news

July 26th, 2011 No comments

The official Twitter account for the Microsoft Privacy team has relaunched at twitter.com/MSFTPrivacy.

@MSFTPrivacy was launched for us to engage in real time with our privacy community. We will use this channel to talk about privacy issues, while raising awareness of Microsoft’s approach to addressing concerns through our data governance policies.

Follow the Microsoft Privacy team.

The Microsoft Online Safety team also regularly tweets at twitter.com/safer_online. Here, the focus is on Internet safety for families, but we also include relevant privacy and security news.

Follow the Microsoft Online Safety team.