Posts

Five Ways to Evaluate your Cloud Security

In an earlier post, we spoke about how mobile and cloud hosting are transforming technology in today’s business arena. With more and more enterprises moving to the ‘cloud’, there is little doubt that the spotlight needs to be on using these solutions effectively and safely. BYOD adoption has made security concerns a priority item for many businesses, and rightly so. Cloud solutions are even slowly replacing conventional practices in other situations as well, such as business presentations, and this only highlights the need to pay special attention to your cloud security. Take a look at 5 ways in which you can do so:

1) Are the right services and information in the cloud?

Cloud solutions offer immense advantages and convenience, but they do not do so for every service and every data set you run. Moving the right services and information to the cloud lets you maximize the benefits of such solutions without compromising your security. In an Oracle report, Nelson, Senior Director of Cloud Security, explains how internal services that lack ‘resources, efficiency, rigor’ are ideal candidates for the cloud. He points out that these present low risk to the business while improving efficiency internally; the corollary is that your most sensitive systems and data deserve the hardest look before they move.

2) Are you sacrificing security for speed?

This is a common problem: many businesses trade off security to speed up deployment when they switch to the cloud. The actual cost of failing to put adequate security in place can be drastically high for your business. Verifying that the cloud solution has the security features you need should take precedence over deployment speed, and this should be one of the first steps in evaluating your cloud’s security.

3) Is your cloud really right for you?

A surprising number of business owners are unaware that clouds come in different kinds, each with its own set of features and specifications, and each designed for a different purpose. When you evaluate your cloud’s security you need to do so with your specific objective in mind. Only then can you determine whether it offers the kind of security demanded by the technology and information you will be moving there.

4) Do you have enough transparency from the cloud provider?

Moving critical data to the cloud leaves you highly exposed unless the cloud provider employs strong security and privacy controls. A critical part of evaluating your cloud security is to check whether your provider offers real transparency, allowing you to see what security measures are being employed, and to what degree, to keep your data and technology safe from unauthorized use. Independent audit reports and the provider’s own documentation of its controls are the evidence to ask for; a marketing statement that the platform is “secure” is not.

5) Are there incident management processes in place?

What happens when there is a security breach in the cloud? Your cloud provider should have a clear, effective incident management and damage control plan that can be put into action immediately to limit the data leak. Verifying that your provider has such a plan, that it is a viable one, and that it spells out how and how quickly you will be notified, should be one of your initial steps in evaluating cloud security.

USPS Data Breach: Neither Snow nor Rain nor Heat nor Gloom of Night Keeps Intruders from Their Appointed Rounds

Employment with the US Postal Service was once considered the benchmark of job security. The same cannot be said of the security of their personal employee data.

According to USPS officials, a recent breach affects the entire staff of 800,000 postal workers. The data exposed includes “names, dates of birth, Social Security numbers, addresses, dates of employment and other information”. Fortunately, “other information” does not include credit card numbers, though as a precautionary measure, USPS employees will be given one free year of credit monitoring.

The only compromised customer data involves “customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014 and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, e-mail addresses and other information for customers who may have provided this information.” In a formal statement, the USPS asserts that “we do not believe that potentially affected customers need to take any action as a result of this incident”. USPS officials emphasize that no financial systems within USPS facilities or USPS affiliates were affected (such as USPS.com, Click-N-Ship, the Postal Store, PostalOne!, FedEx or UPS). Lastly, passport application data was not compromised.

Unlike the recent breaches at retailers Home Depot and Target, this breach is suspected to have been carried out by the Chinese government, which (along with the NSA) is notorious for intrusion attempts on government information systems; China denies the accusation. James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, states that “they’re just looking for big pots of data on government employees” as “a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes”. He also notes that “China would be interested in amassing large sets of data that can be analyzed for previously unknown links or insights”. Lastly, Lewis notes that the Chinese postal service, unlike the USPS, holds large amounts of data on its citizens, and that the attackers may have incorrectly assumed the same of the USPS and overestimated the nature and type of data available.

The USPS has come under fire for its reporting of the breach, particularly the fact that the breach occurred in August but was not reported until recently. House Oversight and Government Reform Committee Chairman Darrell Issa (R-CA) and House Oversight Committee Subcommittee on Postal Service Chairman Blake Farenthold (R-TX) are leading the charge. The committees released a joint statement using terse language: “…the Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter. The Committee will be seeking information about why the Administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.” In a letter addressed to Postmaster General Patrick Donahoe (himself a victim of the attack), ranking committee member Rep. Elijah E. Cummings (D-MD) went as far as to say that “The increasing number of cyber attacks in both the public and private sectors is unprecedented and poses a clear and present danger to our nation’s security.” In reply to the critics, the USPS states that “Communicating the breach immediately would have put the remediation actions in jeopardy and might have resulted in the Postal Service having to take its information systems offline again” (the latter statement refers to the Postal Service taking systems offline on November 8-9 as part of its intrusion mitigation efforts).

Joining the USPS in the incident response are the Federal Bureau of Investigation, the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. The FBI, in its own statement, urged the public to “report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.” A Frequently Asked Questions (FAQ) document is available from the USPS at http://about.usps.com/news/fact-sheets/scenario/customerFAQs_Final.pdf

Major Software Bug Could Affect Your Business

Shellshock

A vulnerability discovered in Bash, a software component found in Linux, Apple OS X and other Unix-like operating systems, could put your business’s computers at risk. Once exploited, this vulnerability lets an attacker run commands of their choosing on the affected machine, and from there gain access to your individual systems.

About Shellshock

Going by the name Shellshock, the bug is in Bash, the command-line shell used on most Unix-based systems. Specifically, Bash mishandles function definitions passed in through environment variables and executes any command appended after the definition, so any network service that hands attacker-controlled input to Bash through its environment is exposed. Attackers have already remotely taken control of systems, and reports state that further exploits are under development to take advantage of the open access to so many systems. These exploits allow attackers to steal user passwords and install DDoS bots.

While Windows-based PCs aren’t among the affected devices, businesses should be concerned about their servers. Many servers run Apache, and an Apache web server that runs CGI scripts passes HTTP request headers to those scripts as environment variables; if the script is written in Bash, or calls out to a shell, a crafted header is enough to trigger the bug from across the network. In total, experts estimate 500 million machines could be vulnerable to Shellshock.

What Can You Do?

If your machines are behind a firewall that blocks inbound connections, you already have a major protection in place. A firewall does not help a server whose job is to accept connections from the internet, such as a public web server, so those still need patching. Apple has assured its users that the vast majority are safe from the vulnerability, since OS X systems are safeguarded by default. Users who have configured advanced UNIX services may be vulnerable, however. Apple is working on a patch to safeguard those systems.

Experts are concerned that as users rush to patch affected systems, attackers will make the most of the short window of opportunity to wreak havoc. The most vulnerable systems are likely those servers and applications that run Bash without administrators being aware of it, for example through CGI scripts or other programs that call out to the shell. For that reason, server administrators must take the extra effort to inventory and protect their servers.

Vendor Patches

The first thing a business can do is check with its vendors to see whether a patch is available for their products. Where data is stored with a third-party cloud service, businesses should be proactive in confirming that the provider has patched its systems. If you’d like to check whether your computer is running Bash, this article should help.
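The quickest way to know whether a machine is exposed is to ask its Bash directly. The check below is an added example, not code from the original article or from any vendor: it feeds the widely circulated test string to whichever bash is on PATH (or to a path you pass in) and reports whether the trailing command was executed. Note that the very first fix for Shellshock turned out to be incomplete and further related bugs followed, so treat this probe as a first look and rely on your vendor’s patch level for the final word.

```python
"""Local Shellshock (CVE-2014-6271) probe.

Added example; not from the original article. A vulnerable Bash executes
the command appended to a function definition while importing it from the
environment, so `echo VULNERABLE` runs before our own `echo probe`.
"""
import shutil
import subprocess

# Crafted environment variable: a function definition followed by a command.
# Pre-patch Bash kept parsing after the closing brace and ran that command.
PAYLOAD = "() { :;}; echo VULNERABLE"
MARKER = "VULNERABLE"


def shellshock_status(bash_path=None):
    """Return 'vulnerable', 'patched' or 'no-bash' for the given interpreter."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    # Minimal environment: only the crafted variable plus a sane PATH.
    env = {"PATH": "/usr/bin:/bin", "x": PAYLOAD}
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        # Missing or unusable interpreter at that path.
        return "no-bash"
    # A patched Bash prints "probe" only (and usually warns on stderr about
    # an ignored function definition); a vulnerable one also prints the marker.
    if MARKER in result.stdout.splitlines():
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print(shellshock_status())
```

Run it on each server and on any embedded appliance that exposes a shell; a result of “patched” for the system Bash says nothing about a second Bash build bundled inside an application, so pass that binary’s path explicitly where you find one.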

As more information becomes available about Shellshock, businesses will be better equipped to deal with the issues. For small businesses, turning server operations over to a highly experienced cloud services provider can be a good way to ensure systems are patched promptly whenever vulnerabilities like Shellshock emerge. Because applications are often built by vendors, however, many businesses are left uncertain about what technology their systems are actually running when news about a vulnerability like this one breaks.

5 Million Gmail Usernames, Passwords Hacked! What to Do Now?

The news that five million Gmail usernames and passwords were published alarmed many in the industry. If Google’s servers aren’t safe, whose are? But Google quickly followed up with an announcement that the information was taken from sources other than Google’s systems, which means that any of the credentials that still work on Gmail are cases where the same password was reused on another site. The company has searched its own systems for signs of a compromise and has found nothing.

What to Do Now

Since Gmail powers many workplace email accounts, it’s important that businesses first protect any email accounts that might contain company data. Even if one employee is using a Gmail account for work duties, that employee should take measures to ensure his account is protected. To be safe, business leaders should send instructions to all employees on safeguarding their Gmail accounts, even if they don’t use them for work purposes.

Protecting your Gmail account is straightforward. The first step is to change your password, which can be done by clicking the down arrow next to the gear in the top-right corner. Choose Settings, then Accounts and Import. Change Password is at the top. You’ll be prompted to enter your old password and your new one twice; aim for a “Strong” password rating, and do not reuse a password from any other site. Once you’ve changed your password, you’ll be taken to another settings screen. If 2-Step Verification is disabled, click the link to set it up and go through the steps. From then on, a sign-in from an untrusted device requires a code delivered by phone call or text message in addition to the password, so a leaked password alone is no longer enough to get in.

User Security

To help keep their own systems secure, businesses should require employees to use passwords that are difficult to guess. Administrators can enforce this as a policy on applications and file servers, requiring a minimum length and a mix of letters, numbers and special characters in every password, and, where the tooling allows it, rejecting any password that appears in a leaked credential dump such as this one.
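When a dump like this circulates, the practical task for an administrator is to find which of the organisation’s accounts appear in it and force those users to reset, and then to stop the leaked passwords from being chosen again. The code below is an added example, not from the original article or from Google: the dump lines and the user directory are constructed, the separators (colon and semicolon) mirror the layouts such dumps commonly use, and the policy thresholds (12 characters minimum, 20 for a passphrase without complexity rules) are assumptions you would tune to your own standard.

```python
"""Matching a leaked-credential dump against an organisation's accounts.

Added example; not from the original article. All data below is constructed.
"""
import re

# Constructed dump sample: two common "address<sep>password" layouts plus junk.
SAMPLE_DUMP = """\
alice@example.com:Summer2014!
Bob.Smith@Example.com;correcthorsebatterystaple
not-an-email-line
carol@otherdomain.org:hunter2
dave@example.com:Password1
"""

# Constructed directory of the organisation's Gmail / Google Apps accounts.
ORG_USERS = ["alice@example.com", "bob.smith@example.com", "erin@example.com"]

# address, then ':' or ';', then the password (everything up to trailing space).
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.*?)\s*$")


def parse_dump(text):
    """Yield (email, password) pairs, skipping lines that do not parse.
    E-mail addresses are case-insensitive, so they are normalised to lower case."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.group(1).lower(), match.group(2)


def affected_accounts(dump_text, org_users):
    """Return the organisation's accounts present in the dump (force these to reset)."""
    leaked = {email for email, _ in parse_dump(dump_text)}
    return [user for user in org_users if user.lower() in leaked]


def password_acceptable(candidate, dump_text, min_length=12, passphrase_length=20):
    """Policy check for a new password.

    Anything seen in the dump is rejected outright, however complex it looks
    ("Password1" passes a letters+digits rule and is in the dump anyway).
    Long passphrases are accepted without character-class rules; shorter
    passwords need the minimum length and at least three character classes.
    """
    leaked_passwords = {pw for _, pw in parse_dump(dump_text)}
    if candidate in leaked_passwords:
        return False
    if len(candidate) >= passphrase_length:
        return True
    if len(candidate) < min_length:
        return False
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    return classes >= 3


if __name__ == "__main__":
    print("reset required:", affected_accounts(SAMPLE_DUMP, ORG_USERS))
```

The match is on the address only, deliberately: whether the leaked password is the user’s current Gmail password is not something you can or should test from the outside, and a reset plus 2-Step Verification is the right response either way.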

Password managers deserve a closer look as well. They solve the problem of the many passwords we all have to keep up with by letting a user remember one strong master password that unlocks all sites and applications. While acknowledging the usefulness of such tools, businesses should examine the encryption used by the particular password manager, and in particular whether the vendor ever holds the master password or an unencrypted copy of the vault. If an administrator manages everyone’s credentials through a central console, the security of that console must be investigated as well, since it becomes a single point of compromise.

The Gmail incident is yet another reminder of how exposed electronic systems are. If your business employs industry-standard security software and enforces safe password policies, your users can stay safe during large-scale hacking attempts.

3 Things Your Business Should Learn from the Home Depot Data Breach


Experts say it may be the biggest data breach in U.S. history involving consumer credit and debit cards, with customer data stolen from more than 2,000 stores across the U.S. Home Depot is currently investigating the possible breach, which is believed to have affected more than 40 million payment cards. Last year’s Target breach, which made national headlines and had a negative impact on the company’s stock, affected about 40 million payment cards, with the personal information of up to 70 million customers also exposed.

The reports are bringing concerns from consumers, who aren’t sure if their own cards may be affected. But businesses of all sizes should be concerned, as well, because the September 2nd warning of “unusual activity” to Home Depot from its bank could happen to any business. Before it happens to your organization, here are three things you can learn from the news about Home Depot’s data breach.

Data Security Should Be Tightened

While no amount of security is impenetrable, a business can protect itself by keeping each server that holds customer data patched, hardened and segmented from the rest of the network. For retailers and ecommerce sites that use payment processing service providers, it’s important to contract with respected providers who employ the latest security to keep your customer data safe, and to confirm that card data is never stored on your own systems when the processor can hold it instead.

Data Breaches are Expensive

When the dust settles on the Home Depot scandal, the company will still face months of backlash from the negative publicity. Target is still feeling the aftereffects of its December 2013 data breach, having lost the trust of the public and its investors. For months after a security incident, some customers hesitate to use a credit card at an affected store, even after the business assures them things are once again secure. The damage to a brand’s reputation can be financially devastating, potentially even forcing smaller businesses to close.

Microchips are Essential

Even as the news about these data breaches emerges, financial institutions are issuing cards with microchips (EMV chip cards) that help prevent fraud. Merchants must upgrade to new terminals to accept these cards, but once installed, the chip proves the card is genuine and produces a unique code for each transaction, so data skimmed from one purchase cannot be used to manufacture a working counterfeit card. Chip cards do not, however, protect against fraud in online or telephone transactions where the card is not present, so they are one layer of defense rather than a complete one.

If your small business deals in customer payment information, it’s important to take as many measures as possible to protect that information from a data breach. Breaches can be extremely costly, potentially dooming a business to failure, so the future of a company may rest on its data protection procedures.

Are You Protected Against Credit Card Fraud? Cloud Solutions Can Help

The growth of cloud hosting in business has opened up numerous options, from the way employees are paid to the way payments are accepted. But as technology has evolved, criminals have worked hard to find new ways to work the system. The industry is always working hard to stay one step ahead of fraudsters in order to protect both merchants and their customers.

Every day in this country, credit cards are stolen and used to purchase goods. While card issuers generally bear the brunt of the losses, merchants can be slapped with fees and chargebacks, especially if they fail to follow the guidelines in their agreements with the card companies. In addition to carefully scrutinizing those agreements, the following cloud options could help a business stay safe.

ThreatMetrix

Employing current fraud prevention technology, ThreatMetrix offers both software and education to help a business reduce the risk of crimes such as account takeover, payment fraud and fraudulent account registration. Once in place, ThreatMetrix analyzes online identities and their associated devices to detect suspicious activity.

Authorize.net

Authorize.net is a payment gateway, which works with a business’s existing solutions. The service is primarily designed for online payment acceptance, but it also helps safeguard businesses against fraud in accepting in-store payments or payments via telephone or mail. Having the Authorize.net seal on a website or POS system is a great way to help customers feel more secure in providing credit card information, which is a bonus for merchants.

Businesses should take as many precautions as possible to prevent credit card fraud in their stores and online. While education is an important part of that, cloud tools can add an extra layer of protection. As criminals continue to find new ways to defraud businesses, it’s important that those businesses do everything they can to keep themselves safe.

New Study Shows Businesses Are Storing Unprotected Data in the Cloud

Businesses have gotten the message: the cloud is the place to be. But in the rush to take advantage of the latest technology, many organizations may be taking costly shortcuts. Sensitive data left unencrypted may be exposed to attackers who find a way into the provider’s or the customer’s systems, according to a new study from security firm Thales.

Unencrypted Data

The study revealed vast discrepancies in perceived responsibility for data security once a business migrates to the cloud. With SaaS solutions, more than half of respondents believe the cloud hosting provider is responsible for security. For IaaS and PaaS solutions, however, responsibility is believed to be shared between the provider and the user.

The biggest gap in cloud security today is encryption, which is still a tricky area. Providers like Amazon Web Services give users several options, including Server Side Encryption (SSE) for data stored in S3. However, some services struggle to show end users, in a verifiable way, that encryption is actually happening. Two caveats apply: with server-side encryption the provider still holds the keys, so it protects against a lost disk rather than against a compromised provider account, and an option that is merely available is not the same as one that is enforced for every object that lands in the bucket.

Software Solutions

With so many businesses employing multiple cloud services, server encryption may not be enough. When a business chooses a SaaS solution like Salesforce, Gmail, Dropbox or any number of other cloud solutions, its data is stored on the host’s servers. This means it isn’t enough to check web and data hosts. A business must now also be concerned about security in each instance of cloud software it uses throughout the organization.

What can businesses do? One important first step is to check with each of your solution providers to learn what encryption is available for your files, and whether you can turn it on for everything rather than opting in file by file. Additionally, businesses can deploy their own encryption at no charge using one of the free tools on the market, so that data is already encrypted before it leaves the device. A business’s cloud services provider can help steer it in the right direction in choosing this additional layer of protection on the device side.
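For the S3 case mentioned above, “available” becomes “enforced” with a bucket policy that denies any upload lacking the server-side encryption header. The code below is an added example, not from the original article, AWS or Thales: build_policy emits the policy shape AWS documents for this purpose, and put_allowed is a deliberately small model of how IAM evaluates the two condition operators involved, so the effect of each statement can be checked offline. The bucket name is a placeholder, and the model assumes an Allow statement exists elsewhere (real IAM denies by default).

```python
"""S3 bucket policy that refuses unencrypted PutObject requests.

Added example; not from the original article. The evaluator models only the
StringNotEquals and Null operators that this policy uses.
"""
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"
ACCEPTED_SSE = ["AES256", "aws:kms"]


def build_policy(bucket):
    """Two Deny statements are needed, because StringNotEquals does not
    match at all when the header is absent; Null covers that case."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {SSE_HEADER: ACCEPTED_SSE}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {SSE_HEADER: "true"}},
            },
        ],
    }


def _condition_matches(condition, request_keys):
    """True when every clause of the condition block matches the request."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in request_keys
            if operator == "Null":
                # Null: "true" matches when the key is absent, "false" when present.
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringNotEquals":
                # Matches only if the key is present and its value is outside the list.
                allowed = expected if isinstance(expected, list) else [expected]
                if not present or request_keys[key] in allowed:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def put_allowed(policy, request_keys):
    """Simplified decision: any matching Deny blocks the request."""
    for statement in policy["Statement"]:
        if statement["Effect"] == "Deny" and _condition_matches(
            statement["Condition"], request_keys
        ):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(build_policy("example-bucket"), indent=2))
```

The detail worth remembering is the second statement: a policy with only the StringNotEquals clause looks complete but lets a request with no encryption header straight through, which is exactly the unprotected data the study describes.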

Top 3 Blocked Cloud Apps in Business Today

Today’s professionals travel the globe with devices stocked with apps. If these devices connect to a corporate network, they pose a security risk, especially when users freely surf the web and download software onto them. To safeguard networks, businesses regularly block apps on connected devices, granting exceptions only when an app is necessary for a user’s job. Here are three of the top blocked cloud apps in business today, along with the risks they may pose to your network.

Dropbox

Dropbox has long been the subject of warnings to security administrators, with multiple vulnerabilities identified over the years. The company works to patch issues as they are found, but many businesses consider the app too risky to allow on corporate networks, since a consumer file-sync account moves company files onto personal devices and storage outside the administrator’s control.

Facebook

While all social networks pose an element of risk to businesses, Facebook has been identified as the biggest. Numerous scams have been identified through the site, including cross-site scripting, clickjacking and survey scams. Cross-site scripting is particularly dangerous, since script injected into a page runs in the user’s browser with the user’s session, and can hijack the account or redirect the user to a site that installs malware on the device.

Netflix

As consumers gravitate toward online streaming for watching TV shows, Netflix is becoming more of a problem, with day-long streaming sessions eating away at crucial bandwidth. Since many businesses now rely on that bandwidth for everything from participating in webinars to placing phone calls, Netflix’s popularity is forcing security administrators to add it to their lists of blocked sites and apps.

Users may feel as though they’re being hampered by having apps blocked at work. In reality, however, when a user shares space with many others, it’s important to have someone administering things to ensure things continue to go smoothly. These three cloud apps should be toward the top of every business’s list of apps to watch.

Cloud Security Experts Declare Public Cloud “Safe”

Trust in the cloud is an acknowledged obstacle to widespread cloud adoption. As experts on a panel Wednesday said, however, the cloud has become a place where businesses can store data with confidence. The key to widespread adoption is building trust in cloud services, the panel agreed.

Top Technologists

The discussion took place at RSA 2014 in San Francisco, where some of the best and brightest information security experts in the field gather to discuss current issues facing the industry. Cloud security was a hot topic at this year’s conference, with many businesses still expressing concerns about turning their data over to cloud hosting providers.

The topic sparked hot debate at the panel, which was made up of experts from a variety of high-profile providers like Microsoft and Google. Panelists agreed that building trust is important, but they couldn’t come to terms on how cloud providers could build that trust.

Low-Risk, Big Reward

Google Apps’ Eran Feigenbaum noted that many cloud service providers give businesses more security than they’d find at their own on-premise data centers. “It’s the cloud provider’s responsibility to convince you that what they’re doing is safe and secure,” Feigenbaum said.

Cryptographer Bruce Schneier pointed out that when a business chooses to outsource cloud services, that business is outsourcing more than storage. Businesses are outsourcing expertise. He compared it to businesses hiring a tax expert to take care of their taxes and trusting an airline to take care of getting them safely to their destination.

But as businesses entrust their sensitive data to the cloud, service providers will have to work hard to win their trust. Panelists agreed that providers could begin to create that environment of trust by offering customers a certificate that serves as proof the storage solution meets security requirements. Businesses and consumers alike will feel more comfortable if the vendor offers a guarantee with its service, panelists said.

How Cloud Computing Makes Application-Layer Security More Important Than Ever

For the past couple of decades, workplace computer users have been doubly protected, through anti-malware and firewalls at both the PC and the server level. But that dual-layer protection is dissolving as workers discard desktops for mobile devices, accessing applications through equipment that may or may not have adequate anti-malware protection installed.

Device Safety

With the growing popularity of Bring Your Own Device (BYOD) in organizations, businesses are understandably concerned about the risks. Once a device is connected to an organization’s network, one infiltration can have disastrous repercussions. Customer data could be compromised or malware could take the network down for a time, costing the business customers and possibly damaging its reputation.

For that reason, it’s more important than ever that businesses ensure application-layer security is in place to protect them. Cloud providers are working to add Distributed Denial of Service (DDoS) protection and password brute-force detection for each of their customers’ accounts. These extra measures help ensure that only those who are authorized to access your business’s accounts are able to get in, further safeguarding your infrastructure.
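Brute-force detection of the kind mentioned above comes down to counting failed logins per source within a time window. The code below is an added example, not from the original article or from any provider’s product: the log lines are constructed in a simple “timestamp user result ip” format, the five-failures-per-minute threshold is an assumed starting point, and the lines are assumed to arrive in time order. It also generalises slightly beyond the text by showing why the window size matters: the same attacker spread over a longer period slips under a tight window, which is the trade-off every such detector has to make.

```python
"""Sliding-window brute-force detection over authentication log lines.

Added example; not from the original article. Log format and data are
constructed; real logs need a parser for their own layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one fast attack (203.0.113.7, several usernames from
# one source, i.e. password spraying) and one slow attack (198.51.100.2).
SAMPLE_LOG = """\
2014-09-10T08:00:01Z alice FAIL 203.0.113.7
2014-09-10T08:00:03Z alice FAIL 203.0.113.7
2014-09-10T08:00:04Z bob FAIL 203.0.113.7
2014-09-10T08:00:06Z carol FAIL 203.0.113.7
2014-09-10T08:00:07Z dave FAIL 203.0.113.7
2014-09-10T08:00:09Z erin OK 198.51.100.2
2014-09-10T08:01:30Z alice FAIL 198.51.100.2
2014-09-10T08:20:00Z alice FAIL 198.51.100.2
2014-09-10T08:40:00Z alice FAIL 198.51.100.2
2014-09-10T09:00:00Z alice FAIL 198.51.100.2
2014-09-10T09:20:00Z alice FAIL 198.51.100.2
"""


def parse_line(line):
    """Split one constructed-format line into (timestamp, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_bruteforce(log_text, threshold=5, window_minutes=1):
    """Return {source_ip: time_of_first_alert} for every source that racks up
    `threshold` or more failures inside any `window_minutes` span.

    Counting is per source rather than per user, so spraying one guess across
    many accounts is caught just as well as hammering a single account.
    """
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _user, result, ip = parse_line(line)
        if result != "FAIL":
            continue
        failures = recent_failures[ip]
        failures.append(ts)
        # Drop failures that have aged out of the window (lines are time-ordered).
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    print("1-minute window:", detect_bruteforce(SAMPLE_LOG))
    print("2-hour window:  ", detect_bruteforce(SAMPLE_LOG, window_minutes=120))
```

With the one-minute window only the fast source is flagged; widening it to two hours catches the slow one too, at the cost of more false positives from users who genuinely mistype a few times over a morning. Pair the detector with account lockout or step-up authentication rather than blocking the source address outright, since attackers rotate addresses.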

Encryption and Protection

There are several ways application-layer security can protect a business. One is to authenticate each access to the application, no matter which device it comes from, rather than trusting a device simply because it is on the corporate network. This identification and authentication process is used by many cloud providers. Encryption is also a standard tool for cloud service providers who offer application-layer security to their clients.

As more businesses migrate to the cloud, it’s important that they have professionals in place who can evaluate each of these required security layers in order to protect all aspects of operations. Cloud services professionals specialize in answering these questions to help put a business’s minds at ease.