The Case Against AWS – And It’s Not AWS’ Fault

Recently the NSA, a highly secure US government entity, left an unprotected disk image loaded with classified information right out in public on AWS. The NSA left it there on an “unlisted” server, but it didn’t have a password. Thus, if you stumbled across it, or someone went looking for it (a cybersecurity person at UpGuard did just that), it was yours for the taking. I will bypass all the ironic commentary/jokes that could/should be made and get to the point: It isn’t Amazon’s fault. If you are dumb enough to put this out there unprotected, you get what you deserve. Don’t blame the highway commission because you drove into a tree at 200 MPH. What it does highlight, beyond human stupidity, is the ease of doing damage because no one is there to protect you from yourself. If this were any reasonable enterprise storing these records themselves, SOMEONE would be watching for or protecting against things like this occurring. A security officer would have created policy that was pushed down to IT admins, who would set up specific volumes that could be used for sensitive data, with permissions to access that data enforced all over the place. Someone would be an adult. It’s not AWS’ job to be your babysitter. It’s their job to give you what you pay for—in this case, a virtual machine with a virtual disk. To read the complete article, CLICK...


Advanced Malware Detection and Response and… on the Rise

Think about all of the cybersecurity industry activity around advanced malware detection and response, and what comes to mind? Most people would probably focus on technology vendors like Bromium, Cylance, Damballa, FireEye, and Palo Alto Networks, since these firms have garnered headlines, raised vast fortunes of VC funding, and even pushed through successful IPOs. Yup, all of these technology vendors seem to be doing just fine, but there is another parallel success story in play – albeit a rather stealthy one. Advanced malware detection and response services revenue is actually growing about twice as fast as product revenue. Much of this growth is coming from the midmarket, but enterprise organizations are also jumping on the bandwagon. According to ESG research, 60% of enterprise organizations already working with professional/managed security services have increased their use of these services “substantially” or “somewhat” over the last 2 years. To read the complete article, CLICK...

Solving Cloud Security Will Open Adoption Floodgates
Mar 24

According to the upcoming Verizon 2014 Data Breach Investigations Report, in three-quarters of breaches the time it takes an attacker to compromise a system is days or less, but fewer than 25% of breaches are discovered in days or less. If that 75%-plus failure rate isn’t alarming enough, there’s the recent Enterprise Strategy Group survey of security professionals that found that almost half (42%) believe that “keeping up with the latest threats and vulnerabilities” is “much more difficult” or “somewhat more difficult” than it was two years ago. Or how about security being the single biggest impediment to cloud adoption, according to Elad Yoran, CEO of security/encryption specialist Vaultive. “All of the major barriers to cloud adoption have been addressed with one exception, security.” Until that issue is addressed and enterprises can secure their data, even when it resides on systems they don’t control, they will be reluctant, and in some cases unable, to move to the cloud, he said. “In 2013 enterprises got real about cloud computing. In 2014 we will integrate it into our existing IT portfolios – whether IT likes it or not,” said Forrester Research analyst James Staten. “When this issue [cloud security] is addressed, we will see the floodgates of cloud open up,” said Yoran. “It will unleash billions of dollars in cost savings.” Unfortunately, security concerns aren’t restricted to just the bad guys. “Revelations on surveillance and data mining programs like the NSA’s Prism have highlighted the risks that companies must come to terms with when their data is stored and processed in the cloud,” stated Yoran. “Whether it’s access to corporate data by the NSA or equivalent national security agencies outside of the U.S. and other U.S. federal agencies, or compliance with regulations that mandate data protection, businesses remain responsible for maintaining the privacy and confidentiality of their data.” Staten said one solution is ‘bring your own encryption’.

BYOE is a cloud computing security model that allows cloud services customers to use their own encryption software and manage their own encryption keys. This is going to be at the top of the security list for 2014 because of the whole NSA/Snowden data leak. We also expect in 2014 that other governments are going to get caught doing this [collecting data] too. BYOE works by allowing customers to deploy a virtualized instance of their own encryption software alongside the business application they are hosting in the cloud. The business application is configured so that all its data is processed by the encryption application, which then writes the ciphertext version of the data to the cloud service provider’s physical data store. It’s...


Are US Tech Companies Suffering a Slow and Agonizing Death?

Are technology companies in the United States now suffering a slow and agonizing death? In what is being called “The Snowden Effect,” the infamous former National Security Agency contractor’s disclosures revealing the extent of NSA worldwide spying efforts have prompted companies to avoid or leave US technology firms in droves. This has been especially true with regard to US-based cloud services, since it was realized that most of the largest US tech companies’ cloud computing systems have had their data accessed by the NSA. This revelation has caused approximately a ten percent drop in customers from cancelled contracts, according to a survey from industry group Cloud Security Alliance. Some argue that President Barack Obama has added fuel to the fire of tech industry problems by emphasizing how the NSA surveillance program focuses on people outside of the United States. One of the biggest problems that plagues these US companies is the perception that they are giving their data directly to the NSA. To read the complete article, CLICK...


Good News/Bad News on Cybersecurity Priorities & Spending

With the Winter Olympics in full swing, the cybersecurity community anxiously awaits another global event, the 2014 RSA Conference. Like Sochi, the RSA Conference comes with its own controversy, but I still anticipate that most of the global information security glitterati will be in San Francisco two weeks hence. In spite of the RSA/NSA imbroglio, I for one wouldn’t be surprised if this year’s RSA Conference exceeded last year’s attendance records. Why? The year 2013 pushed cybersecurity further into the spotlight as it featured the President’s executive order, an orchestrated cyber-attack on South Korea, the Mandiant APT1 report, the NY Times and Wall Street Journal breaches, Edward Snowden, and Target (to name a few). To read the complete article, CLICK...
