main

SecurityService Provider

Protecting Sensitive Data: What a Breach Means to Your Business

August 29, 2018 — by Mike O'Malley0

data_falling_data_leaks-960x576.jpg

Data breaches have made big headlines in recent years, from Target to Equifax to Hudson’s Bay Co’s Saks and Lord & Taylor.  But the growing trend is actually in all the litigation stemming from data breaches. International law firm Bryan Cave analyzed the increasing trend of legal action following data breaches of all sizes. It found that in 2016 alone, there were 76 class action lawsuits related to data breaches:

  • 34% were within the medical industry
  • 95% had negligence as the most popular legal theory
  • 86% emphasized the breach of sensitive data

Our own research supports these findings. Radware’s 2018 Consumer Sentiments Survey found that 55% of U.S. consumers stated that they valued their personal data over physical assets, i.e. cars, phones, wallets/purses. In addition, Radware’s C-Suite Perspectives report revealed 41% of executives reported that customers have taken legal action following a data breach. Consequences of data breaches have extended past bad press, and include lasting effects on stock prices, customer acquisition costs, churn, and even termination of C-Suite level executives.

[You might also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organizations]

Types of sensitive data vary by industry and therefore have respective attack methods. For example, the finance and commerce industry are expected to protect data such as names, contact information, social security numbers, account numbers and other financial information. Likewise, the healthcare industry is at high risk of data breaches, as medical records contain the same personal data in addition to more details that aid in identity fraud – such as doctor and prescription records, medical insurance information, and individual health attributes from height and weight to blood type.

On the surface, data breaches fall under the jurisdiction of CISO, CTOs, etc., but CEOs are now just as likely to be held responsible for these incidents; Target’s then-CEO was forced to resign following its 2013 data breach.  Other CEO’s at Sony and Home Depot were no longer in their positions within 6 months of their high profile breaches.

Laws and regulations surrounding data breaches are now moving at a faster pace due to steeper consequences, with the implementation of the European Union’s General Data Protection Regulation (GDPR) and the United States’ growing interest and demand in data privacy and protection. Security at its bare minimum is no longer realistic, and instead a competitive advantage for smart companies. C-level executives who aren’t reviewing security plans are opening themselves and their companies to significant liabilities.

How does GDPR affect me?

The GDPR’s purpose is providing protection over the use of consumers’ personal data. Companies are now held to a higher expectation to protect their customers’ data, further emphasizing the evolving consideration of cybersecurity as a necessity in business. At its strictest, companies found not having done enough can be penalized upwards of €20 million or 4% of the offending organization’s annual worldwide revenue.

Although data breaches alone are months of bad publicity in general, the wrath of consumers often stem from the delayed notification and response from the company. Companies incur this fury when they attempt to keep a data breach hidden only for it to be uncovered, resulting in increased litigation costs. The GDPR now mandates and upholds companies to the high standard of notifying data breach-affected consumers within 72 hours.

Targeted for a Data Breach

In 2013, one of the most notable, mainstream headlines focused on the data breach of Minnesota-based, retail giant Target Corporation. During the holiday shopping season, Target revealed their mass data breach of personal information, of which 40 million customers had personal financial data stolen and 70 million had general personal data (such as email and addresses) revealed. Attackers were able to exploit the company’s customer database through a third-party vendor’s stolen credentials, utilizing malware as the weapon of choice; the same malware was later utilized to attack other retailers such as Home Depot. Hackers after the finance and retail industry still utilize malware like Target’s 2013 data breach to create pathways from minimally-protected 3rd parties into more complex systems.

At the end of the investigation, Target had to pay a fine of $18.5 million across the U.S. in addition to its cumulative legal fees of a staggering $202 million for the data breach. What goes unmentioned however, is also the potential cost of lost customers from these breaches, as well as the brand reputation decline. The company must also abide to new Terms of Agreements by various State Attorney Generals that include requiring Target to employ a security leader for the creation and management of a thorough information security program, in addition to other related guidelines.

The Early Bird Avoids the Attack

Target became a lasting example of the need for cybersecurity to be implemented within a company’s architecture and business processes. The topic of protecting customer data has become its own high-profile discussion across various industries, rather than just within the technology industry. Being proactive with not only the security surrounding the company’s products/services, but also the data it collects, will be a competitive differentiator moving forward.

Radware research found that 66% of C-Suite Executives across the world, believed hackers could penetrate their networks, yet little is changed to implement protections as exhibited by the graphic below.

[You might also like: Cybersecurity & Customer Experience: Embrace Technology and Change to Earn A Customer’s Loyalty]

Sensitive data across all industries are valuable, coming at different prices in the dark net market. As data breaches are becoming more commonplace, industries have to take different levels of precaution in order to protect consumers’ personal data. For example, the healthcare industry heavily utilizes encryption to protect data such as medical records and prescription history. However, attackers are also implementing encryption attack tools in order to access this information. It is crucial for the cybersecurity systems of these organizations to be able to distinguish between valid encrypted information versus attack information encrypted with SSL, in order to prevent a breach. A comprehensively designed network infrastructure that consistently manages and monitors SSL and encryption technology through its security systems can ensure protected network and data privacy.

Transitioning cybersecurity from the hallways of IT and embedding it into the very foundation of business operations allows an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve or worse, litigating expensive class actions. In addition, this proactive approach further builds customer relationships via improved trust and loyalty. Knowing that cybersecurity is a company’s and CEO’s priority will help the customer feel more at ease with potential partnerships and strengthens the level of trust between.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

SecurityWAF

Access to Applications Based on a « Driving License » Model

July 18, 2018 — by Thomas Gobet0

application-licensing-960x640.jpg

More and more countries are modifying their policies with a new “driving license” model.

With a classic license model, drivers can be caught frequently; they just have to pay a huge amount of money to the police each time.

Since this model has lot of limitations, it was changed to a “point-based model.” Either you begin with 0 points (and you increase it based on your “mistakes”) or your points decrease. Regardless of how the model works, you’re still allowed to drive if you have below a certain number of points on your license.

DDoSSecuritySSL

The Executive Guide to Demystify Cybersecurity

June 20, 2018 — by Radware0

demystifying-cybersecurity-1-960x640.jpg

WHAT DO BANKS AND CYBERSECURITY HAVE IN COMMON? EVERYTHING

The world we live in can be a dangerous place, both physically and digitally. Our growing reliance on the Internet, technology and digitalization only makes our dependence on
technology more perilous. As an executive, you’re facing pressure both internally (from customers and shareholders) and externally (from industry compliance or government regulations) to keep your organization’s digital assets and your customers’ secure.

New cybersecurity threats require new solutions. New solutions require a project to implement them. The problems and solutions seem infinite while budgets remain bounded. Therefore, the challenge becomes how to identify the priority threats, select the solutions that deliver the best ROI and stretch dollars to maximize your organization’s protection. Consultants and industry analysts can help, but they too can be costly options that don’t always provide the correct advice.

So how best to simplify the decision-making process? Use an analogy. Consider that every cybersecurity solution has a counterpart in the physical world. To illustrate this point, consider the security measures at banks. They make a perfect analogy, because banks are just like applications or computing environments; both contain valuables that criminals are eager to steal.

 

The first line of defense at a bank is the front door, which is designed to allow people to enter and leave while providing a first layer of defense against thieves. Network firewalls fulfill the same role within the realm of cyber security. They allow specific types of traffic to enter an organization’s network but block mischievous visitors from entering. While firewalls are an effective first line of defense, they’re not impervious. Just like surreptitious robbers such as Billy the Kid or John Dillinger, SSL/TLS-based encrypted attacks or nefarious malware can sneak through this digital “front door” via a standard port.

Past the entrance there is often a security guard, which serves as an IPS or anti-malware device. This “security guard,” which is typically anti-malware and/or heuristic-based IPS function, seeks to identify unusual behavior or other indicators that trouble has entered the bank, such as somebody wearing a ski mask or perhaps carrying a concealed weapon.

Once the hacker gets past these perimeter security measures, they find themselves at the presentation layer of the application, or in the case of a bank, the teller. There is security here as well. Firstly, authentication (do you have an account) and second, two-factor authentication (an ATM card/security pin). IPS and anti-malware devices work in
concert with SIEM management solutions to serve as security cameras, performing additional security checks. Just like a bank leveraging the FBI’s Most Wanted List, these solutions leverage crowd sourcing and big-data analytics to analyze data from a massive global community and identify bank-robbing malware in advance.

[You might also like: Cybersecurity & Customer Experience: Embrace Technology and Change To Earn A Customer’s Loyalty]

THE EXECUTIVE GUIDE TO DEMYSTIFYING CYBERSECURITY

A robber will often demand access to the bank’s vault. In the realm of IT, this is the database, where valuable information such as passwords, credit card or financial transaction information or healthcare data is stored. There are several ways of protecting this data, or at the very least, monitoring it. Encryption and database
application monitoring solutions are the most common.

ADAPTING FOR THE FUTURE: DDOS MITIGATION

To understand how and why cybersecurity models will have to adapt to meet future threats, let’s outline three obstacles they’ll have to overcome in the near future: advanced DDoS mitigation, encrypted cyberattacks, and DevOps and agile software development.

A DDoS attack is any cyberattack that compromises a company’s website or network and impairs the organization’s ability to conduct business. Take an e-commerce business for example. If somebody wanted to prevent the organization from conducting business, it’s not necessary to hack the website but simply to make it difficult for visitors to access it.

Leveraging the bank analogy, this is why banks and financial institutions leverage multiple layers of security: it provides an integrated, redundant defense designed to meet a multitude of potential situations in the unlikely event a bank is robbed. This also includes the ability to quickly and effectively communicate with law enforcement.

In the world of cyber security, multi-layered defense is also essential. Why? Because preparing for “common” DDoS attacks is no longer enough. With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever. This is why hybrid protection, which combines both on-premise and cloudbased
mitigation services, is critical.

Why are there two systems when it comes to cyber security? Because it offers the best of both worlds. When a DDoS solution is deployed on-premise, organizations benefit from an immediate and automatic attack detection and mitigation solution. Within a few seconds from the initiation of a cyber-assault, the online services are well protected and the attack is mitigated. However, on-premise DDoS solution cannot handle volumetric network floods that saturate the Internet pipe. These attacks must be mitigated from the cloud.

Hybrid DDoS protection aspire to offer best-of-breed attack mitigation by combining on-premise and cloud mitigation into a single, integrated solution. The hybrid solution chooses the right mitigation location and technique based on attack characteristics. In the hybrid solution, attack detection and mitigation starts immediately and automatically using the on-premise attack mitigation device. This stops various attacks from diminishing the availability of the online services. All attacks are mitigated on-premise, unless they threaten to block the Internet pipe of the organization. In case of pipe saturation, the hybrid solution activates cloud mitigation and the traffic is diverted to the cloud, where it is scrubbed before being sent back to the enterprise. An ideal hybrid solution also shares essential information about the attack between on-premise mitigation devices and cloud devices to accelerate and enhance the mitigation of the attack once it reaches the cloud.

INSPECTING ENCRYPTED DATA

Companies have been encrypting data for well over 20 years. Today, over 50% of Internet traffic is encrypted. SSL/TLS encryption is still the most effective way to protect data as it ties the encryption to both the source and destination. This is a double-edged sword however. Hackers are now leveraging encryption to create new,
stealthy attack vectors for malware infection and data exfiltration. In essence, they’re a wolf in sheep’s clothing.

To stop hackers from leveraging SSL/TLS-based cyberattacks, organizations require computing resources; resources to inspect communications to ensure they’re not infected with malicious malware. These increasing resource requirements make it challenging for anything but purpose built hardware to conduct inspection.

The equivalent in the banking world is twofold. If somebody were to enter wearing a ski mask, that person probably wouldn’t be allowed to conduct a transaction, or secondly, there can be additional security checks when somebody enters a bank and requests a large or unique withdrawal.

[You might also like: Cybersecurity & The Customer Experience: The Perfect Combination]

DEALING WITH DEVOPS AND AGILE SOFTWARE DEVELOPMENT

Lastly, how do we ensure that, as applications become more complex, they don’t become increasingly vulnerable either from coding errors or from newly deployed functionality associated with DevOps or agile development practices? The problem is most cybersecurity solutions focus on stopping existing threats. To use our bank analogy again, existing security solutions mean that (ideally), a career criminal can’t enter a bank, someone carrying a concealed weapon is stopped or somebody acting suspiciously is blocked from making a transaction. However, nothing stops somebody with no criminal background or conducting no suspicious activity from entering the bank. The bank’s security systems must be updated to look for other “indicators” that this person could represent a threat.

In the world of cybersecurity, the key is implementing a web application firewall that adapts to evolving threats and applications. A WAF accomplishes this by automatically detecting and protecting new web applications as they are added to the network via automatic policy generation.

It should also differentiate between false positives and false negatives. Why? Because just like a bank, web applications are being accessed both by desired legitimate users and undesired attackers (malignant users whose goal is to harm the application and/or steal data). One of the biggest challenges in protecting web applications is the ability to accurately differentiate between the two and identify and block security threats while not disturbing legitimate traffic.

ADAPTABILITY IS THE NAME OF THE GAME

The world we live in can be a dangerous place, both physically and digitally. Threats are constantly changing, forcing both financial institutions and organizations to adapt their security solutions and processes. When contemplating the next steps, consider the following:

  • Use common sense and logic. The marketplace is saturated with offerings. Understand how a cybersecurity solution will fit into your existing infrastructure and the business value it will bring by keeping your organization up and running and your customer’s data secure.
  • Understand the long-term TCO of any cyber security solution you purchase.
  • The world is changing. Ensure that any cyber security solution you implement is designed to adapt to the constantly evolving threat landscape and your organization’s operational needs.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Security

The Legitimacy of Cryptocurrency Has Made It Harder for Hackers

March 22, 2018 — by David Hobbs1

cryptocurrency-960x640.jpg

Last year a few noteworthy things happened in terms of cryptocurrencies. The IRS won their case against Coinbase and over 14,000 people who traded over $20,000 USD in 2015 now have to face the IRS.   Exchanges in Asia started forcing KYC (Know Your Customer) requirements on customers as did most of the rest of the world. Bitfinex decided to block all U.S. customers in November of 2017 due to regulatory issues and uncertainty. What this means is that Bitcoin and cryptocurrency is becoming harder to trade anonymously and without paying taxes. This is what happens because of legitimacy from regulation, lawful trade and taxation. I am not saying there isn’t much debate still regarding the legality, legitimacy or utility of cryptocurrencies; I’m saying 2017 had a significant change in how it is viewed.  Today, the SEC in the U.S. has been discussing forcing cryptocurrency exchanges to register with the SEC and there is no definitive answer to what this is going to mean or if it is going to happen.

Security

The Healthcare / Cyber-Security Connection

January 9, 2018 — by Radware0

healthcare-roundup-960x640.jpg

One of the businesses in the spotlight lately when it comes to cyber-attacks is healthcare – in fact, 46% of healthcare organizations experienced a data breach. The data associated with this industry is extremely sensitive and highly regulated, and also actively sought by hackers. It has even gotten to the point where we need to worry about the possibility of someone’s pacemaker or other medical device being hacked. We’ve covered this topic in much detail over the course of 2017, and below is our roundup of everything you need to know about cyber-security and healthcare.

Attack Types & VectorsSecurity

The Radware Research Roundup

December 28, 2017 — by Radware0

radware-research-roundup-960x641.jpg

As 2017 comes to a close, we decided to take a look back at a number of new attack types and threats that we saw throughout the year. Our team took a deep dive into researching and testing many of these threats to find out how they operate and how big of a threat they really were, through setting up honeypots, intentionally bricking a colleague’s device, and setting up IoT chatbots. Below are some of the highlights from our year:

Attack Types & VectorsSecurity

Do Hackers Have It Easy?

September 19, 2017 — by Shira Sagiv0

defense-pro-iot-960x540.jpg

Hackers got it easy. At least, it feels like it. They are in a growing “industry” with many, almost endless, targets to choose from. They have access to new tools and techniques, services that make it easy for them to launch an attack and lots of information and personal data at their fingertips. All of that is available today on the Darknet, and you don’t need to be a sophisticated hacker to get access and start “enjoying” it all.

Security

Blockchain and the future of IoT – Part 3

August 10, 2017 — by Pascal Geenens0

blockchain-iot-part-3-960x640.jpg

To read Part 1 of the series, click here.

To read Part 2 of the series, click here.

Blockchain in the IoT world

A blockchain implementation in the IoT world is probably not best served by a public blockchain based on Proof of Work. The inefficient consumption, not to say waste, of energy to generate Proof of Work is pretty much orthogonal with the premise of IoT devices, which have to consume less energy and are in some cases battery powered. POW comes at a severe cost and it does not add much value to the use case of a distributed ledger used within a consortium of partners. Hence the implementation based on Proof of Stake provides a better starting point for any attempt to chainify an IoT ecosystem where a consortium of partners is adopting a new business application. The security would then be based on a limited number of centralized nodes or cloud servers and by design it does not rely on independence of central trust as do the public cryptocurrencies. Most blockchain use cases I came across start from the assumption that there is a set of parties or a consortium of partners that have a common interest in a specific ledger, and while it might serve the larger public in terms of better quality and faster service, the consumer is not directly concerned with or interested in the ledger itself, only the parties who provide the service and rely on the ledger for remuneration will be.

Security

GDPR and HITECH: Can the past predict the future?

June 27, 2017 — by David Hobbs2

gdpr-hitech-compliance-960x640.jpg

In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.

Older Posts