<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.websense.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Websense Insights</title><link>http://community.websense.com/blogs/websense-insights/default.aspx</link><description /><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP3 (Build: 66.8433)</generator><item><title>ATM Cyber Heist Underscores Need for DLP Technology</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/05/10/atm-cyber-heist-underscores-need-for-dlp-technology.aspx</link><pubDate>Fri, 10 May 2013 13:55:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:56995</guid><dc:creator>Joerg Sieber</dc:creator><slash:comments>2</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/05/10/atm-cyber-heist-underscores-need-for-dlp-technology.aspx#comments</comments><description>&lt;p&gt;&lt;a href="http://community.websense.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/6712.Hoodie-CyberThief.jpg"&gt;&lt;img height="220" width="255" style="border:0;float:left;" src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/6712.Hoodie-CyberThief.jpg" border="0" alt="" /&gt;&lt;/a&gt;A fascinating cybercrime story about an &amp;quot;unlimited
operation&amp;quot; in New York involving the theft of debit card information from
payment processors, and the resulting theft of $45 Million from thousands of
ATMs by an international gang of hackers broke yesterday. What makes this story
interesting is not necessarily the level of sophistication of the attack (most
of the technologies used have probably been around for some time), but that it
involves both cybercrime (data theft and manipulation of financial data) and
good old-fashioned in-person ATM withdrawals to monetize the data theft.&lt;/p&gt;
&lt;p&gt;So far, it is unclear from the story exactly how the hackers
gained access to the debit card information, or how they eliminated the
withdrawal limits of the debit cards involved. One could imagine a low and slow
data theft campaign that stole a few debit card numbers at a time to remain
undetected. Instead, this story is a perfect example to illustrate the
innovation hackers employ to turn data theft into financial gain. It doesn&amp;#39;t
always have to be high-tech from beginning to end. Sometimes all it takes is
good organizational skills. &lt;/p&gt;
&lt;p&gt;One thing is clear, regardless of what method these hackers
utilized to get their hands on this financial data or modify the banking
systems, sophisticated &lt;a target="_blank" href="http://www.websense.com/content/websense-data-security-products.aspx?cmpid=prblog"&gt;DLP (Data Loss Prevention)&lt;/a&gt; technology would have kept
sensitive financial data secure and detected even innovative attempts by hackers
to steal confidential data. These DLP technologies include solutions such as
Drip DLP to protect against low and slow data theft attempts, the ability to
detect data theft utilizing custom encryption, or OCR (Optical Character
Recognition) to detect attempts to steal sensitive data contained in image
files such as JPEGs or GIFs.&lt;/p&gt;
&lt;p&gt;Financial institutions (and other industries dealing with
sensitive data) need to be adequately prepared against attempts to steal their
data. The risks and costs associated with deploying outdated or weak DLP
technology are much higher than the $45 Million stolen in this instance. How
much would the loss of sensitive data cost your organization in lost revenue,
legal fees, customer churn, and bad press?&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+security/default.aspx">data security</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss+prevention/default.aspx">data loss prevention</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/DLP/default.aspx">DLP</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/banking/default.aspx">banking</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss/default.aspx">data loss</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+breach/default.aspx">data breach</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/cybercrime/default.aspx">cybercrime</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/hacking/default.aspx">hacking</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+theft/default.aspx">data theft</category></item><item><title>Cybercrime: The Next Big Target, Your Smartphone [VIDEO]</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/05/07/cybercrime-the-next-big-target-your-smartphone-video.aspx</link><pubDate>Tue, 07 May 2013 08:05:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:56798</guid><dc:creator>Bob Hansmann</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/05/07/cybercrime-the-next-big-target-your-smartphone-video.aspx#comments</comments><description>&lt;p&gt;Leading analyst firm &lt;a href="http://www.idc.com/getdoc.jsp?containerId=prUS24085413" 
target="_blank"&gt;International Data Corporation (IDC)&lt;/a&gt; recently released a report showing two trends are increasing the risk of smartphone cyberattacks. First, Q1 2013 smartphone sales finally surpassed regular feature phone sales. Second, total smartphone sales increased 41.6 percent. So why does this increase the smartphone threat level?&lt;/p&gt;
&lt;p&gt;Cybercriminals have always been attracted to the most popular platforms. The first widespread PC viruses were on the early Apple platforms, such as Apple II and Apple IIc. However, the threat shifted to the IBM PC the same year that IBM sales surpassed Apple PC sales. Web browser threats followed the same pattern as they often exploited Internet Explorer until Firefox and Chrome became widely used alternatives. Today, even Safari is at risk, but mainly due to &lt;a href="http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx?cmpid=prblog" target="_blank"&gt;cyberthreats that exploit Java&lt;/a&gt; and other popular common components.&lt;/p&gt;
&lt;p&gt;Nevertheless, today&amp;#39;s cyberattacks have a wide variety of objectives. They are not all focused on a single smartphone platform. For example, while IDC reports only a 17.3 percent overall market share for the iPhone, it is still very popular in many sectors of business, making it a primary conduit to reach victims. Conversely, cybercriminals looking to attack a broader audience will likely target Android-based devices.&lt;/p&gt;
&lt;p&gt;IDC also recently conducted the &lt;a href="http://www.idc.com/getdoc.jsp?containerId=240598" target="_blank"&gt;2013 U.S. Mobile Security Survey&lt;/a&gt; where they interviewed 200 IT decision-makers to gauge their stance on personal mobile devices (PMDs) in the enterprise. Turns out, 62.5 percent of all respondents said their organization embraces the bring your own device (BYOD) movement. In addition, more than 50 percent of employees access corporate data on mobile devices while traveling on business. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Mobile security education, tools and best practices&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Most organizations adopt BYOD to help their nomadic workforce be more productive. The problem is mobile devices, specifically smartphones, seldom have adequate mobile security software. Mobile security risks also extend to the growing use of tablets in the workspace. Mitigating this risk requires a combination of education, security tools and best practices.&lt;/p&gt;
&lt;p&gt;Education should begin by helping users understand that the threat is real and present. No platform is safe, and all apps are suspicious. Both iTunes and Google Play have unknowingly distributed malicious apps. Also, jail-breaking a device is the height of mobile recklessness. Unfortunately, many users perceive mobile threats as &amp;#39;hype&amp;#39; and do not respect the potential damage their device can inflict on the organization. In addition, recent surveys have revealed that 30 to 50 percent of users do not password protect their devices. The &lt;a href="http://www.websense.com/content/2013-security-predictions-report.aspx?cmpid=prblog" target="_blank"&gt;Websense 2013 Security Predictions&lt;/a&gt; includes a spotlight article on mobile threats. Simply sharing it may help you educate your users.&lt;/p&gt;
&lt;p&gt;Security tools must extend beyond mobile device management (MDM) and must address both threats and data loss protection. This &lt;a href="http://www.websense.com/content/a-3-step-plan-for-mobile-security.aspx?cmpid=prblog" target="_blank"&gt;3-Step Plan for Mobile Security&lt;/a&gt; details how to apply layered defense strategies to mobile platforms. IT can no longer settle for single solution defenses. Lost and compromised devices threaten the security of intellectual property. &lt;/p&gt;
&lt;p&gt;To help you formulate your mobile security strategies, Websense recently recorded an interview with several executives to gauge their thoughts on mobile cyberthreats.&lt;/p&gt;
&lt;p&gt;How have you tackled mobile security?&lt;/p&gt;
&lt;p style="padding-left:30px;"&gt;&lt;a title="Click to play" href="http://www.websense.com/content/websense-videos.aspx?video=websense-threat-report-mobile-security?cmpid=prblog" target="_self"&gt;&lt;img class="video thumbnail" style="max-width:550px;border-width:0px;border:0;vertical-align:middle;" border="0" src="http://www.websense.com/assets/imgs/2013/ws2013-threat-report-teaser-video-thumb.png" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Android/default.aspx">Android</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/iPhone/default.aspx">iPhone</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/IDC/default.aspx">IDC</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/mobile+security/default.aspx">mobile security</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/BYOD/default.aspx">BYOD</category></item><item><title>Upcoming Webinar: Why Java Exploits Remain a Top Security Risk</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/30/upcoming-webinar-why-java-exploits-remain-a-top-security-risk.aspx</link><pubDate>Wed, 01 May 2013 06:05:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:56449</guid><dc:creator>Bob Hansmann</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/30/upcoming-webinar-why-java-exploits-remain-a-top-security-risk.aspx#comments</comments><description>&lt;p&gt;Java
vulnerabilities and zero-days are a serious problem in today&amp;#39;s
businesses. Frequently discovered vulnerabilities
are consistently opening the
door for data theft. Recent research by the Websense Security Labs found that &lt;a href="http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx?cmpid=prblog" target="_blank"&gt;94
percent of computers are vulnerable to Java exploits&lt;/a&gt;.&lt;img style="max-width:150px;border:0;float:right;" border="0" src="http://www.websense.com/assets/imgs/social/fb56449.jpg" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;On Wednesday, May 8, please join us for a &amp;quot;Why Java Exploits
Remain a Top Security Risk&amp;quot; webinar. We&amp;#39;ll
cover:&lt;/p&gt;
&lt;ul class="unIndentedList"&gt;
&lt;li&gt;
The top findings of our Java
vulnerability research&lt;/li&gt;
&lt;li&gt;
How these vulnerabilities are
increasingly being exploited through the use of exploit kits&lt;/li&gt;
&lt;li&gt;
Why Java is so vexing to manage &lt;/li&gt;
&lt;li&gt;Why many &amp;#39;best practices&amp;#39; are now falling short of their original promise&lt;/li&gt;
&lt;li&gt;
Specific recommendations
on how to stay protected&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Here is the &lt;a href="http://www.websense.com/content/webcast-java-exploits.aspx?cmpid=prblog" target="_blank"&gt;link
to the registration page&lt;/a&gt; for the event on Wednesday, May 8 at 10 a.m. PT /
1 p.m. ET.&lt;/p&gt;
&lt;p&gt;How frequent are holes in Java? Well, as I write this it&amp;#39;s been
just a single day since the last Java zero-day. Earlier this month hackers used
this type of exploit to crack into both Apple and Facebook.&lt;/p&gt;
&lt;p&gt;Have any initial questions on our Java
vulnerability research, Java zero-days or exploit kits? Drop a comment below,
or save it for the webinar and we can discuss at that time. I look forward to
discussing all of these items with you.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/exploits/default.aspx">exploits</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/exploit/default.aspx">exploit</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense+Security+Labs/default.aspx">Websense Security Labs</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/hacker+types/default.aspx">hacker types</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/targeted+attacks/default.aspx">targeted attacks</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/hacking/default.aspx">hacking</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/webinar/default.aspx">webinar</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/hacks/default.aspx">hacks</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Java/default.aspx">Java</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense/default.aspx">Websense</category></item><item><title>Part II: Five Best Practices When Facebook Liking</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/19/part-ii-five-best-practices-when-facebook-liking.aspx</link><pubDate>Fri, 19 Apr 2013 15:27:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:55116</guid><dc:creator>Bob 
Hansmann</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/19/part-ii-five-best-practices-when-facebook-liking.aspx#comments</comments><description>&lt;p&gt;&lt;a href="http://community.websense.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/1273.facebook_5F00_thumbs_5F00_up.png"&gt;&lt;img height="52" width="55" src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/1273.facebook_5F00_thumbs_5F00_up.png" border="0" style="margin:10px;float:left;border:0px;" alt="" /&gt;&lt;/a&gt;Today the Facebook Like button turns three years old. It&amp;rsquo;s the perfect time to remind employees how to safely surf Facebook, specifically when &amp;ldquo;liking&amp;rdquo; content.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Below I&amp;rsquo;ve detailed five best practices that you can share to mitigate the risk of using the Like button. Ultimately, to minimize risk, you want to remove opportunities for compromise. This means using real-time &lt;a target="_blank" href="http://www.websense.com/content/social-web-security-solutions.aspx?cmpid=prblog"&gt;security technology&lt;/a&gt; that can examine the ever-changing content on social media pages.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration:underline;"&gt;Five tips for safe Facebook liking:&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;1.&amp;nbsp;&lt;strong&gt;Raise the bar for Liking content.&lt;/strong&gt; If you are a frequent &amp;ldquo;Liker,&amp;rdquo; break the habit of clicking the Like button on anything and everything.&lt;/p&gt;
&lt;p&gt;2.&amp;nbsp;&lt;strong&gt;If it sounds too good to be true, it probably is.&lt;/strong&gt; Many Likejacking scams start on Facebook as a &amp;ldquo;Win a free iPad&amp;rdquo; lure. &lt;/p&gt;
&lt;p&gt;3.&amp;nbsp;&lt;strong&gt;Avoid voyeuristic lures&lt;/strong&gt; such as &amp;ldquo;The Sexiest Facebook post.&amp;rdquo; This includes unlikely viral videos, like videos that claim to be of the Boston Marathon attack &amp;ldquo;AS IT HAPPENS!,&amp;rdquo; when no news sites have the content.&lt;/p&gt;
&lt;p&gt;4.&amp;nbsp;&lt;strong&gt;Avoid offers and surveys&lt;/strong&gt; that mandate you like something in order to view content.&lt;/p&gt;
&lt;p&gt;5.&amp;nbsp;&lt;strong&gt;If you are suspicious, go to ACEInsight.com.&lt;/strong&gt; Right click on a Like and select &amp;lsquo;Copy Shortcut&amp;rsquo; to capture the link. Then paste that link into&amp;nbsp;&lt;a target="_blank" href="http://www.aceinsight.com"&gt;www.aceinsight.com&lt;/a&gt;&amp;nbsp;for free real-time analysis. It will detail potential threats.&lt;/p&gt;
&lt;p&gt;Abuse of the Like button is just one of the many flavors of today&amp;rsquo;s complex attacks. If an intended victim doesn&amp;rsquo;t click on the Like button lure, perhaps the criminal element can tempt the target to activate code that &lt;a target="_blank" href="http://community.websense.com/blogs/securitylabs/archive/2013/03/25/how-are-java-attacks-getting-through.aspx?cmpid=prblog"&gt;exploits a Java vulnerability&lt;/a&gt; or other holes in your defense. Social networks are just one of the avenues for complex attacks. Blocking access to Facebook is not going to stop the ingress of threats which may appear in other social networks, websites and emails.&lt;/p&gt;
&lt;p&gt;The complexity of these attacks contributes to the ongoing decline of traditional signature-based defenses. Dynamic defenses that analyze content, scripts, files, connections and other factors to make real-time decisions are the only way to protect against the many stages of an attack. With the right security intelligence, you can even mitigate zero-day threats.&lt;/p&gt;
&lt;p&gt;How? Click on over to our Websense ACE (Advanced Classification Engine) page and see how we approach proactive defenses and use threat intelligence to &lt;a target="_blank" href="http://www.websense.com/content/websense-advanced-classification-engine.aspx?cmpid=prblog"&gt;secure web, email, mobile and data&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Heck, if you are feeling like clicking, head on over to Facebook and give us a Like there: &lt;a target="_blank" href="http://www.facebook.com/websense"&gt;www.facebook.com/websense&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Facebook/default.aspx">Facebook</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/ACE/default.aspx">ACE</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense+Security+Labs/default.aspx">Websense Security Labs</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Advanced+Classification+Engine/default.aspx">Advanced Classification Engine</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/best+practices/default.aspx">best practices</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Social+Media/default.aspx">Social Media</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/social+media+security/default.aspx">social media security</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/social+media+survey/default.aspx">social media survey</category></item><item><title>Part I: What’s Not to “Like”?</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/19/part-i-what-s-not-to-like.aspx</link><pubDate>Fri, 19 Apr 2013 15:12:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:55115</guid><dc:creator>Bob Hansmann</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/19/part-i-what-s-not-to-like.aspx#comments</comments><description>&lt;p&gt;&lt;a 
href="http://community.websense.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/4338.facebook_5F00_thumbs_5F00_up.png"&gt;&lt;img src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/4338.facebook_5F00_thumbs_5F00_up.png" border="0" style="border:0;float:left;margin:10px;" alt="" /&gt;&lt;/a&gt;April 21st represents the third anniversary of the Facebook Like button. On the day of the launch, CEO Mark Zuckerberg said, &amp;quot;we are building a web where the default is social.&amp;quot; For the Like button&amp;rsquo;s third birthday party, there are a number of groups who will cheer this socialization of the web. However, you may not Like everyone who will be celebrating.&lt;/p&gt;
&lt;p&gt;Facebook will be partying, if only because the Like button has enjoyed much greater success than many other Facebook innovations. In an average minute, there are &lt;a target="_blank" href="http://www.time.com/time/video/player/0,32068,711054024001_2037229,00.html"&gt;more than 382,000 Likes&lt;/a&gt; posted on Facebook. More than &lt;a target="_blank" href="http://facebusinessworld.com/about/facebook-like/history/"&gt;2.5 million&lt;/a&gt; websites have integrated with Facebook via the Like button. There have now been approximately &lt;a target="_blank" href="http://venturebeat.com/2012/02/01/facebook-ipo-usage-data/"&gt;2.7 billion&lt;/a&gt; unique Likes on Facebook, meaning more than 955 billion in an average year.&lt;/p&gt;
&lt;p&gt;Many businesses will celebrate how the Like button has allowed them to easily track the interest level of the content they offer, and to connect Facebook visitors to content on their other web properties. It was recently estimated that 10,000 new websites connect to Facebook every day.&lt;/p&gt;
&lt;p&gt;Many customers will also celebrate as they receive more value from their online experience with these businesses, making it a win-win for everyone involved. In addition, Like buttons can be used to initiate downloads, redirect users and serve as a &amp;ldquo;Like gate,&amp;rdquo; which allows users to access hidden, bonus or exclusive content.&lt;/p&gt;
&lt;p&gt;But &lt;a target="_blank" href="http://www.wric.com/story/18159358/hampton-workers-in-center-of-facebook-debate"&gt;employees fired&lt;/a&gt; for &amp;lsquo;Liking&amp;rsquo; content their employers disapproved of will not be celebrating. And Facebook&amp;rsquo;s own celebrations may be dampened due to a &lt;a target="_blank" href="http://www.washingtontimes.com/news/2013/feb/12/patent-dispute-facebook-sued-over-button/"&gt;lawsuit&lt;/a&gt; from the widow of a Dutch programmer. Her husband reportedly patented the concept of a Like button in 1998 for use on his Surfbook social network.&lt;/p&gt;
&lt;p&gt;These two examples bring us to another faction who is no doubt praising the introduction of the Like button. The Facebook lawyers and those arguing for freedom of speech legal protection when they use the Like button will have many reasons to make merry.&lt;/p&gt;
&lt;p&gt;Finally, the cyber-underground will likely be partying, due to success in abusing the Like button. &amp;ldquo;Likejacking&amp;rdquo; scams have popped up periodically, almost since the introduction of the feature. Whether in a form of click fraud, or redirecting users to malware and other malicious content outside of Facebook through the ubiquity of the Like button on web pages, Like means money to cybercriminals.&lt;/p&gt;
&lt;p&gt;Recently, the Websense Security Labs blog warned of holiday-themed scams using the Like button. Similar features in &lt;a target="_blank" href="http://community.websense.com/blogs/securitylabs/archive/2012/05/04/pinning-down-pinterest.aspx?cmpid=prblog"&gt;Pinterest&lt;/a&gt; and other online services have also been abused by cybercriminals throughout the last year.&lt;/p&gt;
&lt;p&gt;In many ways, the like button may have incidentally facilitated a step beyond Zuckerberg&amp;rsquo;s vision; a web where the default threat is social. In my next blog post, I&amp;rsquo;ll detail five best practices for Facebook liking.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Facebook/default.aspx">Facebook</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense+Security+Labs/default.aspx">Websense Security Labs</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Social+Media/default.aspx">Social Media</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/social+media+security/default.aspx">social media security</category></item><item><title>Five Things CSOs Need to Know About the First NIST Cybersecurity Workshop</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/15/five-things-csos-need-to-know-about-the-first-nist-cybersecurity-workshop.aspx</link><pubDate>Mon, 15 Apr 2013 17:23:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:54939</guid><dc:creator>Lamont Orange</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/15/five-things-csos-need-to-know-about-the-first-nist-cybersecurity-workshop.aspx#comments</comments><description>&lt;p&gt;President Obama recently issued a Presidential Executive Order on Cybersecurity (PO 13636), which sent a wave of buzz throughout the industry. I attended the first National Institute of Standards and Technology (NIST) request for information (RFI) workshop as a representative to begin developing the NIST cybersecurity framework for implementation.&lt;/p&gt;
&lt;p&gt;There are three goals guiding this process, and over the course of the event we got a solid start toward achieving these deliverables: &lt;/p&gt;
&lt;p&gt;&lt;br /&gt;1)&amp;nbsp;Identify existing cybersecurity standards, guidelines, frameworks and best practices applicable to increasing the security of critical infrastructure sectors and other interested entities.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;2)&amp;nbsp;Specify high-priority gaps for which new or revised standards are needed.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;br /&gt;3)&amp;nbsp;Collaboratively develop action plans by which these gaps can be addressed. The development process for this action plan will have requisite stages for continuing engagement with the owners and operators of critical infrastructure and other industry, academic and government stakeholders.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Five Key Takeaways&lt;/strong&gt;&lt;br /&gt;What do NIST and a new framework for cybersecurity mean to the private sector? It&amp;rsquo;s a clear sign that cybersecurity has moved from obscure awareness to mainstream importance. This government mandate is reflecting the need to address vulnerabilities in our cybersecurity infrastructure&amp;mdash;both in the private and public sector. &lt;/p&gt;
&lt;p&gt;Below I&amp;rsquo;ve detailed five key NIST workshop takeaways for any CSO:&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;Our approach to cybersecurity, risk and threat management must evolve to meet a heightened new &amp;ldquo;normal&amp;rdquo; for security challenges. Each organization needs to know their enemy, know the threat and be prepared to meet the challenges of a mobile, always-connected workforce.&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;We must change behaviors, actions and the way we define the problem. The new norm for cyber intrusions comes in the form of persistent threats and data theft. We need to examine and measure the threats, risks and the ultimate business value to understand the impact of this new paradigm.&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;CSOs and CISOs are struggling with how to educate the executive suite about the problem. Internal communication and crisp messaging are paramount when explaining the need for protection (here&amp;rsquo;s a &lt;a target="_blank" href="http://community.websense.com/blogs/websense-insights/archive/2011/12/15/3-tips-when-speaking-to-the-board-of-directors.aspx?cmpid=prblog"&gt;link to a blog&lt;/a&gt; post with a few tips).&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;This new framework is a down payment on the cybersecurity defense program. It needs to take into consideration both foreign and domestic needs.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;Public and private sector ownership is critical. As industry leaders, we own the problem and can make recommendations on the most effective standards. &lt;/p&gt;
&lt;p&gt;Now that the April 8th submission deadline has passed, we will reconvene in subsequent scheduled working sessions. During these meetings, we will again roll up our sleeves and put these RFI session ideas into the actual cybersecurity framework.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Stay tuned for more insight on the NIST process. Feel free to reach out to me directly at &lt;a target="_blank" href="mailto:csos@websense.com"&gt;csos@websense.com&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/CSO+Pecpectives/default.aspx">CSO Pecpectives</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/CSO/default.aspx">CSO</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/cybersecurity/default.aspx">cybersecurity</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Office+of+the+CSO/default.aspx">Office of the CSO</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/NIST/default.aspx">NIST</category></item><item><title>Six Steps for Deploying Data Security Controls (Part II)</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/05/six-steps-for-deploying-data-security-controls-part-ii.aspx</link><pubDate>Fri, 05 Apr 2013 14:34:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:54640</guid><dc:creator>Neil Thacker</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/05/six-steps-for-deploying-data-security-controls-part-ii.aspx#comments</comments><description>&lt;p&gt;Earlier this week I made my case on why it&amp;rsquo;s time to move from infrastructure-only security to infrastructure AND data security control. Below are six steps for a successful data security control implementation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step one: Calculate the value of your data&lt;/strong&gt; &lt;br /&gt;Without a plan, this can be the most difficult part of the process. Data values can rise and fall as quickly as financial markets. The key to solving this problem is working with your executives and information owners. Determine a simple formula to estimate the value of your data. &lt;/p&gt;
&lt;p&gt;One of the best examples I&amp;rsquo;ve seen comes from the research group Securosis. Data value, frequency and audience are quantified within a table and allotted a score. Examples of data types include card data, PII, IP, sales data and any other specific data you are required to protect. An overall score is then defined based on the type of data. Below is an example:&lt;/p&gt;
&lt;p&gt;&lt;img src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/1185.Grid_5F00_Web.png" border="0" style="border:0;float:left;margin:10px;" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;By scoring the data types, you can prioritize the importance of the data.&amp;nbsp; Including frequency and audience also helps determine the likelihood of data-loss and again assists when prioritizing where and when to apply an action.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step two: Make your ROI case&lt;/strong&gt;&lt;br /&gt;To increase security spend, and roll-out new data security controls, you must demonstrate ROI. This means clearly quantifying the immense value that comes when you know where your data is, who is accessing it and how it&amp;rsquo;s being used. My colleague, Jason Clark, Websense CSO, has provided some excellent tips on how to communicate this with your C-Suite and board members in a separate &lt;a target="_blank" href="http://community.websense.com/blogs/websense-insights/archive/2011/12/15/3-tips-when-speaking-to-the-board-of-directors.aspx?cmpid=prblog"&gt;Websense Insights blog&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I strongly believe it&amp;rsquo;s critical to analyze, communicate and share the financial and organizational impact of stolen and lost data.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step three: Monitor and log your data&lt;br /&gt;&lt;/strong&gt;Next, start monitoring who has access to data and observe its movement around your network. Many organizations will turn to a data loss prevention (DLP) solution for this. The best DLP solutions have the ability to monitor the perimeter entry/exit points for data in motion and thoroughly monitor endpoints for data in use. &lt;/p&gt;
&lt;p&gt;The initial monitoring phase should not last longer than a few weeks after deployment, even after tuning your policies to remove false positives. A good solution should quickly provide clarity into common data movement trends. Just remember, don&amp;rsquo;t forget to monitor EVERY location where your data flows, including the often-overlooked printers, scanners, mobile devices and cloud services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step four: Apply data security controls&lt;/strong&gt; &lt;br /&gt;I often speak with organizations that are stuck in step three monitoring and logging mode. They identify incidents as they happen, but they are still not confident in applying controls to stop data leaving the organization. This is a mistake. &lt;/p&gt;
&lt;p&gt;Gartner Inc. demonstrated some time ago that passive security controls were dead. The same goes for DLP used exclusively in a monitor-only deployment. It doesn&amp;rsquo;t demonstrate ROI to most businesses, especially if a significant loss or breach occurs while you are &amp;ldquo;monitoring.&amp;rdquo; We must apply controls. &lt;/p&gt;
&lt;p&gt;First, revisit your most valuable data. Start amending the rules and policies to begin active protection of those crown jewels. I don&amp;rsquo;t recommend enabling all block rules immediately. In my experience, I have seen that a phased approach is the most efficient way of applying data security controls.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step five: Find your data&lt;/strong&gt; &lt;br /&gt;Once you have a score associated with each data type, and the funding, the next stage is to locate the sensitive data on your network. Based on the scoring exercise described above, it&amp;rsquo;s always advisable to begin this process with the most valuable data. Focusing on your crown jewels minimizes the negative impact to your network. Unfortunately, stand-alone discovery and mining services are usually expensive and take a considerable time to run. &lt;/p&gt;
&lt;p&gt;Another option is relying on DLP solutions. Most leading DLP solutions offer a mechanism to discover, identify and fingerprint data in periodic sweeps. These sweeps can often take place daily, weekly and monthly. This process provides a marked increase in visibility and improved efficiency through identifying duplicate data and flagging it. Many organizations waste large amounts of money backing up and storing duplicated data. To a security officer, reducing the cost of this process is great additional justification for the purchase of a DLP solution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step six: Implement proactive protection and up employee education&lt;br /&gt;&lt;/strong&gt;As user awareness becomes more prominent, the number of blocked incidents will stabilize and the number of monitored incidents will go down. Why? A typical end user is much more aware prior to clicking on a link or sending an email if they understand that these actions will result in a block and notification. As a result, information owners and security teams gain tremendous value through proactive protection, as well as a beneficial reduction in the IT team&amp;rsquo;s workload.&lt;/p&gt;
&lt;p&gt;Below is a graph showing proactive protection in action.&amp;nbsp;The number of incidents steadily decreased when a 2,500-user enterprise activated blocked actions in October 2012.&lt;/p&gt;
&lt;p&gt;&lt;img src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/6136.Graph_5F00_Web.png" border="0" alt="" /&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I may have made the previous steps sound easy to implement&amp;mdash;they should be. A data security control strategy can add more value than any technical solution deployed within an organization.&lt;/p&gt;
&lt;p&gt;Have any questions on these steps? Feel free to leave me a comment or send an email to &lt;a target="_blank" href="mailto:csos@websense.com"&gt;csos@websense.com&lt;/a&gt;. &lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+security/default.aspx">data security</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss+prevention/default.aspx">data loss prevention</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/DLP/default.aspx">DLP</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss/default.aspx">data loss</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+theft/default.aspx">data theft</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Office+of+the+CSO/default.aspx">Office of the CSO</category></item><item><title>Turning the Lights On… Infrastructure Security vs. Data Security (Part I)</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/04/03/turning-the-lights-on-infrastructure-security-vs-data-security-part-i.aspx</link><pubDate>Wed, 03 Apr 2013 15:06:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:54521</guid><dc:creator>Neil Thacker</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/04/03/turning-the-lights-on-infrastructure-security-vs-data-security-part-i.aspx#comments</comments><description>&lt;p&gt;The only thing more challenging than seeing something in the dark is explaining what you &lt;em&gt;can&lt;/em&gt; see to others. That&amp;rsquo;s how I characterize the often-difficult process of explaining the importance of data security to your executives and employees. 
Clearly communicating the challenges we face protecting our organizational &amp;ldquo;crown jewels&amp;rdquo; is one of the biggest obstacles security professionals face.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m often asked &amp;ldquo;How is infrastructure security different from data security?&amp;rdquo; The simplest answer: infrastructure security protects the availability of your IT systems, while data security protects the confidentiality and integrity of your information.&lt;/p&gt;
&lt;p&gt;Most companies have solid infrastructure security programs. They have traditional defenses: distributed denial of service (DDoS) attack mitigations, firewalls and intrusion prevention systems (IPS). In most scenarios, these defenses are owned by both network and security teams. Most security professionals consider this appropriate protection at the network level, but not adequate. &lt;/p&gt;
&lt;p&gt;Many are looking to implement the next breed of solutions to build out application layer protections and take a deeper dive into the TCP/IP protocols, which provide context surrounding an event. While the additional information available with this second stage of deployment is significant&amp;mdash;it should NOT be considered a data security control.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s why: data loss prevention (DLP) is an advanced control. It protects confidentiality and integrity of your data. The value that a DLP solution offers is the advanced context, or the &amp;ldquo;who, what, where and how,&amp;rdquo; of data storage, access and transmission. This full context is something that perimeter infrastructure defenses do not offer.&lt;/p&gt;
&lt;p&gt;In the next blog post, I&amp;rsquo;ll provide six steps to deploying data security controls to gain necessary visibility. &lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+security/default.aspx">data security</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss+prevention/default.aspx">data loss prevention</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/data+loss/default.aspx">data loss</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Office+of+the+CSO/default.aspx">Office of the CSO</category></item><item><title>Websense and F5 – Why it Matters</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/03/12/websense-and-f5-why-it-matters.aspx</link><pubDate>Tue, 12 Mar 2013 07:05:00 GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:53773</guid><dc:creator>Ryan Windham</dc:creator><slash:comments>0</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/03/12/websense-and-f5-why-it-matters.aspx#comments</comments><description>&lt;p&gt;On February 25th, Websense and F5 announced a long-term, strategic agreement to develop the industry&amp;#39;s most comprehensive, scalable, and real-time network security offerings. We also announced the availability of the first solution in our joint development roadmap.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Why does this matter?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Organizations today face increasingly sophisticated and targeted cyber-attacks that hit multiple attack vectors. The two primary targets are an organization&amp;#39;s web application servers and its employees accessing the web.&lt;/p&gt;
&lt;p&gt;Web application servers are targeted because they are public-facing and often have access to sensitive information in backend databases. As a result, they are subject to denial of service and application vulnerability and HTTP protocol exploitation attacks. In many cases, these web servers, once compromised, are used to drive redirects, host exploit kits and code, or deliver malware payloads because the site&amp;#39;s good reputation passes traditional security defenses. Positioned in front of these web applications, F5&amp;#39;s Application Delivery Controller is ideally positioned to thwart these types of web application server attacks. When Websense&amp;#39;s advanced threat detection and data loss prevention (DLP) capabilities are added to this web application firewall platform, the joint solution becomes &amp;quot;content-aware.&amp;quot; This provides a much higher degree of security against evolving threats.&lt;/p&gt;
&lt;p&gt;Employees are also targeted due to their privileged access to information and their susceptibility to spear-phishing and other social engineering techniques. These attacks often lure users to web destinations that redirect to servers hosting exploit kits used to detect open vulnerabilities or open doors into the user&amp;#39;s system, resulting in silently downloaded and installed malware. Once installed, the malware often checks in with command and control centers before carrying out its instructions that may involve data theft. Websense&amp;#39;s real-time security capabilities can detect and defend against each of these kill chain stages as utilized by advanced threats.&lt;/p&gt;
&lt;p&gt;What do both web application and employee attacks have in common? &amp;nbsp;Both attempt to acquire access credentials, infect, steal sensitive data, and in many cases are components of a broader attack on an organization that may also include disrupting commercial services.&lt;/p&gt;
&lt;p&gt;The Websense / F5 joint solutions solve this problem by protecting both web application servers and employees from cyber-attacks. The solutions enable organizations to secure their entire enterprise footprint by protecting sensitive data from both inbound attacks and outbound exfiltration. &amp;nbsp;I.T. administrators have access to a consistent set of security services deployed across both gateways: the web application firewall and the secure web gateway.&lt;/p&gt;
&lt;p&gt;This solution optimizes interoperability of the BIG-IP platform and Websense V-series and X-series appliances, bringing together the industry&amp;#39;s &lt;a target="_blank" href="http://community.websense.com/blogs/websense-news-releases/archive/2013/02/26/websense-triton-trumps-all-vendors-within-independent-security-effectiveness-test.aspx?cmpid=prblog"&gt;most effective security defenses&lt;/a&gt; &amp;nbsp;and the industry&amp;#39;s &lt;a target="_blank" href="http://www.f5.com/about/news/press/2013/20130129b/"&gt;most scalable networking&lt;/a&gt;. Meanwhile, our R&amp;amp;D teams are developing an on-box integration which has Websense TRITON defenses running directly on the F5 BIG-IP platform. Have any questions about the F5 and Websense partnership? Feel free to email me at &lt;a target="_blank" href="mailto:F5@websense.com"&gt;F5@websense.com&lt;/a&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/security+threats/default.aspx">security threats</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/cybercrime/default.aspx">cybercrime</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/networking/default.aspx">networking</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense/default.aspx">Websense</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/security+defenses/default.aspx">security defenses</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/cybersecurity/default.aspx">cybersecurity</category></item><item><title>Top Five RSA Conference Observations</title><link>http://community.websense.com/blogs/websense-insights/archive/2013/03/11/top-five-rsa-conference-observations.aspx</link><pubDate>Mon, 11 Mar 2013 15:05:00 
GMT</pubDate><guid isPermaLink="false">fce25e4e-8849-415b-9a49-b452c7b0e226:53688</guid><dc:creator>Brenda Santos</dc:creator><slash:comments>1</slash:comments><comments>http://community.websense.com/blogs/websense-insights/archive/2013/03/11/top-five-rsa-conference-observations.aspx#comments</comments><description>&lt;p&gt;&lt;a href="http://community.websense.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/2022.RSA-Conference-2013.jpg"&gt;&lt;/a&gt;&lt;a href="http://community.websense.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/2117.RSA-Conference-2013.jpg"&gt;&lt;/a&gt;&lt;img height="132" width="198" src="http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/websense-insights/7853.RSA-Conference-2013.jpg" border="0" style="float:left;border:0px;" alt="" /&gt;Security budgets have been lean, but if the recent RSA Conference is any indication of enterprise priorities, I&amp;rsquo;d say it&amp;rsquo;s a good year to be a security practitioner. With the increased attendance, one can only surmise that corporate executives and boards are tired of daily headlines about data breaches. &lt;/p&gt;
&lt;p&gt;More than 360 vendors exhibited at the RSA Conference and more than 24,000 attendees listened to 394 sessions. Moscone Center was filled with optimism and energy. The expo hall was packed with attendees looking for practical solutions to complex problems. They needed guidance they could take back to their day jobs.&lt;/p&gt;
&lt;p&gt;Here are my top five 2013 RSA Conference observations:&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;&lt;strong&gt;Security buzz was global:&lt;/strong&gt; People were talking about many critical issues. Some were speaking about President Obama&amp;rsquo;s recent executive order for cyber security as well as CISPA. To no surprise, others were discussing big data and global risk&amp;mdash;specifically China.&lt;/p&gt;
&lt;p&gt;&amp;bull;&lt;strong&gt;&amp;nbsp;Back to basics:&lt;/strong&gt; The sessions seemed to go back to basics with people (human element), process and technology tracks. I thought this was a positive approach. It focused on our vulnerabilities, our strength, our exposures, our investment and our defenses. &lt;/p&gt;
&lt;p&gt;&amp;bull;&lt;strong&gt;&amp;nbsp;Cloud crept in:&lt;/strong&gt; Initially I heard there wasn&amp;rsquo;t going to be much talk about the cloud at the show. However, there were numerous cloud discussions at the water cooler and rightly so. Cloud adoption is soaring. Laptop/mobile users exceed 50 percent at some companies. Many remote employees are accessing the internet and exposing vulnerable data. We have to initiate more conversations that focus on securing the data on the device, wherever it may go. &lt;/p&gt;
&lt;p&gt;&amp;bull;&lt;strong&gt;&amp;nbsp;More women in security:&lt;/strong&gt; I enjoyed meeting other women during the meet and greet event held by the Executive Women&amp;rsquo;s Forum, founded by Joyce Brocaglia. I learned that women make up 12 percent of information security professionals. While this number may seem low, it is growing and will continue to grow in the future, which in itself is exciting.&lt;/p&gt;
&lt;p&gt;&amp;bull;&lt;strong&gt;&amp;nbsp;A bit too Comic-Con at times:&lt;/strong&gt; Given the serious nature of the state of cyber security, I was amazed to see the array of vendor gimmicks used to entice attendees to stop at their booth. At one booth, folks dressed up like the Star Wars characters and were taking pictures with attendees. A few vendors were giving away swords that glowed, had someone dressed up like a robot, and there were 80&amp;rsquo;s arcade games. It was a little too Comic-Con for me given the state of security within the enterprise.&lt;/p&gt;
&lt;p&gt;How do you feel this year&amp;rsquo;s conference stacked up?&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/RSA+Conference/default.aspx">RSA Conference</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Websense/default.aspx">Websense</category><category domain="http://community.websense.com/blogs/websense-insights/archive/tags/Office+of+the+CSO/default.aspx">Office of the CSO</category></item></channel></rss>