Data breaches are up 75% in two years

Data breaches are up 75% in two years, finds a report from the Information Commissioner (ICO).

The study, carried out by Kroll, took into account an array of personal data, including health, financial and employment details.

Access to this data was made possible under the Freedom of Information Act, in addition to some ICO data being publicly available.

Incorrect Recipients

Kroll found that over 2,000 reports received by the ICO within the last year could be attributed to human error, compared to just 292 that were deliberate cyber incidents.

Of the reports that were possibly caused by human error, the most common breach types were identified as emails to incorrect recipients (447), data posted or faxed to incorrect recipients (441), and loss or theft of paperwork (438).

As for purely cyber-related attacks without human involvement, the most frequent type within the last year was unauthorised access (102).

Additionally, the health sector was revealed to be the most common source of data breach reports, yielding a total of 1,214, with general business (362), which yielded the highest increase percentage over the past two years (215%), following behind.

GDPR an Important Factor

Kroll said that the increase in reports indicates a correlating increase in transparency on the part of companies as a result of the EU General Data Protection Regulation (GDPR)’s introduction back in May.

“Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force,” explained Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, “so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK.

“The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.

“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”

The Importance of Automation

Commenting on the finds from Kroll, Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland, said that companies need to support users, helping them become “the strongest link, not the weakest.”

She said: “This needs to go beyond just providing users with security and privacy training and awareness. There also needs to be mechanisms in place to identify and prevent internal data leakages from occurring.”

Ms Armstrong-Smith went on to explain the role of automation in possibly improving data security.

“Automation is helping organisations to detect and respond to changes and adapt policies to protect people and to enable them to be compliant. Not only this, but automation can help organisations react quicker and respond to a breach should it happen.

“They can do it proactively, report it in a timely and compliant way, and ensure they take control of events, rather than the other way around.

“To be truly effective when it comes to protecting personal data requires a mix of people, processes and technologies: all of which have to be carefully aligned so that everything fits together properly.

“At the end of the day, security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation.”

Parallels

Parallels Mac Management 7 Feature Focus: macOS Imaging via USB Boot Loader

macOS Imaging via USB Boot Loader

The latest release of Parallels® Mac Management for Microsoft® SCCM brings several highly demanded features. The ability to boot from a USB drive during operating system deployment is one of them.

Network OS deployment with task sequence support was implemented in Parallels Mac Management a few years ago, and it worked perfectly—in most cases. But if your NetBoot server and a Mac were located in different subnets, then you could have troubles.

OSD required imaging Mac computers to be booted over the network. The nature of the NetBoot protocol requires broadcasting DHCP packets. For some of our customers, it was not so easy to configure their network to pass such packets across subnets.

In Parallels Mac Management 7, we added the ability to create a bootable media (USB flash drive or external HDD) to eliminate the need for the network boot from the macOS image deployment process.

The use of the new functionality is pretty simple:

You create a bootable USB media on a Mac using the command line utility from Parallels Mac Manager distribution.

This bootable media contains only a boot image and the binaries of the Parallels Task Sequence Wizard, which will guide you through the process of OS deployment.

When you need to image a Mac, you boot it from this bootable media, and proceed with the familiar process of choosing and executing a suitable task sequence.

All the task sequences you have created before, as well as other content used in these task sequences, can be used with USB boot loader without any changes. And, of course, the good old ability to boot over the network is still there, so you can always choose which way to use in each case. Another exciting feature will be covered next week!

Boldon James

What are the different types of cyberthreat intelligence?

Cyberthreat intelligence: It’s a growing business (and buzzword) that provides many market opportunities. Consuming threat intelligence data is valuable for organizations to improve their security posture and strengthen their protection, detection and response capabilities.

But there are some sharks in the water. Before you dive deeper into threat intelligence, explore the clear distinction between data and intelligence: Data is a value that is the result of a measurement or an observation. Intelligence, however, is the result of analyzing data and then disseminating it to the right audience.

If you talk to vendors who are trying to sell you threat intelligence information, make sure that they are referring to relevant cyber threat intelligence — and not just a big pile of data.

The Different Types of Threat Intelligence

The use of intelligence isn’t something new. However, it’s not all about cyber threat intelligence. Threat intelligence has been used throughout human history — and has been collected from several different sources.

  • Human intelligence (HUMINT):The most obvious type of intelligence, which is gathered from humans using interpersonal contact (directly or indirectly). It can also happen more covertly, via espionage or observation.
  • Signals intelligence (SIGINT):Gathers information via the interception of signals. These signals can be communication between people (COMINT), electronic intelligence (ELINT) or foreign instrumentation (FISINT), which is the interception of foreign electromagnetic emissions.
  • Open-source intelligence (OSINT):Collects information from publicly available sources. This data includes news, social media and public reports. Open-source intelligence, however, is not related to open-source software. The concept of OSINT has existed for years. Yet, the growth of instant communications and the capabilities for large-scale data correlations and data transformations have made it more valuable, especially for the computer security community. OSINT includes social media intelligence (SOCMINT), which is the collection of intelligence based on social media channels, conversations and signals.
  • Geospatial intelligence (GEOINT):Collects information from geospatial data, including GPS data and maps. This information can provide additional geographical contextual information on threats. Do not underestimate the possibilities of false flags and be prudent about using GEOINT information for geographical attribution.
  • Financial intelligence (FININT):Gathers information about the financial capabilities or motivation of the attackers. In the context of law enforcement, FININT is often used to detect suspicious financial transactions.
  • Tech intelligence (TECHINT):Gathers intelligence on equipment and material to assess the capabilities of the opponents. TECHINT allows you to update your protection measures to counter the use of this equipment or material.
  • Market intelligence (MARKINT):Collects intelligence to understand the market of a competitor or adversary.
  • Cyber intelligence (CYBINT):The collection of data via different intelligence-collection disciplines. In a lot of cases, CYBINT will collect data from SIGINT, OSINT and ELINT. This data will also occasionally come from SOCMINT, HUMINT, GEOINT and other intelligence disciplines.

Start with a Cyberthreat Intelligence Program

Cyberthreat intelligence feeds the detection, prevention and response processes within your computer security program. It is complementary to the incident response (IR) process and helps in reducing the organizational risk. It will support your security operations center (SOC) and provide the necessary input to fulfill requests for information (RFIs) from your management board, directors or other departments.

It also provides the essential context data to prioritize the most critical attacks and continuously update your protection measures. It’s the information that allows you to detect incidents earlier and investigate them to understand the scope — and, possibly, the intentions of the attackers.

Here are three questions to ask before starting your program:

  1. Is there room in the budget?This might sound like a no-brainer, but it’s easily forgotten. A cyberthreat intelligence program will almost always be a cost center. You can measure its performance, but (unless you’re in the business of selling the threat data) it’s not going to generate additional revenue. Don’t forget that besides the cost of the initial startup of the program, capital expenditure (CAPEX), you will need to budget for the operational expense (OPEX). Tooling, subscriptions and the like will not be the biggest chunk of the budget, however. The center of a strong program is personnel.
  2. Are the essential IT processes already developed? It doesn’t make sense to spend time on providing threat intelligence information to other IT departments if they are not able to act on the information. Having intelligence without a follow-up action is about as valuable as not having intelligence at all. Being able to increase protection measures quickly, evaluate vulnerabilities and apply the relevant patches — or search for signs of an intrusion — are just some of the processes that need to be already in place.
  3. Is there access to system, network or application data?A lot of the data that is needed to verify threat intelligence information already resides in your network. Data from firewalls, proxy servers, domain name system (DNS) logs, intrusion prevention and detection events, application logs, antivirus systems and other security controls give you valuable information about what’s going on inside your network. Focusing on the outside threat feeds and threat data — and then not being able to validate this with internal information — is not efficient and will probably cause frustration.

Every cyberthreat intelligence program should include both operational and strategic components. A robust operational component will give you the ability to identify incidents; contribute to the investigation of incidents; and tune the protection and detection controls. A strong strategic component will help you build relationships with other communities and organizations, including information sharing and analysis centers (ISACs); other threat-sharing communities; and vendors and providers of restricted information sources (i.e., sources that provide non-public information for your specific equipment or sector).

The strategic component will identify new trends, evolving threats, emerging technologies and new standards. It will also provide you the necessary information to be able to do adversary attribution, identify attack campaigns and understand the attacker tools. It will also offer architecture recommendations toward your IT department.

Build Your Team
There’s a chicken-and-egg problem: You need a team to run the tools and gather the data. You need tools and data to support your team.

Good threat intelligence analysts can overcome this problem by starting with only a few sources, automating the process and then expanding the number of sources. Start with building the team, which will not happen overnight. In most cases, the team will grow organically. Some teams will not have full-time members — and they may only be able to spend part of their time on threat intelligence.

Find people with different backgrounds, preferably with demonstrated skills in security operations and analytic mindsets. Technical expertise relevant to your equipment and some hands-on experience is essential. Your team members will need to be able to talk to different audiences and write concise, understandable reports. Executive communication skills and excellent writing skills will be necessary.

Find Your Data Sources
Identify the data sources that define your threat landscape; document how these sources will be used; and assign roles and responsibilities within the team for collecting, assessing and distributing the information. Your organization’s internal information can be one of the most valuable threat data feeds to analyze (via threat hunting).

After all, the best source of intelligence is still your own data. Identify a limited set of sources for which you get regular, complete and valuable data and that are most useful for your organization. DNS logs, proxy logs and endpoint anti-malware event data can comprise a treasure cave of information, for example.

Searching for anomalies without a starting point will be difficult. You need to be able to gather malicious domain names, file hashes and other indicators of compromise. You can receive this data by consuming the information that comes from threat intelligence sharing platforms or by actively participating in threat-sharing groups. You can then use the collected information to identify attacks targeting your network quickly. Additionally, this information will help with composing internal threat information reports.

Measure Your Success
When you start your program, you have to define the stakeholders and goals. There should be a good understanding of reports: What is the frequency of the reports? Who receives them? Who should act on them? Who will provide feedback and input?

Measuring success is difficult without describing key performance indicators (KPIs). Make sure these are relevant to your organization and your team. How many intelligence reports has your team produced? What was the feedback from intelligence consumers? Make sure your intelligence reports include a feedback cycle so you can measure the satisfaction of your stakeholders.

Don’t be afraid also to include some easy-win metrics. You can list the number of indicators seen in your network or the number of attacks stopped because of an update of protection measures based on threat data. Of course, metrics can be dependent on the expectations of your stakeholders.

You can also measure the success of the program by looking at the maturity. The lowest level of maturity is a team without a plan and no time reserved to spend on threat intelligence. Increased maturity is having a small number of IT staff spending a limited amount of time per week on threat intelligence. Maturity can then further increase by having more staff spending more time on threat intelligence. A team with medium-level maturity will have dedicated staff members for threat intelligence, whereas a mature team has different dedicated staff members and a team leader for threat intelligence.

Five Helpful Tips for Your Cyberthreat Intelligence Program

  1. Understand your business or sector. Threat intelligence that isn’t relevant to your business, sector or environment is going to drain your resources without providing lots of valuable return.
  2. Define your focus and priorities at the beginning of the program. Covering everything is impossible. Don’t get buried by the information. There is always more information to gather — and you cannot simply consume it all.
  3. Remember that a threat intelligence program is an ongoing (and repeating) process. Be prepared to include feedback loops and ensure service improvements.
  4. Prepare to automate things. If you only rely on the manual processing and dissemination of information, then your cyberthreat intelligence program will not grow easily. Your ability to ingest data and act upon it in an automated fashion will greatly increase the success of the program.
  5. Put a basic data classificationprocess in place. This will enable you to consult other departments if you are allowed to share information outside your organization. Implementing something like traffic light protocol, which is explained in detail by the Computer Emergency Readiness Team, can ensure that sensitive information is only shared with the appropriate audience.

Starting with a cyberthreat intelligence program isn’t hard if you make the time to plan. Make sure you hook up to an existing threat intelligence sharing community and learn from their experience when starting your own program.

STATA

Export tabulation results to Excel—Update

It’s summer time, which means we have interns working at StataCorp again. Our newest intern, Chris Hassell, was tasked with updating my community-contributed command tab2xl with most of the suggestions that blog readers left in the comments. Chris updated tab2xl and wrote tab2docx, which writes a tabulation table to a Word file using the putdocx command.

To install or update your tab2xl command, type

. net install http://www.stata.com/users/kcrow/tab2xl, replace

To install the new tab2docx command, type

. net install http://www.stata.com/users/kcrow/tab2docx

tab2xl now allows weights, if, in, formatting of the cells, and two-way tabulations. Once installed, you can type

. sysuse auto, clear(1978 Automobile Data) . tab2xl rep78 foreign in 1/50 [fweight=mpg] using testfile, col(1) row(1)file testfile.xlsx saved

to produce

To write the table to a Word document, you must first open a .docx file using the command putdocx begin, type your tab2docx command to append the table to your file, and then save the document using putdocx save filename. For example, typing

. sysuse auto, clear(1978 Automobile Data) . putdocx begin . tab2docx rep78 in 1/50 [fweight=mpg] . putdocx save testfile.docx

will produce

Chris did an excellent job updating tab2xl and coding tab2docx, making it easier for you to create tables for inclusion in a Word file.

Empower Identity-Driven Security by Automating Incident Response

Empower Identity-Driven Security by Automating Incident Response

Security attacks can happen in an instant. Nearly a third of people who receive a phishing email open it, according to Verizon’s Data Breach Investigations Report; and on average, these unsuspecting users click on its malicious link or attachment within a couple of minutes of receiving it. Just like that, in less than five minutes, your network, apps, data, and users can go from safe to compromised.

To stop a breach in progress before intruders get a chance to wreak havoc, security response needs to move more quickly than humans can react. Since four out of five successful breaches—as in the phishing example above—involve stolen or compromised credentials, identity management is now critical for an effective security strategy. Identity-driven security can advance your security posture by providing robust prevention and detection tools as well as enabling real-time response.

The instantaneous incident response required by today’s threat landscape is only possible in a security environment built to support it, this includes:

  • Prevention: secure your credentials by implementing strong authentication and centralized identity.
  • Detection: offer powerful visibility into user activity across environments, to spot suspicious behavior and trigger alerts.
  • Response: provide instantaneous and policy-driven actions to appropriately and effectively resolve the situation.

Okta elevates your security posture across all three areas. It provides strong authorization and centralized identity with Multi-Factor Authentication (MFA) and Single-Sign-On (SSO), to facilitate a zero trust framework. Okta also provides valuable data on suspicious activity, like excessive failed log-ins or denied MFA push notifications, via our Syslog API. Through tight integrations across leadings SIEMs or CASBs, Okta provides rich identity context to help detect as well as accelerate, or even automate, your response through step-up authentication, suspension of a user account, or another action.

This real-time response can happen in a couple of ways. It can be an automated response (where possible and appropriate), with the security tool and Okta communicating directly to generate quick corrective action. Alternatively, an alert can be routed to a security analyst to make an informed enforcement decision. Pre-built integrations with analytics engines like Splunk, workflow orchestration tools like ServiceNow, security platforms like Palo Alto Networks, CASBs like Skyhigh Networks, and thousands of other security partners allow Okta to give your security analysts the intel and tools they need to keep your enterprise safe.

Okta’s identity-driven security, fueled by the industry’s broadest and deepest integration network, offers a powerful, complete solution to effectively address security threats. With attacks happening quickly and more frequently, it’s impossible to manually safeguard your environment alone. Only a sophisticated identity solution like Okta, integrated across your security infrastructure, provides the robust prevention, reliable detection, and automated response you need to keep your enterprise safe.

For more, read our whitepaper about automating incident security response, or read our post about how to evaluate your security team’s readiness for cloud-based incident response.

Achieving Data Security through a Managed File Transfer Solution

Organizations rely on the secure storage, transfer, and accessibility of their data. The negative effects of a data breach or lagging, unreliable network can cause a domino effect across every line of business in an organization. When this happens, business comes to a standstill while IT attempts to remedy the problem – which is why organizations seek out managed file transfer (MFT) solutions for a wide range of data management issues.

Data security and productivity measures are far more successful and effective when they are preemptive, which is why MFT solutions are an effective data management tool for many IT managers, especially those in heavily regulated industries such as healthcare and financial services.

Maintaining security and compliance go hand in hand. While not every compliance measure is related to a security standard, there are still many compliance mandates that work well with keeping a network secure. MFT solutions have real-time monitoring and validation security policies and controls to answer to compliance standards for handling sensitive data. Some of the standards mandated by HIPAA, HITECH, SOX and PCI contribute to security with the following standards:

  • Protect data in transit or at rest
  • Track and audit user activity and file movement
  • Meet requirements for data wiping and sanitization
  • Monitor and alert in real-time on potential violations of security standards
  • Capture compensating controls and generate reports on compliance status

Data is the life-blood of your business and ensuring that it moves efficiently and securely (both in and outside of your organization) is critical. Yet, for something so important, many organizations are littered with non-compliant and rogue data exchange solutions, making their network ripe for security breaches and failed data transactions. The use of unsanctioned devices and applications, known as shadow IT, causes a wide range of problems for organizations, including insecure data transmission and lack of visibility and control, putting your business data at risk.

The security capabilities of a MFT solution extend beyond the process of moving or storing data. A MFT solution supports overall network security:

  • Operational visibility helps IT managers see problems before they happen
  • Automation improves efficiency and saves time, eliminating the need for manual processes, which indirectly improves security because IT professionals can redirect their efforts
  • Compliance standards bring an additional layer of security by regulating the security policies and practices that ensures that organizations are handling sensitive data securely
  • User-friendly ad hoc capabilities ensure that shadow IT practices aren’t being used to skirt IT policies

If data security and management are a key concern for your organization, contact us to learn more about how Globalscape’s MFT offering can help you achieve your data security and management requirements.