That’s a nice new Linux server you got there… it would be a shame if something were to happen to it. It might run okay out of the box, but before you put it in production, there are 10 steps you need to take to make sure it’s configured securely. The details of these steps may vary from distribution to distribution, but conceptually they apply to any flavor of Linux. By checking these steps off on new servers, you can ensure that they have at least basic protection against the most common attacks.
Are you filing your taxes online this year? As e-filing and internet connected tax software becomes more and more standard, the security of the sites accepting your sensitive information becomes more and more important. You've probably heard about some of the various data breaches facing the tax industry, including one of the IRS in May of 2015, potentially exposing hundreds of thousands of tax records. UpGuard's external risk grader measures the security of a company's internet presence. We ran ten tax-related websites through to see how they stacked up and the results are interesting. Perhaps most interesting of all, IRS.gov received a rare perfect score of 950 out of 950. Tax software websites such as TaxSlayer fared well too. But as we'll see, the external information is just the tip of the iceberg.
There's no arguing that internet retailers have it tough these days: web server vulnerabilities, expiring SSL certificates, PCI DSS compliance, and a host of other issues keep the most vigilant of etailers on their toes—all this, mind you, against a harsh backdrop of increasing cyber threats. Even still, a handful manage to slip up when it comes to the most basic security measures, putting both their infrastructures and the data security of customers at risk. The following is a list of 11 online retailers who should know better.
People commonly use the phrase “security through obscurity” to refer to the idea that if something is “hidden” or difficult to find, it becomes more secure by virtue of other people not knowing it’s even there to be exploited. But in reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in. This is why visibility, rather than obscurity, increases security. Our website risk grader provides people with an easy way to view a website's security rating by offering visibility into their internet-facing footprint. This also allows businesses to monitor their own improvement over time.
Another regular season is underway as teams—fresh from spring training—dive head first into a sea of possibilities: will the Cubs win a World Series this year? How about those Mariners? Who will be this year's Hall of Famers? For fans, another question is increasingly becoming the subject of bar room chatter: which team will be hacked this season?
Your medical records live in a database or file system on servers somewhere, on someone’s network, with someone’s security protecting them. A recent PBS article about cyber security in the healthcare industry reports that over 113 million medical records were compromised in 2015. Medical records, perhaps even more than financial data, are the epitome of sensitive, private data, yet the healthcare industry has reported breach after breach, with over a dozen separate breaches already logged in March of this year.
When it comes to Flash, the only thing you hear more about than its ubiquity are its problems. Despite denunciations from some of technology’s biggest names, Adobe’s Flash player still seems to be everywhere. For almost ten years now, people have been dealing with the security warnings, critical updates and browser incompatibilities for which Flash is infamous. Yet even now, 0-day exploits of Flash’s seemingly unending vulnerabilities threaten users as third-party Flash ads on otherwise trusted websites are used to breach security.
In the last few years, sports betting websites like DraftKings and FanDuel have exploded in popularity and controversy. Anyone who watched last year’s NFL season shouldn’t be surprised that those two sites alone spent over $200M on national television advertising in 2015, amounting to around 60,000 commercials. At the same time, betting sites have been in the news due to their questionable legality and the lawsuits being brought against them from various parties. With March Madness in full effect, people are turning to online gambling sites to place their bets. Aside from the increasing legal resistance these companies face, should users be concerned about the security of sharing their information with these sites? As it turns out, it depends on the site.
Cyber attackers are, above all else, opportunists—malware and viruses require time and resources to develop and are therefore created with the greatest returns in mind. In terms of operating systems, Windows typically gets a bad rap for security—the price of popularity, as it were. But as other OS platforms have whittled down Windows' market share in recent years, cyber attackers have had an increasingly broad playing field for exploitation.
If you're one of its 140 million cardholders around the globe, American Express wants you to know that your data is safe. The data breach recently announced by the U.S.' second largest credit card network reportedly involved a partner merchant and not Amex itself. However, if you're one of the customers whose credit card and personal information was stolen, the difference is negligible.
The usability of software is usually defined in relation to the efficiency with which people can manipulate it. Is it time-saving, intuitive, likable? But often overlooked is how usability indirectly affects security, especially when dealing with enterprise software. The basic thesis is this: an application that's easier to use, easier to configure and manage both initially and over time, will also be more resilient than an application that's difficult or frustrating, even if the two have identical feature sets. This is because in practice, software is rarely, if ever, used in an ideal fashion.
First circulated in 2009, the CIS Critical Controls are used by both the U.S. and U.K. governments as the preeminent framework for securing critical infrastructures. Consisting of 20 security controls that cover areas from malware defense to incident response and management, the CIS Critical Controls offers a prioritized set of security measures for assessing and improving a firm's security posture. Though not a cybersecurity panacea, the controls help to address the vast majority of security issues faced by organizations today.
Amazon.com suffered a glitch today leaving its website inaccessible for approximately 13 minutes. Seem like a paltry number? Only if these lost minutes aren't translated to sales revenue losses. And while outages with the company's AWS cloud computing offering are not uncommon, Amazon's online retail division—as well as all retailers that transact online—have much at stake literally every minute their websites stay up—or go down.
According to the recently released 2016 Data Breach Investigations Report (DBIR) digest, produced annually by Verizon to help educate the industry, companies spent hundreds of billions of dollars last year as a result of cybersecurity incidents.
Chances are you’ve browsed to an online IT community looking for information about a technology. But taking full advantage of them means understanding how they work and what they can do for you. Interaction with a tech community usually happens for one of three reasons:
The high likelihood of falling victim to security compromises has led firms to adopt more digitally resilient strategies. Unfortunately, these measures do not address the ominous threat of natural disasters looming on the horizon. A myriad of business continuity solutions exist to mitigate the effects of natural disaster-induced downtime, but there's no telling at the end of the day how digitally-dependent organizations will fare when catastrophic events of unprecedented proportions occur.
RSA 2016 is underway with the tagline "Where The World Talks Security," but for the most part it’s just that—a lot of talk. Attendees, speakers and vendors have come from all over the world to share insight and new products with their security-minded peers, and there will certainly be a few novel takeaways as in years past, but who is serious about security and who is just putting on a show for potential clients and investors?
On February 28th 2016, “grey-hat security research group” TeaMp0isoN breached Time Warner Cable’s Business Class customer support portal with a SQL injection attack, defacing the site and snatching a database dump with more than 4,000 records including usernames, email addresses and (encrypted) passwords.
The Sony Pictures hack is turning out to be quite an intricate saga of misdeeds. From the tools and methods used to the ever-expanding sphere of destruction attributed to the Lazarus Group, ongoing forensics are shedding light on strikingly similar advanced persistent threat (APT) campaigns targeted at various other media, finance, and manufacturing firms around the global. And while the sophistication of the attackers' tooling and methods is certainly to be reckoned with, the apparent emergence of DevOps-like enablement in the digital underworld is arguably greater cause for concern.
Fortune recently published an article listing the airlines with the best in-flight wifi service. Coming in at the top of the list with the most onboard wifi connections globally were 3 American carriers: Delta, United, and American Airlines, respectively. But what defines best? Security is clearly not part of the equation, as one journalist famously discovered last week on a domestic American Airlines flight. But then again, if we're talking about wifi and commercial aircraft, all airlines get a failing grade.
We've all heard the saying: hindsight is 20/20. This applies to many scenarios but is seldom the case when it comes to IT security: most organizations develop shortsightedness when it comes to data breaches—even those that may be happening right under their noses. Like a vehicle's side and rearview mirrors, retrospective security improves visibility by eliminating blind spots using past trends and historical data.
Buffer overflowing—or the stuffing of more data into a block of memory than allocated—has been one of the more common security vulnerabilities to be exploited in recent years. Last week Google and RedHat security researchers discovered a particularly distressing buffer overflow vulnerability in one of the key underpinnings of the internet: the glibc DNS bug. And while the glibc team has provided a fix for most Linux distros, it's questionable whether the flaw can be eradicated any time soon, especially given the ubiquity of Linux systems and the GNU Project's implementation of the C standard library.
As the digital economy has matured, so has the recognition that cyber risk cannot be eliminated; it must be managed. Insurance is the mechanism by which we distribute risk so that rare but catastrophic events don't ruin the unfortunate person (or company) that they happen to. Accurately pricing cyber insurance, however, is still in its infancy. Comparing the methods for assessing cyber risk to those used in property and casualty insurance points the way forward for better methodologies.
The answer is simple: because it's highly profitable. Credit card numbers are still the best we've got for transacting digitally and health records are 10 times more valuable on the black market. And despite efforts from the infosec community at large, cybercrime continues to increase in frequency and severity. The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
With the rate of data breaches increasing along with the complexity of modern IT infrastructures, the cyber insurance industry has been experiencing significant growing pains. Cyber risk determination had historically been done with employee surveys or contextual information about industries at larger. Without reliable data on an organization’s actual working state, many insurers came to realize there was no way to formulate a fair and accurate cyber insurance policy, especially for more complex and ever-changing IT environments.
From day one at UpGuard, we have been all about visibility. Before you can automate, validate desired or detect unwanted changes, you must first know what your infrastructure looks like; you must have a starting spot. We take the same approach to assessing cyber risk.
For as much as "cyber risk" sounds like a 1990's board game involving robots, cyber risk is actually serious business—in fact, it is continually becoming more important as organizations old and new find themselves relying on a variety of connected technologies and services. And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation. So what is cyber risk, and what can be done about it?
In what is being described as a landmark case, Nevada-based casino operator Affinity Gaming is suing cybersecurity firm Trustwave for inadequately investigating and containing a 2014 data breach. The lawsuit not only marks the first time a security firm is sued over post-breach remediation efforts—it also highlights the complexities around managing cyber risk for high risk organizations in today's threat landscape.
As the saying goes, there are two certainties in life: death and taxes. As we all look ahead to 2016, it’s clear that a third certainty has entered the mix: breaches.
Call it an experiment gone wrong: a bug in a test feature of the OpenSSH client was found to be highly vulnerable to exploitation today, potentially leaking cryptographic keys to malicious attackers. First discovered and announced by the Qualys Security Team, the vulnerability affects OpenSSH versions 5.4 through 7.1. Here's what you need to know about bug, including remediation tips.
One of our main objectives is to explain the costs of unplanned outages and help you prevent them from ever occurring in the first place. It's never merely time and money lost—customer trust and your reputation take hits, too. We've written many articles about it and work with companies on improving their service reliability every day.
Yes, it's that time of the year again. Time for global electronics vendors and eager enthusiasts from far and wide to converge at the world's largest annual consumer electronics/technology tradeshow. CES 2016 is in full swing, and IoT innovations have unsurprisingly taken center stage once again. Of course, who can forget the debut of Samsung "Smart" Fridge at last year's show, followed by the publicized hacking of the device soon thereafter. Judging by this year's exhibitor turnout, consumers can expect to see more hacked IoT devices making headlines in 2016. The following are the top 7 hackable IoT devices to watch out for at CES this year.
The election year is officially underway, but for non-voters and the apathetic—another reason not to register to vote has surfaced: on December 20th, 2015, a security researcher discovered a publicly exposed database of 191 million voter registrant records—names, addresses, dates of birth, phone numbers, party affiliations, state voter IDs, and more—posted online and freely accessible.
2015 may have come and gone, but the effects of last year's data breaches are far-reaching—for both millions of consumers and internet users as well as the companies and organizations whose systems were breached. Such events are no less devastating in terms of brand damage, and 2016 will undoubtedly bring forth a heightened collective security awareness in both organizations as well as consumers.
The figures are staggering: 21.5 million records containing social security numbers, names, places of birth, addresses, fingerprints, and other highly sensitive personal data—stolen by cyber attackers.
It's been barely a month since the VTech data breach resulted in the theft of over 6.4 million children's records, and yet another massive compromise affecting kids' data privacy is upon us—this time involving venerable children's toy and accessory brand Sanrio (of Hello Kitty fame). The data leak resulted in the exposure of details from more than 3 million user accounts: first/last names, birth dates, genders, countries, and email addresses, all openly available to the public. With children becoming prime targets for cyber criminals seeking low hanging fruit, companies that deal with and manage minors' data are increasingly under pressure to bolster their security controls and practices.
Last week was a busy one for leading network and security appliance manufacturers FireEye and Juniper Networks. Critical flaws were discovered in hardware products from both vendors, bringing the distressing but unavoidable question to the forefront once again: what recourse is there when the very security mechanisms in place to protect our data assets are themselves highly flawed?
As you may recall, earlier last month HP completed its division into two parts: an enterprise focused products/services entity—HP Enterprise (HPE)—and a personal computing/printing firm known as HP, Inc. CEO Meg Whitman gave a nod to DevOps-enabled organizations such as Vimeo and Uber at the initial announcement of the split half a year ago at HP’s Discover conference, presumably setting the course for a newly DevOps-focused HPE in helping companies scale ideas to valuation. How does an IT giant go about transforming itself from an aged enterprise monolith to an agile, open, service-oriented solutions provider for today's business IT environments?
There can be absolutely no question anymore that DevOps isn't just a fad—it's here to stay, it's a big deal, and it's coming to the enterprise. Speakers from relatively new companies like SurveyMonkey and Docker took the stage at the 2015 DevOps Enterprise Summit in San Francisco alongside old standards like IBM and General Electric to prove that the transition to a DevOps culture in established enterprises is not only possible, but probably inevitable.
What's the difference? The former offers no legal recourse, at least for now. Just in case you've been de-sensitized by the recent ongoing barrage of security compromises, the latest data breach involving electronics and educational toy manufacturer VTech is sure to instill new fear in the hearts of parental consumers, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.
Methodologies and frameworks may come and go, but at the end of the day—tools are what make the IT world go 'round. DevOps is no exception: as the term/practice/movement/[insert-your-descriptor-here] rounds its 6th year since entering public IT vernacular, a bounty of so-called DevOps tools have emerged for bridging development and operations, ostensibly to maximize collaborative efficiencies in the IT and service delivery lifecycle. Subsequently, a common issue these days is not a dearth of competent tools, but how to integrate available tooling into one cohesive toolchain.
Polylithic, vendor-neutral, platform agnostic. Microsoft may not exactly come to mind when hearing these descriptors, but it will soon enough—if recent developments are any indication. And despite the software behemoth's DevOps zeitgeist purveyance as of late, open source initiatives have always been alive and well inside Redmond’s hallowed walls.
At the start of the year, the FBI issued an alert warning internet users about the rising threat of ransomware, detailing its dramatic increase in both frequency and sophistication. Looks like the feds were on point: as it stands, 2015 has turned out to be a record year for data hostage-taking. So what can be done to defend oneself against this new insidious threat to data sovereignty?
There's a classic line (one out of many) in the movie Casino by DeNiro's character Ace Rothstein: "Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all.”
By now, you've probably heard of software-defined networking (SDN): the emerging IT paradigm that abstracts networking hardware into programmable components for unprecedented data center agility and flexibility. In the same vein, parallel infosec developments currently underway are transforming rigid and complex physical security architectures into highly-adaptable, easily-managed, and ubiquitous mechanisms for IT security. This is software-defined security (SDSec)—a new model of infosec that just might save us from digital armageddon.
Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting providing 000webhost transpire? In a word, negligence. Gross negligence, to be precise.
UpGuard's platform for integrity monitoring can exorcise your vulnerability demons automatically and painlessly. Try it on us this Halloween-- no money, crucifixes, holy water, wooden stakes or garlic cloves required.
The Network Time Protocol (NTP) has been seeing quite a bit of publicity this year, starting with the NTP Leap Second Bug in June promising—but greatly under delivering—digital calamity of Y2K proportions. Ultimately, the fallout resulted in little more than sporadic Twitter interruptions, but last week newly discovered critical vulnerabilities in the timeworn clock synchronization protocol have increased the urgency of recent NTP-hardening projects like NTPSec.
It's practically a national tradition that Americans collectively spend about one year out of every four obsessing over the group of people who are in the running for a job which is undoubtedly awful to actually have. Every part of their campaign is put under heavy scrutiny—their clothes, their hair, their past, their associations—and today, their websites. Let's examine how candidates are fairing online using data from tools such as BuiltWith, Alexa, Google and Twitter.
Known vulnerability assessment– evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable– is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according the Verizon Data Breach Investigation Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?
UpGuard's core functionality solves a really basic problem– how is everything configured and is it all the same across like nodes– by scanning configuration state and visualizing anomalies. We're pretty happy with how we've solved that problem so we've started expanding to other fundamental problems that deserve elegant solutions. One of those is vulnerability management. Sure, there are ways to detect vulnerabilities today, but they suck to use and are over-priced. Since we have the core architecture in place to scan and evaluate machine state, testing for vulnerabilities is a natural addition.
Though the widely publicized failure of the ObamaCare website (a.k.a Healthcare.gov) back in October of 2013 has all but faded from memory, the public sector’s persistent lag in technological innovation coupled with recent calamitous data breaches means there is no shortage of press fodder for critics. What will it take for the U.S. government to transcend its current dearth of agility and innovation?
The banking and finance sector has been hit particularly hard by cyber attackers this year—the month so far has seen disclosures from Scottrade, E-Trade, and Dow Jones regarding customer data breaches. It’s become readily apparent that industries dealing in the world’s most sensitive and critical data are poorly poised to defend against the rising threat of cyber crime.
Researchers at Trend Micro have discovered a new zero-day vulnerability in the much-maligned Adobe Flash Player that leaves users vulnerable to remote attacks. The exploit code is being used by the politically-motivated cyberespionage group Pawn Storm in a widespread spear phishing campaign targeted at various government entities. Adobe has yet to patch this vulnerability and will likely issue an emergency fix in the next couple days. Here's what can be done in the interim to protect yourself.
By now, news of the Experian/T-Mobile hack has traveled far and wide, stirring up public ire and prompting demands for a broader investigation around the data breach. And while the event is just one of many high profile compromises to make headlines lately, it stands out from the rest for a number of reasons. How does the rising tide of cyber threats impact consumers in a world that revolves so heavily around credit?
Microsoft announced on Tuesday that a serious remote code execution flaw in Internet Explorer could allow remote attackers to gain access to Windows systems. Unfortunately, no versions of Windows are spared from this critical flaw, and users are highly recommended to patch their systems immediately to avoid being exploited.
Frequent fliers and international travelers are well familiar with these seatback devices (i.e., in-flight entertainment consoles) that serve as the only connection to the outside world while cruising at 30,000 feet. Soon, however, wifi on commercial flights will be generally available, rendering these devices obsolete—at least to the average laptop-toting flyer. This raises a series of concerns around their future obsolescence and resulting security gaps, as well as the potentially grave consequences of compromised wifi networks on planes.
The insurance industry has been consistently targeted for cyber attacks as of late, for good reason: sensitive data is at the heart of every process—from handling health insurance claims to archiving medical histories. And because medical records are worth ten times more than credit card information on the black market, firms handling said data are required to take extra precautions in bolstering information security. However, every once in a while hackers are granted freebies—as was the case recently with Systema Software, a small insurance claims management solution provider.
Done wrong, as they often are, company values are bullshit. They are bullshit in the sense Harry Frankfurt defines in On Bullshit: empty assertions designed only to satisfy some tactical need, worse even than lies in their distance from the truth. "When an honest man speaks, he says only what he believes to be true; and for the liar, it is correspondingly indispensable that he considers his statements to be false. For the bullshitter, however, all these bets are off: he is neither on the side of the true nor on the side of the false. His eye is not on the facts at all, as the eyes of the honest man and of the liar are, except insofar as they may be pertinent to his interest in getting away with what he says."
Integration capabilities these days serve as a litmus test for a software solution’s longevity: the degree to which it can play well with others ultimately determines how much long-term value can be realized from the platform. Monolithic solutions are falling to the wayside as enterprise complexity—both from a business and IT infrastructure perspective—requires an ecosystem of complementary tools to effectively manage today’s environments.
Though still a relatively new player on the market, group messaging upstart Slack has steadily expanded its footprint into the business and enterprise arena with its polished, streamlined offering for team collaboration. For the uninitiated, Slack is essentially a tool for collaborating amongst teams—chat rooms on steroids, if you will. And like UpGuard, Slack’s integration capabilities are among its most lauded features. When used in conjunction with each other, the two together can give organizations a highly effective feedback loop for staying on top of system/configuration changes and vulnerabilities.
Technology professionals walk a perpetual tight rope between innovation and security—new computing paradigms emerge and IT security scrambles behind to catch up. Nowhere is this more evident than in cloud computing and the rising frequency of data breaches targeting cloud infrastructures. And as computing enters another transitional epoch—namely the age of the Internet of Things (IoT)—similar challenges are emerging, but with much more at stake this time around.
A rising concern amongst IT professionals is the degree to which security vendors and products are themselves susceptible to compromises. This past weekend critical flaws were discovered in the products of not one, but two leading security vendors: FireEye and Kaspersky Labs. Because all systems are exploitable—even security products—a layered approach to security is crucial for maintaining a strong security posture in today’s cyber landscape. Enterprises heavily reliant on a single monolithic solution are best advised to diversify their security strategies to combat ongoing threats.
For those still holding out for a better alternative to SSL, it’s time to give up the ghost. Though implementations like OpenSSL have seen many a vulnerability as of late, the protocol remains the best ubiquitous technology we have for end-to-end encryption. And with Google’s announcement last year regarding SSL’s impact on a website’s search rankings, the question stands: why are so many organizations still holding out on implementing SSL site-wide?
From rudimentary topologies to multi-cloud deployments, UpGuard was designed to provide end-to-end visibility for all types of infrastructures. Our platform gives organizations unprecedented macro and micro-level visibility in even the most complex and heterogeneous IT environments. And now—with UpGuard’s powerful new Search feature—identifying and locating items of interest or concern is as easy as typing text into a search box.
In a news flash buried beneath a slew of other notable security news items, UCLA Health revealed last week it was the victim of a massive data breach that left 4.5 million patient records compromised. Like previous attacks on Anthem and Premera Blue Cross, the intrusion gave hackers access to highly sensitive information: patient names, addresses, date of births, social security numbers, medical conditions, and more. And while matters around healthcare IT have taken center stage as of late, the ineffective security at leading institutions of higher education and research is equally distressing.
For those of you harboring secrets behind a website paywall, a word of warning: your skeletons are now easy targets for cyber criminals and nefarious 3rd parties around the globe. The recent data breach and compromise of 3.5 million Ashley Madison user accounts may turn out to be largest case of broad-scale extortion the world has ever seen, but for many—the outcome is hardly surprising.
Oracle released a critical patch on Tuesday to fix a whopping 193 new security vulnerabilities across its line of database solutions and products. Included in the update are fixes to 25 vulnerabilities in the Java platform alone, including a new high-risk, zero-day vulnerability already used in several high-profile, yet-to-be publicized attacks.
The OpenSSL Project Team announced a high severity bug in their open source implementation of SSL today that could allow the bypassing of checks on untrusted certificates (read: man-in-the-middle attacks). Find out which versions of OpenSSL are impacted, and what you need to patch this critical vulnerability.
For those of you planning on enjoying the sunset on June 30, 2015—an extra second of bliss awaits, compliments of the Earth’s inconsistent wobble. However, if Y2K sent you running for the hills, start packing again. Analysts predict technological fallout ranging from undeliverable tweets to outright digital armageddon, but for faithful IT folks with more grounded concerns like SLAs and business continuity, keeping critical systems up and running trump all other concerns. Fortunately, resolving potential issues related to the Leap Second Bug is a fairly straightforward matter—as long as you know what to look for and where to find it.
Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair—a key tenet of DevOps culture.
Networking giant Cisco recently released its Annual Security Report highlighting trends in data breaches and threats from the previous year, and its findings—while similar to other recent reports (e.g., Verizon DBIR, Trend Micro Security Roundup)—offer some unique insights regarding the current threat landscape. No stranger to IT security, Cisco details in its report shifting patterns in cyberattack methods, emerging vulnerabilities, and best practices on how to mitigate future threats.
Sports is big business, and where money and competition collide—laws will be broken. This aptly describes the latest hack involving the St. Louis Cardinals and Houston Astros, though admittedly—it sounds more like a teaser for a Hollywood blockbuster. Corporate espionage in sports has largely been a nascent phenomenon but will soon become commonplace as intrusion methods grow in sophistication and data moves into the cloud.
The short answer: it’s not. This was certainly the case for Kaspersky Labs, who announced yesterday that its corporate networks were hacked using a sophisticated advanced persistent threat (APT) dubbed Duqu 2.0. Though the word “sophisticated” is used rather liberally these days when describing data breaches, this new threat is by all accounts the most advanced of its kind.
The question is indeed a contentious one, never failing to incite heated arguments from all camps. Many ways exist to cut the cake in this regard—WhiteHat Security took a stab at it in a recent edition of its Website Security Statistics Report, where it analyzed statistics around web programming languages and their comparative strengths in security.
When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right— you have to roll your own. This is especially true in today’s environments, where infrastructures can vary widely in composition from organization to organization. The truth is that factors such as degree of DevOps and Agile adoption, skill set of IT staff, corporate culture, and even line of business come into play when crafting a security solution for an organization. How well these tools align with the organization ultimately dictate the success and failure of a company’s security architecture. And when existing tools don’t fit or don’t work well, sometimes the only option is to build them yourself.
Databases—like all IT assets—are subject to drift that can wreak serious havoc across an organization’s infrastructure. Furthermore, the usual suspects are in play when it comes to database drift: manual ad-hoc changes, frequent software updates/patches, and general entropy, among others. Undetected malicious activity and attempts to compromise database security are also growing causes of database configuration drift. Monitoring for these unexpected changes should therefore be a critical component of any information-driven organization’s configuration management (CM) activities. To this end, UpGuard is happy to announce that support for database node types is now available.
Home Depot. Target. Neiman Marcus. Albertsons. Michaels. Most Americans have shopped at one of these national chains recently. If you’re one of them, your credit card information may already be on the black market. And if you’re a retailer using a POS system, proposed legislation like the The Consumer Privacy Protection Act may hold you financially accountable in the event of a data breach. Here’s the skinny on RAM scraping, and what can be done to prevent it.
Every year, Verizon compiles data from a list of prominent contributors for its annual report highlighting trends and statistics around data breaches and intrusions from the past year. The 70-page Data Breach Investigations Report (DBIR) covers a myriad of data points related to victim demographics, breach trends, attack types, and more. Reviewing these shifting security trends can give indications as to how well-postured one’s organization is against future threats. And just in case you’ve got your hands full patching server vulnerabilities, we’ve done the legwork of expanding on a few critical key points from the report.
Today, a new vulnerability called VENOM was announced in CVE-2015-3456. It stands for “Virtualized Environment Neglected Operations Manipulation” which sounds, frankly, like an indictment of anyone aloof enough to let it sneak up on them. And wading through other blog posts on the subject—with their snake-related clipart and all—is like looking through the first few pages of the book when you visit a tattoo shop. Here’s the gist from its discoverers at CrowdStrike:
The Ponemon Institute just released some unsurprisingly bleak findings in its annual study on healthcare data privacy/security, including data showing deliberate criminal attacks now accounting for most medical data breaches. The report goes on to illustrate how the healthcare industry— sitting on a treasure trove of valuable data— is ill-equipped to counter these attacks. Perhaps forward-thinking enterprise healthcare leaders should start considering DevSecOps as a viable strategy for surviving the perils of the information age.
Technology giant Lenovo has come under heavy criticism again for subjecting users to undue security risks– this time in the form of three vulnerabilities discovered by researchers at security firm IOActive. Flaws in Lenovo's System Update service– a feature that enables users to download updated drivers, software, and security patches from Lenovo-- enables hackers to surreptitiously slip malware onto user’s laptops and systems through a man-in-the-middle attack. Lenovo has since issued a patch for these vulnerabilities, but it’s doubtful the PC giant will regain consumer credibility any time soon.
Yesterday, open source content management system (CMS) WordPress made headlines with the announcement of yet another critical zero day vulnerability. The newly discovered flaw is markedly different than other WordPress vulnerabilities surfacing as of late― in this case, the problem exists in WordPress’ core engine and codebase, rather than 3rd party plugins and extensions. WordPress.org was quick to release a patch to fix the vulnerability and has since advised users to upgrade to WordPress 4.2.1, the latest version of the CMS.
In a widely publicized report released last week titled "FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen," the US Government Accountability Office (GAO) details the potential vulnerabilities and dangers of offering in-flight wifi services during air transit. By essentially granting customers IP networking capabilities for their devices, airlines may be opening up their avionics systems for attacks:
Whenever there's a lot to lose, UpGuard is the solution to ensure correct configuration state. Often this means working the enterprises in banking, transportation, and ecommerce, but the Internet of Things introduces risks to the most mission critical system of them all: your home.
As a group of concepts, DevOps has converged on several prominent themes including continuous software delivery, automation, and configuration management (CM). These integral pieces often form the pillars of an organization’s DevOps efforts, even as other bigger pieces like overarching best practices and guidelines are still being tried and tested. Being that DevOps is a relatively new paradigm - movement - methodology - [insert your own label here], standards around it have yet to be codified and set in stone. Organizations are left to identify tools and approaches most suitable for their use cases, and will either swear by or disparage them depending on their level of success.
If you're one of the unfortunate ones who woke up to a frantic text from their boss this morning, there's some small consolation: today's OpenSSL vulnerabilities probably aren't as horrific as Heartbleed! Hooray, great job everyone! The bad news is that you still have to patch your environment, and before you can even do that—do you even know what you've got? There's a kind of configuration "fog of war" over IT that's been a fact of life for as long as IT has been around, especially in established environments. Sure, you could manually dig into each machine and run openssl version, or spend the afternoon scripting a solution if you're fancy, but that amount of work will only get you through today. You need to make room in your tool chest for a universal configuration scanner and system of record.
Sarbanes-Oxley (SOX) compliance—it’s like checking for holes in your favorite pair, but with consequences beyond public embarrassment. For publicly traded companies, the ordeal is a bit like income tax preparation for the rest of us: a painful, time-consuming evil that—if not carried out judiciously—may result in penalties and fines. Throw in an additional bonus of prison time for good measure, if you’re a C-level executive and discrepancies are found on your watch. Yes, the SEC is serious about SOX compliance, and you should be, too—especially if you’re in IT.
Audits are one of life’s greatest pleasures, right up there with root canals and childbirth. Firms love them, too; alongside tax audits-- financial audits, records audits, and compliance audits make life splendid for businesses. Unfortunately, compliance is an unwieldy but necessary evil-- that is, unless you’re America’s 2nd biggest health insurer.
We rewrote the UpGuard agent as a connection manager to reap the benefits of agentless monitoring. Why get rid of agents? Because agents must be updated. They are like a free puppy–it's easy to take them home but you have to feed them, take them to the vet, and clean up after them for years afterward. The new connection manager allows for an agentless architecture while keeping all SSH/WinRM activity behind your firewall. It's fast, light, easy to maintain, and secure.
Microsoft has announced a vulnerability in Samba, the widely used SMB/CIFS protocol for Windows/*nix interoperability. The vulnerability exists in versions 3.5.0 to 4.2.0rc4 and allows malicious clients to manipulate the host such that clients can execute code via a netlogon packet.
We know you're sick of updating OpenSSL so we'll keep this short. There is a new SSL vulnerability named FREAK with a published proof of concept. FREAK affects a significant portion of websites, including big names like American Express and the NSA. Like POODLE, FREAK takes advantage of support for legacy cryptographic protocols.
In Part 1 of this article, we presented an overview of Amazon AWS and UpGuard, and discussed how the two marry the best in cloud computing and DevOps. We also learned how UpGuard is not just the premier solution for configuration monitoring, control and automation of AWS offerings like EC2 and S3, but can also work with any number of RESTful services. But enough waxing philosophical—time to put theory into action. And what better way than to follow a fictional organization as it sets up UpGuard monitoring for its AWS cloud infrastructure?
It's not pleasant to think about, but the fact is that when we go to work we are expected to do things. But what are the things that need doing? If we can answer that question without hours of meetings or dozens of emails we can finish our work and do...other things. UpGuard's new Tasks feature provides a lightweight project management system designed especially to maintain quality in a rapidly changing environment.
Over the years, Amazon has become the poster child for all things cloud-related, and for good reason: as one of the initial vendors to embrace the cloud computing paradigm, they were the first to offer widely accessible commercial cloud infrastructure services when it launched EC2 and S3 as part of AWS back in 2006. And now, almost a decade later, the tech giant continues to dominate with a 27% market share of the cloud services market. It's therefore not surprising that for many, Amazon comes to mind first when thinking of cloud computing.
When we set out to create a cloud-based tool for configuration monitoring, we used the tools we knew and wrote UpGuard using JRuby. For our application, JRuby had many good qualities: getting started only required a one line install, the agent only needed to talk out on port 443, and it was platform agnostic. Using JRuby we demonstrated the value of system visibility, attracted our first cohort of customers, and raised the funds to expand UpGuard. Now we're not only scrapping that agent, we're moving away from agent-based architecture altogether. Here's why.
In a recent episode of the Enterprise Initiatives podcast, our own debonair cofounder Alan Sharp-Paul sat down with host Mike Kavis to talk DevOps, and especially one particularly memorable blog post in which Alan advised that's not wise to look before you leap and "don't automate what you don't understand." That point has been known to cause some contention among certain DevOpserati who often maintain the movement is primarly based on a cultural shift coupled with automation.
This week Qualys announced a vulnerability in certain versions of glibc that is now being called GHOST. The vulnerability allows remote execution of code by calling gethostbyname() and is considered critical. We won't cover what others have already said: you can read the original Qualys post here, a summary from ZDNet here, and advice on updating your OS version here. If you aren't sure what version of glibc is used on every one of your Linux machines, read on. We have created a one-click solution for validating the security of all your nodes.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.