Don’t be Leaky: Password Management Privacy



Written by Craig Lurey, CTO Keeper Security

Password managers are critical for protecting users. Strong password generation, auto-fill and secure sharing of credentials between family members and co-workers have become essential tools for millions of people.

Companies that build security software have to be extremely careful about what information their software gives away. Data leakage does not only mean information exposed to the entire Internet. It also covers information the application sends back to the service provider, which the provider can then read and log.

At Keeper, everything we do is Zero Knowledge: Keeper does not have the ability to decrypt any user record data. Information stored in Keeper, record metadata included, cannot be decrypted without the user’s master password, and encryption and decryption of records take place on the end-user device, not on Keeper’s servers. This means that even metadata such as the website URLs in a vault is known to no one but the user.

Here’s an example. When we built the “URL Icon” feature, which displays a website’s icon next to its address, we had to decide where that icon would come from. The convenient design is to fetch it through our own server, but a server-side fetch would tell Keeper which sites every user stores. Since we are zero-knowledge, we decided that the HTTP request for the icon must go from the user’s device directly to the target website, never through Keeper’s server. This was definitely more work, but we did not compromise the user’s privacy for our convenience.

Encrypt Everything

Before installing an application that stores your private information, find out the following:

  1. Is your information encrypted, and with keys that only you control? Don’t make assumptions.
  2. Is the developer sacrificing security for convenience?
  3. Who is the software developer and what is their cybersecurity background?
  4. Where is the software development team located?
  5. Is the provider’s security audited by a credible third party?


Keeper is the only password management software provider regularly audited for SOC-2 compliance. This means independent auditors verify that Keeper customers and systems are protected, both logically and physically, against unauthorized access. Keeper is based in Chicago, and the engineering team in Northern California is made up of experts in cyber security, cryptography and application development.

We encourage everyone using a password manager to look for strong client-side encryption, stringent security attestations such as SOC-2 that demonstrate compliance, and full transparency about security practices. Our detailed security disclosure is on our website at https://keepersecurity.com/security; there you will see that our customers’ privacy and security are at the top of our priority list.

Who’s In the Middle?

Many popular password managers on the market rely on third-party sync applications. General-purpose cloud storage providers most often do not (and, given the features they offer, cannot) encrypt files with keys controlled by the user, so a vault file synced through them is only as safe as the password manager’s own encryption of it, and the file itself can be exposed by clicking the wrong checkbox on the storage account and making it public, or by a bug on the provider’s side that makes your files publicly accessible.

We operate our own back end, which provides secure backup, instant sync, sharing and a host of other enterprise-grade features; there is no third-party storage provider in the middle.

Questions? Ping me on Twitter @CraigLurey.

The Most Critical Element in a Company’s Incident Response Plan



This is a guest post from Infosec Institute.


Organizations create and deploy incident response plans to establish procedures for handling security incidents and breaches. Once an incident has been identified, whether while it is taking place or after the damage is done, the organization needs to contain it, recover from it and make sure it does not happen again; none of that is possible without a plan that exists before the incident.

According to a whitepaper by Bryan Cave’s Global Data Privacy and Security Team:

  • Having an incident response plan lowers the cost of data breach incidents by $17 per record
  • 50 percent of companies are not sure if their plans are effective
  • 78 percent of companies with response plans have no scheduled review or have never reviewed their plans
  • 22 percent of companies have no incident response plans in place


Industry regulations spell out requirements for incident response documentation. Examples include Requirement 12.9 of PCI DSS (numbered 12.10 as of PCI DSS v3.0) and section 164.308(a)(6)(i) of the HIPAA Security Rule. According to the Harvard Law School Forum on Corporate Governance and Financial Regulation, incident response plans are needed for a variety of reasons, including these:

  • Regulators expect organizations in heavily regulated industries (financial, government, etc.) to have threat response plans.
  • An incident response plan serves as evidence of security best practice if a company becomes the subject of regulatory proceedings.
  • The plan keeps current and future incidents from escalating into catastrophic events that could threaten the organization’s survival.

These plans are developed by a security team of one or more people. Where there is only one, that person coordinates the efforts of staff drawn from elsewhere in the organization. Once the response is complete, those staff return to their normal duties while the coordinator keeps the day-to-day responsibility of watching for new incidents.

Key Elements of an Incident Response Plan

These days, organizations are overwhelmed by the volume and complexity of incident response plans, in particular the overlapping elements and policies offered by “me too” security advisors. More often than not, corporations base these plans on day-to-day operations rather than adopting a comprehensive approach.

For a plan to be robust, durable and successful at delivering results, it should include the following key elements:


1) Policy and incident definition

A key part of incident response documentation is the policy that protects resources against intrusion and the classification of what constitutes an incident. An incident may be insider abuse or an external attack; it may be largely non-technical, such as a social engineering attack, or entirely technical, such as a web application compromise. The IT committee needs to define which events fall under the incident umbrella, and the policy should promote information flow before, during and after an event.

2) Roles and responsibilities

The plan must name the key players and their specific responsibilities, and their contact information should be distributed to the security team and IT management. Incident handlers should be able to refer to the document to quickly identify who analyzes which aspect of the response and who validates it, while every step taken is documented. Typical roles include the incident response manager (coordinator of the team), the incident response officer (accountable for the team’s actions) and the incident response custodian (technical response and application support). Name a deputy for each role so the plan still works when a key individual is on leave.

3) Performance objectives

Objectives should be laid out for containing and controlling the event to prevent further loss of information or unauthorized access. Performance objectives could include freezing, monitoring or closing specific vulnerability gaps while preserving any evidence about the threat vectors. Associated training could cover preventive controls such as change management and patch testing. CSOs should update performance objectives regularly based on experience and lessons learned.

4) External support

Effective incident response documentation requires pre-existing relationships with third parties such as forensic specialists and law enforcement. External support can provide emergency services that limit the impact on the corporation’s security architecture, and commercial partners are especially useful for handling evidence in a way that will hold up in court if lawsuits are filed. External support also gives the plan greater scalability and flexibility. Guidelines that spell out the values of the internal response team will also guide the response of external teams.

5) Incident assessment and response review

Continuous improvement of the plan is driven by ongoing assessment of event types (the ways in which an incident could occur) and of the responses to them. For each event type, the assessment defines the team and the response operating model, which in turn documents decision rights, such as who is responsible for notifying law enforcement. Response outcomes should be reviewed to find steps that could be performed better and to harden the response, covering communications, performance objectives, crisis management and external forensic investigation.

The most critical element?

As the elements above show, an incident response plan has several parts that define an organization’s response to an adverse event. One of them, however, determines both how deep an incident penetrates the security infrastructure and whether the plan succeeds at all.

And that most critical element is testing.

Incident response plan testing is needed to assess the response to an adverse event against the organization’s sensitive data, infrastructure and network. It is also used to fine-tune the documentation framework, responsibilities and the effectiveness of individuals undertaking responsibilities. The test will go beyond traditional evaluation exercises by testing real-time responses to live incidents against the company’s systems.

Testing can be conducted remotely or on site where the infrastructure was affected. Industry regulations also require incident response documentation to be tested: PCI DSS Requirement 12.9 (12.10 in v3.0), for example, asks organizations to test the plan at least annually, but an annual test may not be enough to address deficiencies surfaced by monthly or quarterly audit cycles.

As a result, you can adopt a multi-faceted approach to frequently validate that technical controls and vulnerability response are updated properly to solidify the organization’s position against damaging events.

Response testing and capability analysis services provide an external testing option for organizations that lack internal capabilities to conduct tests. Such services provide simulations based on incident intelligence on tradecraft of adversaries to assess your response procedures during an event. Beyond tabletop exercises, you and your team are primed for real-time handling of security incidents through robust testing and best practices education.

Testing also reveals which deviations from the plan occur most often and how to eliminate them. Advanced incidents will have different containment requirements and response testing methodologies than low-level incidents. Ideally, the test report will include:

  • Testing methodology
  • Assessment of response items
  • Expected results
  • Actual results
  • Causes of deviation
  • Recommendations to remove discrepancies


Having a tested incident response plan in place before an event will save you money, time and reputational damage when the unthinkable happens. It will also shorten the period of the incident lifecycle during which an active response is required to resolve the issues an unwelcome event raises.

The Next Big Cyber Target? Hacking the Nation’s Energy Grid



The recent hacks of the IRS and the Office of Personnel Management, among other agencies, reveal massive security vulnerabilities at the highest levels of the U.S. government. These attacks have been devastating in many ways, not least in exposing federal employees to identity theft. But we should not assume this is the worst attackers could do by infiltrating government agencies. Financial hardship and exposed national-security data are troubling enough, but attackers are moving on to creating nationwide chaos and even taking lives.

Take the energy industry, which includes the nation’s energy grid. According to the Department of Homeland Security (DHS), more than 50% of the cyber incidents it investigated from October 2012 to May 2013 occurred in the energy sector. Many of these attacks targeted energy companies, such as power and utility companies, which highlights part of the problem: the nation’s energy sector is a mix of government and private entities working together. Certain government agencies are responsible for protecting the grid, but the energy itself comes from the private sector.

“Out of all of the critical infrastructure sectors reporting attacks, the most vulnerable to attacks is the energy sector,” as Michael Gomez of KPMG, an advisory firm that offers cybersecurity consulting to the energy industry, told The Hill newspaper last year. “Not any single sector within the energy industry is outside the scope of recent cyberattacks.”

In FY 2014, there were 79 reported hacking incidents against energy companies. Between April 2013 and April 2014, 37% of U.S. energy companies admitted that malware had infected their systems, according to a report from ThreatTrack Security. Meanwhile, HP Enterprise Security’s 2014 Global Report on the Cost of Cyber Crime found that energy utilities suffered the highest cost of cybercrime ($13.2 million) of any industry.

What’s really troubling is that only 27% of the energy executives recently surveyed by the Aspen Institute reported feeling very or extremely vulnerable today. That does not necessarily mean energy companies are not equipped to ward off determined attackers, but it does suggest they greatly underestimate the threat. As noted above, the threat has only grown in recent years and will keep growing as more energy systems go digital. The same Aspen Institute survey found that 70% of respondents believe attacks are escalating. They are right.

So what sort of havoc could a successful attack on the nation’s energy grid create? According to a 2015 Lloyd’s report, a devastating attack on the U.S. power grid could cost the insurance industry $71 billion in losses and the U.S. economy a total of $1 trillion (yes, one trillion dollars). Many factors feed into those figures. First, there is the simple threat that attackers could shut down sections of the grid, causing massive blackouts in major urban centers. History shows that blackouts tend to bring a higher incidence of crime, particularly when they occur during extreme weather. Targeted blackouts could also hit hospitals and airports, resulting in loss of life. And the grid includes generation assets such as dams and power plants, which depend on carefully calibrated control settings to avoid disaster.

Politicians, government officials, and executives in the industry are aware of the heightened threat. For example, in Washington both chambers of Congress are moving on legislation to better protect the energy sector from cyberattacks. In July, the House Subcommittee on Energy and Power unanimously approved a bill that would, among other things, create a program encouraging energy companies to use better cybersecurity products. In the Senate, lawmakers are working on a bipartisan bill, the Energy Policy Modernization Act of 2015, that focuses on cybersecurity and grid protection, but also would have the Department of Energy perform cyber-resilience testing to gauge the effectiveness and potential fallout of a successful hack.


As good as these measures are, the nation’s energy sector, private and government entities alike, does not need to wait on Washington to act. The Aspen report emphasizes that “humans [are] still the weakest link” in cybersecurity. Most attacks arrive as malware, and malware usually gets into a network because a person lets it in, typically by clicking a link in an email. It is the same tactic attackers use against ordinary people; here the potential damage is simply catastrophic.

The Aspen Institute report notes that in recent years energy companies have bolstered their cybersecurity infrastructure through investments in network firewalls, advanced threat detection, intrusion prevention systems, and secure email gateways. The entire energy sector, including government agencies, should follow suit, as the danger of a massive attack is simply too great to ignore.

Our Cybersecurity ‘Lag Time’ is Dangerous



In April, the FBI pulled a man off a United Airlines flight in Syracuse because agents had reason to believe he had been trying to access the plane’s control systems. Crisis narrowly averted? Not precisely. The FBI caught wind of the passenger’s activity via his Twitter account, where he was posting real-time updates to his followers. It turned out that the passenger, security researcher Chris Roberts, wanted to highlight security holes in today’s increasingly connected airplanes. In any event, no charges were filed.

About the time the FBI nabbed Roberts, the Government Accountability Office released a report that raised red flags over airplane cyber-security. Specifically, the GAO warned that commercial planes could be hacked and controlled either through the onboard WiFi or from the ground. Ominously, the report found that “a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.” In other words, the passenger’s device could be used by hackers like a digital-age Trojan Horse.


As everyone knows, airport security is designed around detecting physical threats: weapons, explosives and suspicious people. Laptops are singled out only because they could conceal explosives. According to the GAO, that is no longer the only reason to worry about them. Has airport security evolved to meet this new kind of threat? That is an open question, and one the airlines say is under control. Perhaps they are right. And perhaps they are wrong, as Roberts claims.

As a society, we have grown too accustomed to the ‘lag time’ between detecting a cyber-security threat and protecting ourselves against it. The simple reason for this is that we – meaning government, businesses, and consumers – want to enjoy the benefits of better technology first, then worry about the inherent security threats later – if at all. We can’t afford to think like this anymore. Here’s why:


Government

Since 2013, there have been at least two dozen mass breaches of government computer systems, including the State Department, the White House, NOAA, and USPS. At State, for example, an inspector general report found “security control deficiencies in multiple information security program areas that were previously reported in FY 2010, FY 2011, FY 2012, and FY 2013.” Although none of the breaches (that we know about) has jeopardized highly classified material, this lucky break could be contributing to the ‘lag time’: Only when something really damaging is stolen will government agencies do something about it.


Business

According to one estimate, cyber attacks cost business $400 billion a year. One recent study found that 97% of businesses have had a cybersecurity breach. And yet fewer than 20% of organizations have real-time insight into their cybersecurity risks readily available. While it is rare for even a small business to have no security measures in place, far too many companies of all sizes simply do not appreciate the risk. Perhaps, like government agencies, they would rather not act unless something really bad happens. But how many massive hacks must there be before companies put cybersecurity at the top of their priority list?

Consumers

In our increasingly connected world, consumers have become part of the cybersecurity infrastructure. When consumers can reach public systems such as airplane WiFi, how well they have protected their devices and accounts can decide whether an attacker gets into a company or government system. Yet 60% of us do not like being bothered to change our passwords, and that attitude is dangerous. If consumers are one line of defense in our collective cybersecurity, we need to get much more serious about protecting ourselves. But, again, most of us will not act until we have become victims, and that puts everyone else at risk.

The more of our personal devices that we connect to the Internet, and which we use to access government or private systems, the more interconnected our cyber-security ecosystem becomes. We have to ditch this idea that what happens at Target or the State Department can’t happen at our company or home. Likewise, as consumers, we have to reconsider our selfish view that our unprotected device is a problem just for us. That might have been true in the past, but no longer.

Do You Need Cyber Insurance? Answer: YES



Last year, security appliance vendor FireEye released a study showing that 97% of all organizations have had their cyber security systems breached[i]. This doesn’t mean that every one of these breaches led to massive theft of highly-sensitive data; rather it means that at least one attacker had bypassed all layers of a company’s cyber-security architecture. Most probably never knew it happened. Imagine your company’s data is under attack, corporate secrets are being accessed and employee data (name, date of birth, social security number and current address) is being stolen – and your IT team doesn’t even realize it.

If that’s a bit disconcerting, it’s supposed to be. With so many high-profile breaches in the news (Target, Sony, Anthem, Home Depot and others), it seems that no system, however expensive or well designed, can keep out a determined attacker. That is not entirely true, but it is close. State-sponsored attacks are now well known, and ordinary cybercrime is a multi-billion dollar business in which stolen social security numbers and credit card numbers fetch between $15 and $30 each on the black market. Imagine how much a criminal organization can earn by breaching a company with millions of customers and thousands of employees. This is the main reason every company should make cyber insurance part of its cybersecurity and IT budget.

“Even with the best systems in place, whether due to simple employee error or really good cyber criminals, breaches can still occur with the potential for large costs and damages,” said Steve Bridges, Senior Vice President of JLT Specialty, an insurance broker specializing in cyber insurance. “Prudent companies insure this risk to protect themselves from the huge costs that occur following a data security incident.”

Lloyd’s, the British insurance company, estimates that companies lose about $400 billion globally to cyber-crime. It’s one reason that the cyber insurance industry has exploded in recent years. Last year, the industry took in $2.5 billion to protect companies from hacks. In 2013, it took in $2 billion. In 2012, it was $1 billion[ii]. You get the picture.

What companies, particularly smaller ones, might not understand is that cyber insurance is not only about recovering whatever the criminals stole. For companies whose direct customers are consumers, including retailers, healthcare providers and financial institutions, the stolen data is people’s credit card numbers, health records, financial accounts and social security numbers. Customers and stakeholders alike (banks, card networks and even states) are victims just as much as the company itself, and like the company they will want redress. That means lawsuits that can run into millions of dollars. For public companies the market aftershock could run into billions in lost market capitalization, on top of the damage to the brand.

Fortunately, the cyber insurance industry has been able to ramp up quite quickly to meet the challenges of hacked businesses. “Today’s policies provide coverage for post-breach, pre-claim costs (things like forensics, notification, credit monitoring, PR, etc.), defense of regulatory actions and payment of fines and penalties and defense of third party claims, including payment of damages,” said Bridges.

There are many insurance companies offering this coverage but policy language, program structure and the cost of coverage is dependent upon a company’s industry and size, network security and privacy practices and claims history.  “Large retailers often buy large limit programs with insurance towers of $100 million or more while smaller companies may buy $1 million to $5 million in limits,” said Bridges.  “Retentions (or deductibles) also impact pricing, with larger companies taking larger retentions, often in excess of $1 million.”

In industries with significant breach activity, premiums are increasing and companies are buying additional limits. This should incentivize companies of all sizes to start investigating whether cyber insurance is right for them.

The process of obtaining cyber insurance involves a typical insurance application plus a detailed questionnaire about networks, security practices and procedures, and internal controls. That process alone is beneficial, because it can surface internal control weaknesses and security vulnerabilities the company did not know existed. Companies that can demonstrate a commitment and investment of resources (people, technology, education, etc.) toward securing their systems will fare better in underwriting. Those that do buy insurance are protecting their balance sheets from the potentially massive costs of a large breach. Risk management and corporate directors should at least investigate coverage, and for companies in certain industries, particularly those that serve consumers and therefore hold large amounts of PII (personally identifiable information), failing to buy cyber coverage, or enough of it, puts the company’s finances at considerable risk.

When discussing what’s ahead for cyber insurance, Bridges commented, “in the near future, the cyber insurance industry will take a more holistic approach and many best-in-class providers will come together to help companies prevent attacks and mitigate cybersecurity risk.”   One thing that companies must remember is that cybercrime is becoming more prevalent, not less. While this has much to do with the sophistication of the cybercrooks, it also is because the new technological world we’re entering is chock-full of security risks.

A cyber-security strategy must have a contingency for when the defenses are breached – and that contingency should probably be cyber insurance.

——–

[i] http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf

[ii] http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/


Keeper Security Response to Recent Cyber Threats in the News



Over the past week, several new vulnerabilities have been reported in the news: a weakness in one of Samsung’s keyboard applications affected some 600 million smartphones, a keychain vulnerability affecting iOS and OS X was disclosed, and LastPass, a competitor of Keeper, reported a breach.

Keeper is NOT affected by these vulnerabilities.

Samsung Keyboard Vulnerability

The Keeper FastFill feature utilizes the “input method” system in Android, thereby allowing a user to switch to the Keeper keyboard when logging into apps and filling passwords.

Keeper is not affected by this vulnerability. Here’s why:

  • The Keeper FastFill feature is part of the Keeper application which is provided to users either via pre-installation on the device or download via the Google Play app store.
  • Keeper’s application and keyboard are signed by Keeper, not by Samsung.
  • The Keeper FastFill input method does not use 3rd party libraries, language packs or SDKs.
  • Keeper only communicates to the Keeper Cloud Security Vault for syncing of encrypted data via HTTPS.  HTTP and weak HTTPS ciphers are not permitted.
  • Keeper FastFill may be turned on/off by the customer at any time.
  • Keeper FastFill does not download and unpack zip content from the network, so there is nothing of that kind to exploit.
  • Updates to Keeper are delivered only through app store updates.

Zero-Day iOS Keychain Flaw

This vulnerability allowed researchers to access keychain data on iOS and OS X.

Keeper is not affected by this vulnerability. Here’s why:

IPC Interception on WebSockets. This technique takes over a local port used for inter-process communication and reads whatever is sent over it. Keeper does not send sensitive information over WebSockets, only notifications that something happened (e.g. someone wants to share a record with you, or your vault was updated on another device), and the notifications contain no sensitive data.

Password Stealing. This technique has a rogue app delete a keychain entry and re-add it under its own control, so it can read the data another app then writes to that entry. Sensitive data is always encrypted before it is placed in the keychain, and the way Keeper uses the keychain is not vulnerable to the sequence of events performed by the researchers.

Container Cracking. This technique allows a rogue app access to the vulnerable app’s data directories. Keeper stores all sensitive data in the app’s sandboxed data folder with 256-bit AES encryption.

Scheme Hijacking. This technique allows a rogue app to intercept URL schemes that some apps rely on to pass information. Keeper only uses URL schemes to launch Keeper, and not pass sensitive information.

LastPass Hack

It has been reported that LastPass was hacked. Attackers reportedly gained access to account email addresses, password reminders, per-user salts and authentication hashes.

Keeper is a Zero-Knowledge Platform

This means customer data is encrypted and decrypted on the device: neither Keeper employees nor third parties can access the records or content in a customer’s vault. The keys used to encrypt and decrypt data are themselves encrypted and stored on the device. Keeper uses the protections described on our security disclosure page: PBKDF2 to derive keys from the master password and 256-bit AES to encrypt the data. Brute-forcing a 256-bit AES key is computationally infeasible, so in practice the vault is only as strong as the master password; PBKDF2’s iteration count slows down guessing of that password, which is why a long, unique master password matters.

Keeper’s systems are hosted on Amazon AWS and protected against intrusion by multiple layers: firewalls, user and IP restrictions, DoS mitigation, restricted access to production data and other security controls, all put in place to ensure that customer data stays safe.

Keeper is the only password management provider in the industry with a SOC-2 attestation. SOC-2 compliance requires that we undergo strict code reviews, process controls and audits to ensure the highest standards of data protection are implemented.

We are Fanatical About Your Security

Keeper’s engineering team in the United States is made up of experts in IT security, cryptography and application development. All source code is developed in-house; no third parties or contractors are involved in the software development process. Our test lab and QA systems are world-class.

Multi-Factor Authentication

To further protect customer data, we strongly encourage the use of Keeper DNA™ and the two-factor authentication methods available to our customers. Two-factor authentication adds an important layer of defense against unauthorized access to your data: a stolen master password alone is not enough to open the vault. To enable multi-factor authentication, log in to the Keeper Web App and click on “Settings”.

 

If you have any questions, please contact our support team. Thank you for being protected with Keeper.

-Craig Lurey, CTO of Keeper Security

The Coming Mobile Malware Attack


Earlier this year IBM researchers learned about a new Android malware-spreading kit being sold in the Russian cybercrime underground. The kit, nicknamed MazelTov, allows a cyber-crook to spread malware easily and effectively through Android apps. To borrow a term from the IT community, MazelTov is essentially a turnkey solution for hackers, a sort of “malware for dummies”. That is a problem in itself, but the scary part is that MazelTov was created specifically to spread malware to millions of smartphone users. In effect, the goal is a pervasive epidemic across the Android ecosystem.

 

The mobile device world has been strangely fortunate in avoiding massive malware attacks. Part of the reason has to do with the variety of mobile-device manufacturers and OS developers. That’s never been the case with desktops and laptops, the vast majority of which run Windows.  Put simply, it’s more difficult to spread a piece of malicious code between two different model smartphones running different operating systems.

 

We shouldn’t expect this lucky streak to continue. In a recent survey the IT research firm Gartner, Inc., predicted that by 2018 more than half of us will use mobile devices – smartphones and tablets – first for all online activities. That means our email, banking, shopping, and even healthcare accounts will be tied to our mobile devices. To put it another way, our phones and tablets will be the primary way we access all of our most sensitive data – the kind that we want to keep safe and secret.

 

The crooks go where the money is, and right now the “money” is on our smartphones and tablets. Earlier this month, Kaspersky Lab, which develops anti-virus software, reported that the number of malicious attacks on computers and mobile devices in the first quarter had doubled from last year. Meanwhile, a report from Lookout found that mobile malware encounter rates shot up by 75% in 2014 within the U.S. Like barbarians looking for weaknesses in Rome’s walls, the cyber-crooks are desperate to find a crack in our mobile devices. Whether it’s MazelTov or something else, it’s only a matter of time before they do.

 

It doesn’t help that most smartphone users seem determined to let them in. To put it bluntly, most of us are negligent when it comes to mobile security. As CNN reported, a third of us can’t be bothered to use a password on our phones. Even among those of us who do, 65% use the same password for all of our accounts. It gets worse. Recently a security expert was able to bypass Google’s Security Alert system – triggered when someone tries to type their password into a phishing site – with just seven lines of code.

 

The reality is that we simply don’t take the same precautions with our mobile devices as we do with our “traditional” computers – desktops and laptops. This is a serious oversight. Last year, Arxan Technologies found that 97% of the Android and 87% of Apple iOS apps on the top 100 list have been hacked. Of the most popular free apps, 80% of Android and 75% of iOS apps have been hacked.

 

Nevertheless, some experts believe the mobile malware threat is being overhyped. For example, in a recent report Verizon found that “100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate.”

 

That is indeed small, but to conclude from this that mobile malware isn’t (or won’t be) a problem would be a grave mistake for three reasons. First, we know that the cyber-crooks’ attention is increasingly turned toward mobile devices. Second, we know that more and more of our online activities, including accessing our most sensitive data, are done through our mobile devices. Finally, we know that most people don’t have even a minimal level of security on their mobile devices. We cannot afford to believe that our mobile luck will continue when all trends point toward the exact opposite.

 

If you knew you were about to get robbed, wouldn’t you do everything you could to protect yourself? Now ask yourself this: If you had physical copies of all this data, such as healthcare records, credit card and bank statements, login credentials and sensitive identifiers like your Social Security Number, wouldn’t you want to keep it all locked away? The answer is obvious, which is why we need to start protecting our mobile devices the way we learned to protect our desktops and laptops. The cyber-crooks are moving on, and so must we.

Top 3 Cyber Risks for Businesses and How to Manage Them


To borrow a phrase, too many businesses are fighting the last war. In this case, the “last war” is yesterday’s cyber-security risks. But this isn’t necessarily the business’ fault. It takes a certain acuity and nimbleness to properly adjust and prepare for today’s risks, to say nothing of tomorrow’s. Even in our digital age, most businesses simply can’t maneuver that quickly. According to EY, fewer than 20% of organizations have real-time insight on cyber-security risks readily available. That’s just one reason why high-level breaches, as we’ve seen with Target, Anthem, and JP Morgan Chase, occur with such regularity. The thieves are inventing tomorrow’s risks; businesses can do little more than react.  As Darren Guccione, our CEO said on ABC Evening News, “Being reactive is a dangerous position to be in…companies need to be proactive.”

 

Further, there’s a big difference between reacting to threats and ignoring them. Listing just three of today’s biggest threats means we’ve left out many others that are also quite serious. But the three we’ve chosen will also foreshadow the type of risks we will see down the road.

 

1) The Internet of Things (IoT) will produce billions of objects that are potential threats. We’re at the very beginning of the IoT age. According to IDC, there are some 20 billion “connected” devices in the world today. By 2020, Cisco believes that number will grow to 50 billion. But because we’re talking about everyday objects, we might forget that these new gadgets are also threats. Indeed, according to a McAfee report, many IoT devices are already targets, including IP cameras, smart meters and healthcare devices. An HP study of some of the more popular IoT devices found that:

  • 70% used unencrypted network services;
  • 80% (along with their cloud and mobile apps) didn’t require passwords of sufficient complexity and length;
  • And 90% collected at least one piece of personal information.

Businesses that either use or allow employees to use IoT devices can’t do much about their production. But they can ensure that they use or allow employees to use only those devices that have been approved because of their security safeguards.

 

2) Even after everything that’s been said, many passwords are still weak. Call this an oldie but a goodie. After hackers broke into celebrities’ iCloud accounts last year, it was discovered that the breach was due to weak passwords. According to annual third party “Most Common Passwords” reports, “password” and “123456” compete for the top spot almost every year. “Abc123” and “12345678” are also perennial top-five contenders. Even more troubling, 90% of the most common employee passwords can be cracked in a few hours.

This should terrify businesses, most of which allow employees to create their own passwords to access enterprise systems. Two-factor authentication systems, which more and more companies are trying to adopt, help add an additional layer of security. Yet a February survey from GFI Software found that only a third of users actually use two-factor authentication when it’s offered. As long as users are still using weak passwords without multi-factor authentication, the thieves will continue stealing the low-hanging fruit. Businesses can respond by requiring multi-factor authentication and implementing enterprise password management software that allows an administrator to enforce strong, randomly generated passwords.

 

3) Cyber-security has moved to the cloud. As with many consumers, many businesses today utilize the cloud for much of their IT and storage work. Cloud storage is great for today’s businesses because it offers less up-front investment, less maintenance and more flexibility.  A survey from RightScale found that 88 percent of enterprises today are using public cloud while 63 percent are using private cloud. Of course wherever the data goes the thieves will follow. Using the cloud is a great option for businesses, but organizations must understand that they are placing sensitive information outside their direct control.  This puts the onus on organizations to heavily research and investigate possible cloud providers to understand their security measures. This article has 12 questions that every organization should ask before contracting with a cloud provider.

 

The security industry is growing fast and on a massive scale. This is because hackers have become more sophisticated and more pervasive and, as we have seen in the press, state-sponsored with millions of dollars in funding. This, coupled with the proliferation of IoT devices and connected objects, has put us into the largest-scale cybersecurity war the world has ever seen.

 

The nature of our ever-evolving digital world means that by next week this post might be out of date. We exaggerate, but only a bit. The fact is that businesses can’t assume that last year’s IT overhaul protects them from this year’s security threats. IoT devices and cloud storage are all the rage, but we can’t let our enthusiasm blind us to the reality that these technologies were not devised originally with security in mind. They were specifically designed for convenience. Security has been an after-thought, but it can’t be for your business. Make IT security a priority in your corporate budget and you’ll be off to a great start.

The Future of Identity Verification


“Unfortunately it’s become kind of a nightmare.” This was the verdict on today’s computer passwords from the very man who invented them back in the 1960s, Fernando Corbató. In a 2014 Wall Street Journal interview, Corbató, now in his 80s, stated the obvious dilemma confronting today’s user: “I don’t think anybody can possibly remember all the passwords that are issued or set up.” Indeed. And then there are the inherent security risks associated with the password.

Since Corbató invented the password, innovators have been trying to find a better solution to the problem of computer (or online) security. The media like to talk about “password killers”, new software or technology that will become our primary mode of identity verification. But this discussion somewhat misses the point. It’s unlikely that any one method will relieve the alpha-numeric password from guard duty. The problem is that whatever that “one method” is, even if it’s ten times more secure than a password, it’s still just “one method” that a hacker or thief needs to overcome to access your information.

 

From Single to Multi-Factor Authentication

In other words, it won’t be “one method” that replaces the password, but multiple methods or factors that, when combined, will serve the same purpose. Just as our real identities are a collection of data points (height, weight, eye color, personality, job, etc.) so too will the verification of our identities become a combination of data points. We see this already in multi-factor authentication (MFA). Many users are familiar with two-factor authentication, which usually requires the user to know something (a password) and have something (usually a smartphone). But MFA now also includes biometric data (fingerprints, eyes, face) as well as other “tokens” the user carries that can either plug into your device or transmit a signal to the device.

Indeed, MFA is becoming more popular among businesses. In a 2014 survey from SafeNet, 37% of organizations used MFA for a majority of employees, up from 30% in 2013. By 2016, SafeNet found, 56% of organizations will require MFA for a majority of their employees.

 

Safer but Hardly Easier

Yet even as businesses appreciate the added security of MFA, consumers have been more resistant to give up the traditional password on their personal devices. In a February survey, GFI Software found that only a third of users actually use two-factor authentication when it’s offered – and it certainly isn’t a universal offering. That’s better than nothing, but it speaks to the hassle that users would rather avoid. Developers are hard at work to simplify the technology, particularly with biometric scanners, because no one wants to spend more than a few seconds logging into any particular device.

Consider two-factor authentication. In most systems, the text that arrives on your smartphone is sent mere seconds after you log in. It sounds easy, and yet a majority of users opt for convenience over security. Nevertheless, this brief insight into human nature helps us understand where we’re headed. How can we improve our security without adding more complexity or work when logging into a service?

 

The Future: Secure and Seamless

Information security in the future will become a seamless multi-factor authentication process that removes all the additional hassles and time-wasters that currently plague us. We should remember that we are swiftly entering an “Internet of Things” (IoT) world, where everyday household objects will be sensorized and connected to the Internet. There’s nothing to keep these connected objects from having additional sensors that can authenticate your identity.

To better understand an IoT world, consider your office chair. In the not-so-distant future, your standard chair will be equipped with sensors that can measure a variety of biometric and location-based data points. No one but you can log into your office computer unless they pass the tests that the chair is performing automatically. Meanwhile, the iris scanner on your computer (no larger than your current web cam) instantly verifies you. Finally, your smartphone sends a Bluetooth signal to your computer as another layer of security. We’re talking layer upon layer upon layer of security. And you won’t notice a thing. All you’ll need to do is sit down, type in your password and you’re in. Just as easy as today, except that a host of additional authorization steps will be running in the background to verify your identity without you having to think about them: no more multi-factor codes to retrieve, read or enter.

If you’re thinking this all sounds a bit too much like the movie Minority Report (or some other fantastic futuristic vision), I don’t blame you. The fact is that we are getting closer to this future than you may think – and by “we”, I mean Keeper.  Biometric scanners are getting smaller and more practical every day; the number of sensorized, connected objects in the world grows exponentially every year; and, meanwhile, the hackers and thieves have forced all of us, consumers and businesses, to better appreciate the critical need of staying safe and secure in our increasingly online and connected world. This isn’t sci-fi anymore – this is very real.

It’s called Keeper DNA™. Stay tuned….