CSOonline: The top 5 email encryption tools: More capable, better integrated

I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:

  • HPE/Voltage SecureMail is now part of Micro Focus, following that company's acquisition of a group of HPE software products
  • Virtru Pro has extended its product with new features and integrations
  • Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
  • Zix Gateway rebranded and widened its offerings
  • Symantec Email Security.cloud has added integrations

In my post today, I talk about recent trends in encryption and more details about each of these five products.


RSA blog: The Digital Risk Challenges of a Smart City

One of the things that I like about our hyper-connected world is how easy it is to virtually attend just about any tech conference. Alongside most major conferences you can also find a number of interesting ancillary events. Some of these, much like the official conference sessions, are recorded for viewing later. Today’s post is about one such ancillary event, hosted by RSA – the company, not the conference. Before I talk about some of the challenges of running smart city infrastructures, let me discuss why I think Singapore is so important for IT security professionals.

You can find this post on RSA’s blog.

RSA blog: How many C-level execs own your security infrastructure?

Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the recent RSA conference in Singapore, RSA’s CTO, Dr. Zulfikar Ramzan, described several different C-level executives who could have direct responsibility for some portion of your security infrastructure: CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer (CDO). If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.

From the IT folks I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to pass the buck (or the token or packet) from one department to the next.

You can read my blog post for RSA here about how to try to collaborate and jointly own your security apparatus.

The state of our elections security

The past week has seen a lot of news stories about hacking our elections. Today I take a careful look at what we know and the various security implications, which I cover in the last paragraph. It is hard to write about this without getting into politics, but I will try to summarize the facts. Here are two of them:

Russians tried to penetrate election authorities in every statehouse but, other than in Illinois, were not able to compromise those networks. The evidence for this has been published in the Mueller report and, more recently, in the Senate Intelligence Committee report from last week.

A second and more troublesome collection of potential election compromises is described in a report from the San Mateo County grand jury that was also posted last week. I will get to this report in a moment.

For infosec professionals, the events described in these documents have been well known for many years. The reports talk about spear-phishing attacks on election officials, phony posts on social media or posts that originate from sock puppet organizations (such as Russian state-sponsored intelligence agencies), or from consultants to political campaigns that misrepresent themselves to influence an election.

Much of this has already been published, including this timeline infographic from Symantec.

What is new though has little to do with technology failures and more to do with how we have structured our communications and threat sharing data. The Senate report says, “often election experts, national security experts, and cybersecurity experts are speaking different languages. Election officials focus on transparent processes and open access and are concerned about introducing uncertainty into the system; national security professionals tend to see the threat first. Both sides need to listen to each other better and to use more precise language.” The report goes on to document the security failings of 21 state election boards’ operations.

One of the issues has to do with the poor security surrounding electronic voting machines. As I said, this is a well-known problem. A University of Michigan computer science professor has been studying this for years. He purchased some of these machines on eBay and set up a demonstration of how easy it was to hack the votes. Digital voting can be solved, but not easily: Estonia has been voting electronically for years because every Estonian has a digital ID card that isn’t easily hacked. (You can read my experiences with using it here – non-residents can buy one but obviously can’t vote.) You can read more about Estonia’s experience with its online voting here. It shows that digital voting doesn’t increase the overall voting population, but has become more popular since its introduction.

What the Senate report doesn’t document is what has been done since it began its research several years ago. That is the purview of the San Mateo grand jury report which posits that social media accounts of county officials — both their personal accounts as well as their official business accounts — have been compromised in the past and could be used to disrupt elections. These accounts could be used to spread false information both before and after an election. This report is quite chilling and Brian Krebs has a lot more to say about it.

Let’s talk a little more about what the state and local election agencies are doing to better secure our elections. To understand how these agencies are trying to improve their security postures, you have to follow the money.

Several years ago, Congress appropriated $380 million for state grants to improve election security. Not all of this money has been spent yet, although it has been allocated to the states, and you can see where it is eventually going here in a very confusing report from a federal entity called the U.S. Elections Assistance Commission (EAC). The EAC is in charge of distributing these funds. A better analysis from Pacific Standard can be found in this piece. The state election authorities must match five percent of their grants and spend it all before 2023. Most of these funds are being spent on phishing awareness education, doing regular patching and system updates, and, according to this report from last year, “ensuring election results have auditable paper trails, have better built-in cyber defenses and can continue to operate resiliently after a digital attack.” Illinois, Wisconsin and New York are planning to dedicate all of their funding allotments to improving cybersecurity measures. The others have proposed a mix of cyber and non-cyber improvements.

The EAC also provides a collection of various tools and best practices for state and local elections authorities, and you might want to spend some time, as I did, visiting its website and seeing the quality of its advice. On the whole, it is sound, but the problem is getting the hundreds of local officials to act on it and to work together with the feds.

One of these tools is an open-source intrusion detection system called Albert that was first developed by the U.S. Department of Homeland Security several years ago and is based on the Suricata IDS project. Suricata has replaced Snort and has become very popular in the commercial IDS world.

States can freely implement this tool, and the EAC will help them with security monitoring too. This is done through an operations center that houses two functions: the Multi-State Information Sharing and Analysis Center, which handles network-level events, and a separate center for election security events. It is run by the Center for Internet Security out of an office near Albany, NY. Albert sensors are now monitoring election systems that will account for 100 percent of the votes to be cast in the 2020 elections. In 2016, they covered only a third of the votes cast.

Let’s turn from elections operations to influencing how we cast our votes. For that, I will talk about a new Netflix documentary called “The Great Hack,” which is now on its streaming service. I urge you to watch it with your whole family. It mostly follows two people whom you might not have heard of and their role in the Cambridge Analytica/Facebook scandal: Brittany Kaiser, a former CA employee, and David Carroll, a college professor who tried to sue the company to gain access to his own data. If you can get past the annoying CGI opening credits, there is actually much meat to be gleaned here. The main thesis of the movie has to do with convincing a class of voters it calls the persuadables in swing districts to vote for a particular candidate, or not to vote at all. If you don’t have time to watch the movie, you can get the main points from a TED talk by Carole Cadwalladr, one of the reporters featured in the film. Facebook knew about the abuses of its data collection and was fined by the U.S. government last week. (This article by Techcrunch summarizes the details.) Also in last week’s news: Facebook agreed to pay two fines. The first was a $5 billion fine to the Federal Trade Commission; the second, a $100 million fine from the Securities and Exchange Commission, was overshadowed by the first but represents a more important penalty.

OK, that is a lot to grok, I admit. If you have made it this far, here are some action items for you as an individual. First, if you want to vote intelligently, consume social media carefully. Don’t repost without extreme vetting of the source; better yet, go to listen-only mode and steer clear of using social media entirely for politics. I realize that is a lot to ask. Some of you have already abandoned social media entirely. Others have selectively blocked friends who wax too often on political topics. Second, when you vote, if you can use a paper ballot do so, at least until the electronic machines have better protection. Finally, check the election security operations center website to see if your county or city elections authority is a member, and if not, urge them to join.

CSOonline: Best tools for single sign-on

I have been reviewing single sign-on (SSO) tools for nearly seven years, and in my latest review for CSOonline, I identify some key trends and take a look at the progress of products from Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA. You can see the product summary chart here.

If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.

I also look at five different IT strategies to improve your password and login security, the role of smartphone authentication apps, and what is happening with FIDO.


RSA blog: Taking hybrid cloud security to the next level

RSA recently published this eBook on three tips to secure your cloud. I like the direction the authors took but want to take things a few steps further. Before you can protect anything, you first need to know what infrastructure you actually have running in the cloud. This means doing a cloud census. Yes, you probably know about most of your AWS and Azure instances, but probably not all of them. There are various ways to do this – for example, Google has its Cloud Deployment Manager and Azure has an instance metadata service to track your running virtual machines. Or you can employ a third-party orchestration service to manage instances across different cloud platforms.

Here are my suggestions for improving your cloud security posture.

CSOonline: Evaluating DNS providers: 4 key considerations

The Domain Name System (DNS) is showing signs of strain. Attacks leveraging DNS protocols used to be fairly predictable and limited to occasional DDoS floods. Now attackers use more than a dozen different ways to leverage DNS, including cache poisoning, tunneling and domain hijacking. DNS pioneer Paul Vixie has bemoaned the state of DNS and says that these attacks are just the tip of the iceberg. This is why you need to get more serious about protecting your DNS infrastructure, and various vendors have products and services to help. You have four key options; here’s how to sort them out, in a piece that I wrote for CSOonline.

Dark Reading: Understanding & Defending Against Polymorphic Attacks

I first wrote about polymorphic malware four years ago. I recall having a hard time getting an editor to approve publication of my piece because he claimed none of his readers would be interested in the concept. Yet in the time since then, polymorphism has gone from virtually unknown to standard practice for malware writers. Indeed, it has become so common that most descriptions of attacks don’t even call it out specifically. Webroot, in its annual threat assessment from earlier this year, reported that almost all the malware it had seen demonstrated polymorphic properties. You can think of it as the chameleon of malware.

In this post for Dark Reading, I describe how polymorphism has gotten popular with both attackers and defenders alike, the different approaches that the vendors have taken, and some suggestions on keeping it out of your infrastructure.

HP Enterprise.nxt: Ways to expose your business to ransomware

No computing professional wants to encounter a ransomware attack. But these six poor IT decisions can make that scenario more likely to occur. Ransoms are not the result of an isolated security incident but the consequence of a series of IT missteps. Moreover, an attack often exposes poor decision-making that indicates deeper management issues that must be fixed. In this article for HPE’s Enterprise.nxt website, I discuss how these missteps can be corrected before you become the subject of the next attack.

CSOonline: What is Magecart?

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually Magento, to steal customer payment card information. This is known as a supply chain attack: the idea is to compromise a third-party piece of software supplied by a VAR or systems integrator, or to infect an industrial process, without IT being aware of it. I explain what this malware does, link to some of the more notable hacks of recent history, and also provide a few suggestions on how you can better protect your networks against it.

You can read my post for CSOonline here.