Category Archives: Technology Risk

Игроки всегда ценят удобный и стабильный доступ к играм. Для этого идеально подходит зеркало Вавады, которое позволяет обходить любые ограничения, обеспечивая доступ ко всем бонусам и слотам.

Is outside-in the “Next Gen” of Continuous Monitoring?

Posted on by

In late 2002, the U.S. Government enacted a new law that was designed to hold each federal agency accountable to develop, document, and implement an agency-wide information security program, including for its contractors. The Federal Information Security Management Act (FISMA), was one of the first information security laws to require agencies to perform continuous assessments and develop procedures for detecting, reporting, and responding to security incidents.

With limited technological resources available for monitoring and assessing performance over time, however, agencies struggled to adhere to the law’s goals and intent. Ironically, although FISMA’s goal was to improve oversight of security performance, early implementation resulted in annual reviews of document based practices and policies. Large amounts of money were spent bringing in external audit firms to perform these assessments, producing more paper-based reports that, although useful for examining a wide set of criteria, failed to verify the effectiveness of security controls, focusing instead on their existence.

John Streufert, a leading advocate of performance monitoring at the State Department and later at DHS, estimated that by 2009, more than $440 million dollars per year was being spent on these paper-based assessments, with findings and recommendations becoming out of date before they could be implemented. Clearly, this risk assessment methodology was not yielding the outcomes the authors had in mind and in time, agencies began to look for solutions that could actually monitor their networks and provide real-time results.

Thanks to efforts by Streufert and others, it wasn’t long before “continuous monitoring” solutions existed. But, just as with all breakthrough technologies, early attempts at continuous monitoring were limited by high costs, difficult implementations and a lack of staffing resources. As continuous monitoring solutions made it into IT security budgets, organizations and agencies were challenged to make optimal use of tools that required tuning and constant maintenance to show value. False positives and missed signals led many IT teams to feel like they were drinking from a fire hose of data and the value of continuous monitoring in many cases was lost.

However, solutions today offer a number of benefits including easy operationalization, lower costs and reduced resource requirements.

buy stromectol online blockdrugstores.com/wp-content/uploads/2023/10/jpg/stromectol.html no prescription pharmacy

Many options, such as outside-in performance rating solutions, require no hardware or software installation and have been shown to produce immediate results. These tools continuously analyze vast amounts of external data on security behaviors and generate daily ratings for the network being monitored, with alerts and detailed analytics available to identify and remediate security issues.

buy tobradex online blockdrugstores.com/wp-content/uploads/2023/10/jpg/tobradex.html no prescription pharmacy

The ratings are objective measures of security performance, with higher ratings equaling a stronger security posture.

Used in conjunction with other assessment methods, organizations can use ratings to get a more comprehensive view of security posture, especially as they provide ongoing visibility over time instead of being based on a point in time result. The fidelity of “outside-in” assessments is very good when compared to the results of manual questionnaires and assessments because outside-in solutions eliminate some of the bias and confusion that may be seen in personnel responses. Additionally, outside-in performance monitoring can be used to quickly and easily verify effectiveness of controls, not just the existence of policies and procedures that may or may not be properly implemented.

These changes have made continuous performance monitoring and security ratings more appealing to organizations across the commercial and government space.  Organizations have learned that real-time, continuous performance monitoring can allow them to immediately identify and respond to issues and possibly avoid truly catastrophic events, as research has shown a strong correlation between performance ratings and significant breach events. Furthermore, as it becomes easier to monitor internal networks, organizations are beginning to realize the security benefits that can be gained through monitoring vendors and other third parties that are part of the business ecosystem.

buy inderal online blockdrugstores.com/wp-content/uploads/2023/10/jpg/inderal.html no prescription pharmacy

Being able to monitor and address third party risk puts us squarely in the realm of next generation continuous monitoring, something many regulators are pushing to see addressed in current risk management strategies.

Windows Server 2003 Expiration Brings Defense in Depth to Life

Posted on by

windows server 2003

The termination of support for Windows Server 2003 (WS2003) is less than four months away, leaving many enterprises in a race against the clock before the system’s security patches cease. In fact, 61% of businesses have at least one instance of WS2003 running in their environment, which translates into millions of installations across physical and virtual infrastructures. While many of these businesses are well aware of the rapidly approaching July 14 deadline and the security implications of missing it, only 15% have fully migrated their environment. So why are so many enterprises slow to make the move?

Migration Déjà Vu

The looming support deadline, the burst of security anxiety, the mad rush to move off a retiring operating system… sound familiar? This scenario is something we’ve seen before, coming just 12 months after expiration of Windows XP support.

While there may be fewer physical 2003 servers in an organization than there were XP desktops, a server migration is more challenging and presents a higher degree of risk. From an endpoint perspective, replacing one desktop with the latest version of Windows affects only one user, while a server might connect to thousands of users and services. Having a critical server unavailable for any length of time could cause major disruption and pose a threat to business continuity.

Compared to the desktop, server upgrades are significantly more complex, especially when you then add hardware compatibility issues and the need to re-develop applications that were created for the now outdated WS2003. Clearly, embarking on a server migration can be a very daunting process – much more so than the XP migration – which seems to be holding many organizations back.

Cost of Upgrading versus Staying

Moving off WS2003 can be a drain on time resources. While most IT administrators understand how to upgrade an XP operating system, the intricacy of server networks means many migrations will require external consultancy, especially if they are left to the last minute. It’s no wonder that companies this year are allocating an average of $60,000 for their server migration projects. Still, it’s a fair price to pay when you consider the cost of skipping an upgrade entirely. Legacy systems are expensive to maintain without regular fixes to bugs and performance issues.

And without security support, organizations will be left exposed to new and sophisticated threats. Meanwhile, hackers will be looking to these migration stragglers as their prime targets. For those who fall victim to exploits as a result, it’s not just financial losses they will have to deal with, but a blow to their reputation as well. It also means that companies continuing to run on WS2003 after support ends will be removed from the scope of compliance, adding other penalties that could further damage the business.

If they haven’t already, businesses still running on the retiring system should be thinking now about making an upgrade to Windows Server 2012. It’s easier said than done, of course. A server migration can take as long as six months, so even if businesses start their migration now, there could still be a two month period during which servers run unsupported. This means that organizations should be putting defenses in place to secure their datacenters for the duration of the migration and beyond.

Control Admin Rights

While sysadmins are notorious for demanding privileged access to applications, the reality is, allocating admin rights to sys-admins is extremely risky, since malware often seeks out privileged accounts to gain entry to a system and spread across the network. Plus, humans aren’t perfect, and the possibilities for accidental misconfigurations when logging onto a server are endless. In fact, research has shown that 80% of unplanned server outages are due to ill-planned configurations by administrators.

Admin rights in a server environment should be limited to the point where sysadmins are given only the privileges they need, for example to respond to urgent break-fix scenarios. Doing so can reduce exploit potential significantly. In an analysis of Patch Tuesday security bulletins issued by Microsoft throughout 2014, the risk of 98% of Critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights.

Application Control

Application Control (whitelisting) adds more control to a server environment, including those that are remotely administered, by applying simple rules to manage trusted applications. While trusted applications run through configured policies, unauthorized applications and interactions may be blocked. This defense is particularly important for maintaining business continuity as development teams are rewriting and refactoring apps.

Sandboxing

Limiting privileges and controlling applications sets a solid foundation for securing a server migration, but even with these controls, the biggest window of opportunity for malware to enter the network – the Internet – remains exposed. Increasingly, damage is caused by web-borne malware, such as employees unwittingly opening untrusted pdf documents or clicking through to websites with unseen threats. Vulnerabilities in commonly used applications like Java and Adobe Reader might be exploited by an employee simply viewing a malicious website.

Sandboxing is the third line of defense that all organizations should have in place, at all times. By isolating untrusted content, and by association any web-borne threats or malicious activity in a separate secure container, sandboxing empowers individuals to browse the Internet freely, without compromising the network.

buy symbicort inhaler online www.scottsdaleweightloss.com/wp-content/uploads/2023/10/jpg/symbicort-inhaler.html no prescription pharmacy

Having instant web access is expected in modern workplaces, so sandboxing is ideal for securing Internet activity without disrupting productivity and the user experience.

Windows Server 2003 Migration: A Window of Opportunity

It shouldn’t take an OS end of life to spur change – especially security change. Organizations and their IT teams need to be thinking about how they can adapt their defenses, ensuring that they are primed to handle the new and sophisticated threats we see emerging every day. A migration is often the perfect time to revitalize an organization’s security strategy. With a migration process as a catalyst for reinvention, IT can lean on solutions like Privilege Management, Application Control and Sandboxing to not only lock down the migration, but carry beyond it as well, providing in-depth defense across the next version of Windows.

Travelers Stages Live Hack to Examine Realities of Cyberrisk

Posted on by

NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern it is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed, these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

NetDiligence Cyberinsurance Claims by Business Sector

NetDiligence Cyberinsurance Claims by Data Type

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, the cost of retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Brisgaad & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

Business Risk Index Cyber Preparedness

FAA Announces Drone Testing Partnerships Beyond Current Regulations

Posted on by

Drone regulations FAA

Yesterday, the Federal Aviation Administration announced three partnerships with companies to expand the operation of unmanned aerial vehicles (UAVs) in an initiative the agency is calling the Pathfinder program.

U.S.-based drone maker PrecisionHawk will be exploring the possibilities of flights over agriculture while testing tracking and a system for drones and planes to remain aware of each other in flight to avoid collisions. CNN will be testing the use of drones for newsgathering in urban areas where drones will remain in the line of sight of operators. BNSF Railroad, owned by Warren Buffet’s Berkshire Hathaway, received permission to test drone operations outside of the operator’s visual line of sight. The company will “explore command-and-control challenges of using UAS to inspect rail system infrastructure,” the FAA reported.

“Government has some of the best and brightest minds in aviation, but we can’t operate in a vacuum,” said U.S. Transportation Secretary Anthony Foxx. “This is a big job, and we’ll get to our goal of safe, widespread UAS integration more quickly by leveraging the resources and expertise of the industry.”

To that end, Pathfinder will allow these corporate entities to research operations that push the boundaries of the recent draft rules released regarding small unmanned aircraft, namely by operating both within and without the visual line of sight requirements currently mandated by the FAA.

“Even as we pursue our current rulemaking effort for small unmanned aircraft, we must continue to actively look for future ways to expand non-recreational UAS uses,” said FAA Administrator Michael Huerta, who announced the initiative at a conference held Wednesday by the Association for Unmanned Vehicle Systems International. “This new initiative involving three leading U.S. companies will help us anticipate and address the needs of the evolving UAS industry.”

This effort is also the first step in realizing some companies’ grander aspirations for drone use, such as the package delivery applications being pursued by Amazon. That being said, the information gathered by these companies will merely provide data to inform future FAA regulations, which are still pending and may only approve broader operations in a few years. Other companies looking into similar applications that are beyond the scope of current draft regulations would still need to apply for and receive a Section 333 exemption from the FAA. While about 300 of these requests have been granted, the agency has received repeated criticism for an exceptionally slow and sometimes mystifying review process.

“The impact of the Pathfinder Program could be profound for several reasons — perhaps most importantly, it shows the FAA is serious about moving quickly to safely and practically integrate commercial drone use in the U.S.,” said Anthony Mormino, senior legal counsel at Swiss Re. “Allowing drone flights beyond the sight of a drone operator is considered the key to unlocking the true potential of commercial drone use.  This collaboration could impact the future rules promulgated by the FAA regarding the line of sight requirement for commercial drones.”

Such developments could also significantly impact insurers. As discussed in “Drones Take Flight,” the April cover story of Risk Management magazine, one of the most promising near-future applications for UAVs could be in the insurance industry in the wake of natural catastrophes or other major claim events. “Reducing or eliminating the visual line of sight limitation on commercial drone use will allow insurance companies to employ UAVs to their fullest extent in insurance underwriting and claims management,” Mormino said. “Consider that the FAA has already granted a number of insurance companies permission to test and use UAVs for insurance inspection purposes. These companies include AIG, State Farm, Erie Insurance Group, and USAA.

buy pepcid online www.gcbhllc.org/scripts/html/pepcid.html no prescription pharmacy

They plan to use UAVs, for example, to more quickly process insurance claims after natural disasters by allowing them to inspect damage —especially in remote locations—in real time.

buy zestril online www.gcbhllc.org/scripts/html/zestril.html no prescription pharmacy

Insurers also plan to use UAVs to obtain imagery and data for use in underwriting, such as roof inspections. Until the FAA mitigates the visual line of sight limitation, however, the foregoing insurance uses for UAVs will remain drastically limited. Success for the FAA’s new Pathfinder program would open the door to potentially even larger scale use of UAVs by insurance companies.”

The implications for insurers also extend to the products and pricing offered. “First, the current dearth of UAS loss data makes it difficult for insurance companies to properly price insurance policies covering drone use,” said Carol Kreiling, senior claim manager at Swiss Re. “It is therefore no surprise that only a handful of insurers actually issue stand alone drone insurance coverage, such as Zurich Insurance in Canada, and Tokio Marine in the Lloyd’s of London market. An increase in commercial use of drones in the US could provide a steady flow of data that would allow more insurers to price and issue coverage for use of UAS. On the other hand, if the Pathfinder program’s goals are fulfilled—to find ways to safely use UAVs outside a pilot’s visual line of sight—increased remote use of drones could raise risk profiles for insurance coverage.

buy tobrex online www.gcbhllc.org/scripts/html/tobrex.html no prescription pharmacy

At the conference, Huerta also announced a new smartphone app called B4UFLY, designed to help model aircraft and UAS users know if it is safe and legal to fly in their current or planned location by pairing geolocations with the relevant restrictions and requirements.

For more about drones, UAV regulations, and the potential impact these machines may have on the insurance industry, check out “Drones Take Flight,” the April cover story of Risk Management magazine.