Month: April 2018

CyberArk survey shows organizations are failing to secure privileged accounts and credentials in the cloud, on endpoints and across IT environments. According to the CyberArk Global Advanced Threat Landscape Report 2018, nearly half (46 percent) of IT security professionals rarely change their security strategy substantially – even after experiencing a cyber-attack. This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk. Security starts with protecting privileged accounts An overwhelming number of IT security professionals believe securing an environment starts with protecting privileged accounts – 89 percent stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured. Respondents named the greatest cyber security threats they currently face, including: Targeted phishing attacks (56 percent), insider threats (51 percent), Ransomware or malware (48 percent), unsecured privileged accounts (42 percent), unsecured data stored in the cloud (41 percent).  IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62 percent in 2016 survey to 87 percent in 2018 – a 25 percent jump and perhaps indicative of employee demands for flexibility trumping security best practices. The Inertia that could lead to data compromise The survey findings suggest that security inertia has infiltrated many organizations, with an inability to repel or contain cyber threats – and the risks that this might result in – supported by other findings: 46 percent say their organization can’t prevent attackers from breaking into internal networks each time it is attempted; 36 percent report that administrative credentials were stored in Word or Excel documents on company PCs; Half (50 percent) admit that their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics. Inertia and a ‘Hands-Off’ approach to securing credentials and data in the cloud create cyber risk The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications, or to use cloud infrastructure for illicit crypto mining activities. Organizations increasingly recognize this security risk, but still have a relaxed approach toward cloud security. The survey found that: Nearly half (49 percent) of organizations have no privileged account security strategy for the cloud; More than two-thirds (68 percent) defer on cloud security to their vendor, relying on built-in security capabilities; and 38 percent stated their cloud provider doesn’t deliver adequate protection. Changing the security culture Overcoming cyber security inertia necessitates it to become central to organizational strategy and behavior, not something that is dictated by competing commercial needs. According to the survey: 86 percent of IT security professionals feel security should be a regular board-level discussion topic; 44 percent said they recognize or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74 percent) in the U.S.; and Just 8 percent of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses. “Attackers continue to evolve their tactics, but organizations are faced with cyber security inertia that is tipping the scales in favor of the attacker,” said Adam Bosnian, Executive Vice President, Global Business Development, CyberArk, “There needs to be a greater urgency in building cyber security resilience to today’s attacks. This starts by understanding the expanding privileged account security attack surface and how it puts an organization at risk. Successfully battling inertia requires strong leadership, accountability, clearly defined and communicated security strategies, and the ability to adopt a ‘think like an attacker’ mindset.”

This bulletin outlines the security recommendations that NIST recently provided in Special Publication (SP) 800-125A – security recommendations for Hypervisor Deployment on Servers. The document provides technical guidelines about the secure execution of baseline functions of the hypervisor, regardless of the hypervisor architecture. In the past, a user wishing to set up a computing server generally needed to use a dedicated host with dedicated resources such as a central processing unit (CPU), memory, network and storage. Modern systems have technology that lets one create virtual machines to emulate what used to be physical, dedicated resources. This practice is known as virtualization and supports more scalable and dynamic environments. A critical component of this technology is the hypervisor, the collection of software modules that enables this virtualization and thus enables multiple computing stacks – each made of an operating system (OS) and application programs – to be run on a single physical host. Such a physical host is called a Virtualized Host and is also referred to as a Hypervisor Host. The individual computing stacks are encapsulated in an artifact called a Virtual Machine (VM). To make a VM an independent executable entity, its definition should include resources such as CPU and memory, allocated to it. The VMs are also called ‘Guests,’ and the OS running inside each of them is called ‘Guest OS.’ The resources associated with a VM are virtual resources, as opposed to physical resources associated with a physical host. The hypervisor forms part of the virtualization layer in a virtualized host and plays many of the same roles that a conventional OS does on a non-virtualized host, or server. Just as a conventional OS provides isolation between the various applications, or processes, running on a server, the hypervisor provides isolation between one or more VMs running on it. Also, like an OS, the hypervisor mediates access to physical resources across multiple VMs. Therefore, all other functions needed to support virtualization – such as emulation of network and storage devices and the management of VMs and the hypervisor itself – can be accomplished using kernel-loadable modules, although some hypervisor architectures accomplish these tasks using dedicated VMs. The hypervisor can be installed either directly on the hardware, or bare metal (Type 1 Hypervisor), or on top of a fullfledged conventional OS, called Host OS (Type 2 Hypervisor). Here, we discuss the baseline functions of a hypervisor, how these functions are distributed in a hypervisor, and how this information is used to develop security recommendations that provide assurance against potential threats to the secure execution of tasks involved in the hypervisor’s baseline functions. Hypervisor baseline functions It might appear that all activities related to the secure management of a hypervisor and its hardware host – collectively called the hypervisor platform – should simply consist of established best practices for any server class software and its hosting environment. However, closer examination reveals that the unique functions provided by the Hypervisor Platform require a dedicated set of security considerations. These functions are called hypervisor baseline functions (HY-BF) and are labeled HY-BF1, HY-BF2, HY-BF3, HYBF4, and HY-BF5. They are described below: HY-BF1: VM process isolation Scheduling of VMs for execution, management of the application processes running in VMs (e.g., CPU and memory management), and context switching between various processor states during the running of applications in VMs; HY-BF2: Devices mediation & access control Mediates access to all devices (e.g., network interface card [NIC], storage device such as IDE drive etc). One mediation approach is to emulate network and storage (block) devices that are expected by different native drivers in VMs by using emulation programs that run in the hypervisor kernel; HY-BF3: Direct execution of commands from guest VMs Certain commands from Guest OSs are executed directly by the hypervisor instead of being triggered through in terrupts and context switching. This function applies to hypervisors that have implemented para-virtualization instead of full virtualization; HY-BF4: VM lifecycle management This baseline function involves all functions from creation and management of VM images, control of VM states (start, pause, stop etc), VM migration, VM monitoring, and policy enforcement; and HY-BF5: Management of Hypervisor This baseline function involves defining some artefacts and setting values for various configuration parameters in hypervisor software modules including those for configuration of a Virtual Network inside the hypervisor. NIST SP 800-125A provides detailed security guidance based on an analysis of threats to the integrity of all the above functions. The only exceptions are the set of guidelines for configuration of virtual network (subset of HYBF5), which are covered in a separate document (NIST SP 800-125B). The above functions are carried out by different hypervisor components, or software modules. There are some minor differences among hypervisor products in the way that they distribute these functions. The mapping of these functions to hypervisor components and the location of these components within a hypervisor architecture are described in the table below: Approach for developing security recommendations Developing security recommendations for the deployment and use of a complex software such as the hypervisor requires knowledge of potential threats which, when exploited, would affect the three basic security properties – confidentiality, integrity, and availability – of hypervisor functions. The approach adopted for developing security recommendations for the deployment of hypervisors in NIST SP 800125A is as follows: Ensure the integrity of all components of the hypervisor platform, starting from the host BIOS to all software modules of the hypervisor. This action is accomplished through a secure boot process, outlined as recommendation HY-SR1; Identify the threat sources in a typical hypervisor platform. The nature of threats from rogue or compromised VMs is briefly discussed in SP 800-125A; and For each of the five baseline functions HY-BF1 through HY-BF5 (except for HY-BF3, the direct execution of certain commands from guest VMs by the hypervisor), identify the different tasks under each function, and for each of the tasks, identify the potential threats to the secure execution of the task. The countermeasures that will provide assurance against exploitation of these threats…

Access management can be defined as the process of granting authorized users the rights to use a service, while preventing access to non-authorized users. Following are the key access management growth factors over the next five years. GDPR deadline fast approaching Traditionally, finance, banking, insurance, government, utilities and other heavily regulated end-user sectors have focused on identity- and accessmanagement solutions. However, over the past year there has been growth in non-traditional markets. Not only have the manufacturing and retail sectors become more security conscious, but the increase in the number of data breaches and the looming legislation around General Data Protection Regulation (GDPR) in May 2018 has also piqued renewed interest in security and identity and access management (IAM) solutions. ● Highlight ● The global access management market is projected to increase from $5.4 billion in 2016 to $9.6 billion in 2021. ● Companies with 5,000 or more employees are projected to contribute the largest revenue growth to the access management market over the next five years. ● Over the past year, there has been growth in non-traditional market sectors such as manufacturing and retail. Smaller organizations using access management solutions Access management solutions have traditionally been deployed by larger organizations. In fact, companies with 5,000 or more employees are projected to contribute the largest revenue growth over the next five years, increasing from $4.38 billion in 2016 to $5.4 billion in 2021. The proportional importance of this segment is forecast to decline from 80 percent of total access management revenue in 2016 to around 56 percent in 2021. Small and medium-sized enterprises (SMEs) will steadily increase the amount of access management solutions they deploy. For example, revenue from companies with between 1 and 499 employees is projected to increase from $109.6 million in 2016 to $705 million in 2021. This segment managed to grow from 2 percent of total revenue in 2016 to 7.3 percent in 2021. The introduction of more cloud solutions within the access management market is likely to help SMEs, in particular, because cloudbased access management solutions can be more cost effective and scalable for small and medium enterprises. On-premises hybrid and cloud solutions As there are still a lot of applications running on premises at companies, a significant portion of larger organizations still want some on-premises solutions. Larger organizations are more likely to move to a hybrid model, with some applications running in the cloud as a stepping stone toward full adoption of cloud solutions. Hybrid solutions are projected to increase from $1.1 billion in 2016 to $1.7 billion in 2021. In contrast, smaller organizations are more likely to deploy software-as-a-service (SaaS) solutions, which for them can be more cost effective than on-premises solutions. Technological developments and the battle with hackers There is a continuous battle being waged as hackers increasingly try to gain control of the networks they want to compromise. It is important for organizations to take into account people’s locations, to help detect fraudulent activity and ensure the right people have the right access, at the right time and at the correct location. Technologies like machine learning (ML) and artificial intelligence (AI) are also important weapons in this battle. Leveraging emerging technologies, such as behavioral biometrics, will help to reduce the burden on end-users and increase the validity of identity proofing. Organizations can learn a lot about how people interact with their networks, to give a full picture of how things are evolving, but these technology developments are a bit of a cat-and-mouse game. Blockchain makes security cheaper and more accessible Many organizations have isolated and centralized identity management systems, but the current landscape demands federation and single sign-on (SSO). These systems make identity management, protection and verification very cumbersome, costly and risky for industry enterprises and government agencies. Blockchain has the potential to introduce improvements that can make security more accessible and budget friendly. With smart contract capabilities, there can even be a secondary market where users benefit from sharing resources back to the network. Smart contracts automatically execute pieces of code carrying valuable data or performing other condition-based executions. A permissioned blockchain technology provides core capabilities that enable a trusted digital identity network to build and operate the following: A shared, append-only ledger, with one version of the facts shared across all permissioned network participants in real time. Smart contracts that ensure verifiable and signed business logic is executed in each transaction. Trust between known participants, to verify transactions and ensure records are valid. Privacy and security measures that grant access only to permissioned parties. Cybersecurity – Access Management Report 2018 This two-volume report provides coverage in several key areas of the identity and access management market, including access management and identity governance and administration. It provides detailed analysis of individual vertical markets from market-specific operating models to key trends and development opportunities.