All Security Pros Want for Christmas: Smarter Users, Decoy Networks

People like to see gifts from their wish lists under the Christmas tree, and security pros are no exception. Here are things some cyberwarriors would like old St. Nick to deliver to them.

The wish at the top of Ryan Kalember’s Christmas list would be a tough one for Santa to fulfill, said the senior vice president for cybersecurity strategy at Proofpoint.

“It’s probably never going to happen, but it would be fantastic to get smarter users who are less susceptible to social engineering,” he told TechNewsWorld.

Nine out of 10 data breaches start with a phishing email, Kalember noted. In order for phishing to work, a user needs to click a link, open an attachment or follow directions that lead to trouble.

“Smarter users would be wonderful if that were a thing that were actually achievable,” he said.

Social Media Visibility

Another gift Kalember would like to receive is more visibility into the threat landscape posed by social media.

Criminals have increased their targeted attacks on social media, he said. “It’s a very good way to get at somebody. It’s endemic on LinkedIn.”

Brands on social media also are being used to attack customers. For example, many brands offer customer support services on Twitter. Those services aren’t always offered 24/7. During downtimes, hackers can exploit the service accounts to lure users seeking assistance into trouble.

“Visibility into social, which is very much a wild, Wild West when it comes to security, is something I’d like under the tree,” Kalember said.

Vendor Cooperation

Another welcome gift from security solution vendors: better cooperation, he said.

“I would love it if the vendors worked together more cooperatively. That would be an abstract present that would difficult to fit under the tree,” Kalember said.

“Products in the cybersecurity world don’t work together because the vendors don’t have a strong incentive to work together. They’re trying to sell products. They’re not primarily motivated by solving the cybersecurity problem,” he observed.

An “extraordinarily well-received” gift would be “if we could have more vendors working together proactively without customers forcing vendors to work together,” Kalember added.

Gift From EU

Pritesh Parekh, chief information security officer atZuora, would like a gift from the European Union under his tree.

“I’d like the EU not to focus on data residency,” he told TechNewsWorld. “Rather, I’d like them to focus on security and privacy of data.”

Following the revelations by Edward Snowden of unfettered state-sponsored snooping by the U.S. government, European nations began imposing restrictions on storing their citizens’ data outside the physical boundaries of their nations.

As hackers have proved again and again, though, it doesn’t matter where data resides if an attacker is determined to get at it. Russian hackers have stolen data from the White House. Chinese bandits haveinfiltrated The New York Times.

“It doesn’t matter where data resides,” Parekh said. “It doesn’t make sense in the cloud world.”

Removing the residency requirement would be a gift all U.S. cloud providers would welcome because it would allow them to better compete with their overseas counterparts for data business.

Security of Things

Parekh also would like vendors making goods and services for the Internet of Things to start thinking seriously about security.

“2015 was an eye-opener for a lot of the IoT vendors. We’ve seen hacks of cars. We’ve seen hacks around medical devices. We’ve seen hacks around refrigerators, toasters — anything that’s connected,” he said.

“This isn’t just about protection of personal data. It’s about the physical security of the consumer. That’s why having IoT vendors embed security into their product life cycle is on my gift list,” Parekh added.

Better Intrusion Detection

Also on his wish list are better intrusion-detection systems to nip threats before they can blossom.

“Current intrusion systems either don’t catch most of the intrusions, or if they do, they spit out so much information that the hack gets buried in the alerts,” Parekh said.

The well-publicized data breach at Target, where payment card information for 42 million customers was stolen, is an example of intrusion-detection failure, he said.

“Target had a system to detect intrusions. It detected the intrusion, but there were like a million alerts, so they couldn’t figure out which one to look for. So the information is useless because you’re buried in alerts,” Parekh noted.

“Intrusion-detection systems have to solve the real-world problem of detecting the right alerts,” he added.

Data Correlation

Rick Orloff, chief security officer atCode42, would like to see true data correlation under his company’s tree on Christmas morning.

“If you look at any of the large security breaches that were in the news in the last year, after the breach, the company was able to come back and say, postmortem, ‘We learned what happened. Here is what it is,'” he told TechNewsWorld.

They can do that because they can do a complete data correlation during their post-incident investigation.

“Companies may have data in place, but they don’t have what they need in place to turn that data into actionable information,” Orloff said.

“The data is there. It’s just not being converted into intelligence,” he added.

Decoy Networks

Also on Orloff’s wish list is the ability to create decoy networks to identify data breaches.

“Those technologies are just starting to mature,” he said.

“People have always had honeypots, but that’s like putting a buoy in the middle of the ocean,” Orloff continued.

Honeypots are servers set up by security firms to collect malicious traffic on the Internet for analysis. Decoy networks, or honeynets, bait all the servers in the enterprise.

“If an attacker penetrates any server and tries to use the honeynet credentials, you’ll get a pretty quick alert that someone is attacking the network either internally or externally,” Orloff said.

Will these security pros find any of these gifts under their trees? They’ll have to wait until Christmas morning to find out.

Breach Diary

• Dec. 14. Kromtech, maker of MacKeeper, confirms personal data of 13 million users was placed at risk by security flaw on a server hosting its customer database.
• Dec. 14. Twitter warns some of its users that they may be the targets of a cyberattack sponsored by a nation-state.
• Dec. 14. The University of Washington agrees to pay $750,000 to the Office for Civil Rights of U.S. Department of Health and Human Services to settle a 2013 data breach case involving the health information of 90,000 patients.
• Dec. 14. Databreaches.com reports security researcher Chris Vickery discovered data leaks in fitness app iFit and the Hzone dating app for HIV-positive singles.
• Dec. 14. The Georgia Department of Human Resources releases a report on data breach placing at risk personal information of 6 million voters in the state. The breach was caused by a former employee of the secretary of state’s office circumventing standard policies and procedures.
• Dec. 15. British police arrest a 21-year-old man in connection with a data breach at VTech that compromised data on 6.4 million children.
• Dec. 15. Connecticut dry cleaning chain Swiss Cleaners warns patrons a data breach of its systems has placed at risk payment card transactions made at the company’s eight locations between December 2014 and October 2015.
• Dec. 16. Target disables its shopping app after security firm Avast reports a flaw in the software that could be exploited to obtain personal data of users.
• Dec. 16. Verizon releases data breach report on the healthcare industry. It includes finding that 45 percent of all healthcare breaches result from lost or stolen devices.
• Dec. 16. The European Union releases a draft framework for data sharing and collection, including a requirement that regulators be notified with 72 hours of a company discovering a data breach.
• Dec. 16. U.S. House Subcommittee on Financial Services Oversight and Investigations holds a hearing on the security and data collection practices of the Consumer Financial Protection Bureau.
• Dec. 17. Juniper Networks announces it found a flaw in its software that allows an attacker to decrypt VPN traffic. It has found no evidence the flaw was exploited and has released patch to address the problem.
• Dec. 17. LifeLock pays $100 million to settle a complaint by Federal Trade Commission that the company failed to comply with a court order requiring it to secure personal information of consumers and abstain from deceptive advertising.
• Dec. 17. Safeway reveals it discovered credit card skimmers at five of its stores. The devices were discovered during routine maintenance and only a few payment cards were affected.
• Dec. 17. Landry’s announces it has launched an investigation into reports that some of its patrons found unauthorized charges on their payment cards after using them at some of its restaurants.
• Dec. 17. Optus, which runs Freelancer.com, confirms a third-party service provider posted to a public website a spreadsheet containing confidential company information. The data of 31,150 customers was involved in the incident, Crikey reports.
• Dec. 17. BitSight releases a study of 30,000 companies that finds businesses that have at least one instance of BitTorrent running on their systems were more likely to have signs of botnet or other compromises.
• Dec. 18. The Democratic National Committee suspends access to its voter information database to the presidential campaign of Sen. Bernie Sanders after its staffers exploited flaw in DNC system to compromise data belonging to rival Hillary Clinton.
• Dec. 19. The DNC restores access to its voter information database to Sanders’ presidential campaign but says it will continue to investigate the breach that allowed the campaign to gain unauthorized access to Clinton campaign data.

Upcoming Security Events

• Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
• Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
• Jan. 21. From Malicious to Unintentional — Combating Insider Threats. 1:30 p.m. ET. Webinar sponsored by MeriTalk, DLT and Symantec. Free with registration.
• Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
• Jan. 26. Cyber Security: The Business View. 11 a.m. ET. Dark Reading webinar. Free with registration.
• Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
• March 18. Gartner Identity and Access Management Summit. London, UK. Registration: before Jan 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector. $1,950 plus VAT.
• June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.