Financial Services: High-risk security, by the numbers

Enterprise Security, Compliance, Vertical Series

Our latest addition to the industry-by-industry security analysis series is financial services.

Financial services companies in the U.S. lost an average of $23.6 million from cyber-security breaches in 2013, the highest average loss across 26 industries, according to a report from the Deloitte Center for Financial Services. The study by the consulting firm, entitled "Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape", notes that the growth in cyber-crime has continued, if not accelerated, in the industry.

A huge majority (88%) of cyber-security attacks against financial services firms succeed in less than one day, the report says. Detection and recovery lag well behind: only 21% of attacks are discovered within a day, and only 40% of the companies involved are able to restore their business within that one-day time frame.

Read More

SSL v3 vulnerability: this POODLE eats secure cookies

Enterprise Security

What this is:

  • A way for an attacker on the network path to decrypt parts of a connection that is protected only by SSL v3. The flaw is in SSL 3.0's CBC padding, which is not covered by the record MAC, so the server can be used as a padding oracle and plaintext recovered at roughly one byte per 256 forced requests. The usual target is an HTTP session cookie, which then gives the attacker the victim's session

What this is not:

  • A direct method of compromising endpoints: the attack reads traffic, it does not execute code on the client or the server

What is required:

  • A node capable of intercepting and modifying traffic between the two endpoints, an active man-in-the-middle or "bump on the wire"; in practice the attacker also needs the victim's browser to send many requests carrying the target cookie (e.g. via injected JavaScript)

  • Both endpoints (client and server) willing to fall back to SSL v3: browsers retry a failed TLS handshake with older protocol versions, so the attacker only has to break the TLS attempts to force the downgrade
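The mechanism described above, as an added example that is not code from the original post: a toy simulation of the POODLE padding oracle. The record format follows SSL 3.0 (data, then MAC, then padding whose only checked byte is the final length byte); the block cipher is a hypothetical 16-byte Feistel toy standing in for AES/3DES so the demo runs on the standard library alone, and the secret, filler bytes and attacker model (the victim can be made to send requests with chosen filler around the cookie, and the attacker can rewrite records on the wire) are constructed for the demo.

```python
# Added example, not code from the original post: a toy simulation of the
# POODLE padding-oracle attack on SSL 3.0 CBC records. The block cipher is a
# hypothetical 16-byte Feistel toy (an assumption standing in for AES/3DES) so
# that the demo needs only the Python standard library.
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 32   # HMAC-SHA256 stands in for SSL 3.0's MD5/SHA-1 record MAC

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):                      # 4-round Feistel, toy only
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

def sslv3_seal(enc_key, mac_key, data, rng=None):
    """Sender: data || MAC(data) || pad_len arbitrary bytes || pad_len, CBC-encrypted.
    The MAC does not cover the padding and only the final length byte is ever
    checked by the receiver: that is the flaw POODLE exploits."""
    rng = rng or random.Random()
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += rand_bytes(rng, pad_len) + bytes([pad_len])
    iv = rand_bytes(rng, BLOCK)
    return iv, cbc_encrypt(enc_key, iv, body)

def sslv3_open(enc_key, mac_key, iv, ciphertext):
    """Receiver: True if the record is accepted (length byte sane, MAC valid)."""
    body = cbc_decrypt(enc_key, iv, ciphertext)
    pad_len = body[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(body):
        return False
    body = body[:-(pad_len + 1)]              # padding bytes are not inspected
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest())

def poodle_recover(secret, enc_key, mac_key, rng, max_tries=20000):
    """Attacker model: can make the victim send requests with a chosen amount of
    filler before and after the secret (e.g. via injected JavaScript) and can
    rewrite records on the wire. Recovers one byte per ~256 tampered records."""
    recovered = bytearray()
    for j in range(len(secret)):
        prefix_len = (BLOCK - 1 - j) % BLOCK            # secret[j] ends its block
        suffix_len = (-(prefix_len + len(secret) + MAC_LEN)) % BLOCK
        target = (prefix_len + j) // BLOCK              # plaintext block of secret[j]
        for _ in range(max_tries):
            data = b"A" * prefix_len + secret + b"B" * suffix_len
            iv, ct = sslv3_seal(enc_key, mac_key, data, rng)   # victim's record
            chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            # the last block is all padding, so swap it for the target block
            tampered = b"".join(chain[1:-1] + [chain[target + 1]])
            if sslv3_open(enc_key, mac_key, iv, tampered):
                # accepted => the decrypted last byte was BLOCK-1, i.e.
                # P_target[15] ^ C_{target-1}[15] ^ C_{n-1}[15] == BLOCK-1
                recovered.append((BLOCK - 1) ^ chain[target][-1] ^ chain[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; raise max_tries")
    return bytes(recovered)

def demo(seed=2014):
    rng = random.Random(seed)                 # seeded so the simulation repeats
    enc_key, mac_key = rand_bytes(rng, 16), rand_bytes(rng, 16)
    return poodle_recover(b"session=7f3a", enc_key, mac_key, rng)

if __name__ == "__main__":
    print(demo())                             # b'session=7f3a'
```

The server never leaks the plaintext directly; the attacker only learns whether each tampered record was accepted, which is exactly why the fix is to stop speaking SSL 3.0 rather than to patch one endpoint.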


Read More

SSL v3 Vulnerability - Remedies and What You Can Do

Enterprise Security

If you run systems that must keep SSL 3.0 compatibility, you are advised to support the fallback Signaling Cipher Suite Value, TLS_FALLBACK_SCSV: a client that retries a failed handshake with a lower protocol version includes this pseudo cipher suite, and a server that supports a higher version then rejects the handshake instead of completing the downgrade. Note that this only protects clients that send the SCSV; the complete remedy is to disable SSL 3.0 on both ends.

How you disable SSL 3.0 and fallback to lower protocols differs from web server to web server (and from one TLS library to another). Here are some guidelines for the most frequently used web servers:
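The server-side rule behind the SCSV, as an added example that is not code from the original post: RFC 7507 defines TLS_FALLBACK_SCSV as cipher suite value 0x5600, and a server that sees it in a ClientHello offering a version lower than the best it supports aborts with an inappropriate_fallback alert. The ClientHello builder is a minimal hypothetical one (no extensions), the hellos it produces are constructed for the demo, and the decision strings are this example's own convention.

```python
# Added example, not code from the original post: the server-side rule of
# TLS_FALLBACK_SCSV (RFC 7507) applied to constructed ClientHello messages.
# build_client_hello() is a minimal hypothetical builder (no extensions).
import struct

TLS_FALLBACK_SCSV = 0x5600                    # the fallback signaling value
SSL3, TLS1_0, TLS1_2 = (3, 0), (3, 1), (3, 3)
NAMES = {SSL3: "SSLv3", TLS1_0: "TLSv1.0", (3, 2): "TLSv1.1", TLS1_2: "TLSv1.2"}

def build_client_hello(version, suites, session_id=b""):
    body = bytes(version) + b"\x11" * 32     # client_version, fixed dummy random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs  # handshake record

def parse_client_hello(record):
    """Return (client_version, cipher_suites); fields after the suites are ignored."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    hs = record[5:5 + rec_len]
    if content_type != 22 or not hs or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    pos = 4                                    # msg_type (1) + length (3)
    client_version = (hs[pos], hs[pos + 1])
    pos += 2 + 32                              # skip client random
    pos += 1 + hs[pos]                         # skip session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def server_decision(record, server_max=TLS1_2, allow_sslv3=False):
    """RFC 7507: a client retrying a failed handshake at a lower version adds
    TLS_FALLBACK_SCSV; if the server supports something higher than the version
    offered, it aborts with an inappropriate_fallback alert."""
    client_version, suites = parse_client_hello(record)
    if client_version == SSL3 and not allow_sslv3:
        return "reject: protocol_version (SSLv3 disabled)"   # the stronger fix
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "reject: inappropriate_fallback"
    return "accept " + NAMES.get(client_version, str(client_version))

def demo():
    aes = 0x002F                               # TLS_RSA_WITH_AES_128_CBC_SHA
    scsv = [aes, TLS_FALLBACK_SCSV]
    return [
        ("TLS1.2 hello, no fallback",
         server_decision(build_client_hello(TLS1_2, [aes]))),
        ("fallback to TLS1.0 with SCSV",
         server_decision(build_client_hello(TLS1_0, scsv))),
        ("fallback to SSLv3 with SCSV, SSLv3 still enabled",
         server_decision(build_client_hello(SSL3, scsv), allow_sslv3=True)),
        ("fallback to SSLv3 with SCSV, SSLv3 disabled",
         server_decision(build_client_hello(SSL3, scsv))),
        # Caveat: the SCSV cannot protect a client that never sends it
        ("old client without SCSV, SSLv3 still enabled",
         server_decision(build_client_hello(SSL3, [aes]), allow_sslv3=True)),
    ]

if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label}: {decision}")
```

The last case is the one to watch: a legacy client that does not implement the SCSV still negotiates SSL 3.0 whenever the server allows it, so the SCSV complements disabling SSL 3.0 rather than replacing it.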

Read More

Shadow IT and Educational Moments

Cloud Security, DevOps

One of the most serious security challenges for enterprises today is the ease with which users can sidestep IT for the apps and information services they need. The danger is especially high when these employees are also creating and accessing confidential or regulated information. It means this data is sprawling out to apps and clouds that may not have the necessary controls to keep all of this data safe.

What makes this condition worse is that many companies don’t even believe this is going on within their organizations until they are forced to actually see it happening. For instance, just a few weeks ago I was sitting in on a live demo of a network monitoring application at a local company. The CIO there was positive that there were not any “unsanctioned” cloud apps running on their network. I told him I found that hard to believe, but would be impressed if it were so.

Read More

Manufacturing: Big Industry, Big Security Challenges

Service Provider, Reseller, Compliance, Vertical Series

In this latest installment in our series of profiles on security and compliance issues and challenges in various industries, we take a look at the manufacturing sector.

This industry, particularly if we include consumer goods, presents a broad range of companies. And of course security threats can vary depending on what types of products a company makes.

But in general, companies that make goods and equipment are particularly prone to theft of information about how they produce things, especially for high-priced or high-demand items. Given the growth of business competition worldwide, manufacturers these days should expect to be the target of theft of trade secrets and intellectual property via corporate espionage.

For value-added resellers (VARs) and managed services providers (MSPs), the opportunities to assist clients in this sector are plentiful. For one thing, it’s a huge industry. For another, it has a host of information security concerns.

Read More

Managed Service Providers: drivers for competitive advantages? Part 2

Service Provider

This post continues my previous blog post, which discusses the near-future scenario of extreme competition among Managed Services Providers (MSPs).

Differentiation among MSPs will mostly centre on go-to-market areas such as marketing, sales and strategic capabilities, as technology advantages will not hold for long given how quickly new technologies are widely adopted.

In Part 1 we covered the Marketing perspective; in this blog post we cover the Sales perspective and the Strategic perspective.

From a Sales perspective there is a huge difference between selling boxes and selling services. The latter needs a consultative approach to convince customers to sign a service contract. Consultative selling needs dedicated sales teams for each type of service (e.g. managed and cloud services). Recognising the different sales roles (e.g. farmers and hunters) helps with both up-selling and attracting new customers.

Read More

Shellshock is Shocking, According to Shellers


If you’ve had a few spare moments to peruse the news, and happen to do so with an eye toward IT, you’ll have heard about Shellshock. As with many a vulnerability, there are many questions, and in this post I hope to answer some.

What is the problem?

Bash (the Bourne-again Shell) is the command-line interpreter shipped with most Unix-like systems, and it is invoked constantly behind the scenes by scripts, cron jobs and CGI handlers. The vulnerability lies in how Bash imports environment variables (which carry the context a command runs in): a variable whose value begins with "() {" is treated as an exported function definition, and Bash kept parsing and executing whatever followed the function body. So anyone who can set an environment variable that a Bash process will later see (for example through an HTTP header that a CGI script receives) can append commands that Bash runs, instead of merely setting the context of execution.
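Detection for the situation just described, as an added example that is not code from the original post: a scanner that looks for the "() {" function-export prefix in the request line, Referer and User-Agent of web server access logs (the fields a CGI handler copies into the environment), plus the widely circulated local check of whether the installed Bash still executes the trailing command. The log lines are constructed for the demo, and the function names are this example's own.

```python
# Added example, not code from the original post: find Shellshock-style probes
# in web server access logs, and run the common local Bash check.
# The sample log lines below are constructed, not real traffic.
import re
import subprocess
from urllib.parse import unquote

# Bash only treated a value that starts with exactly "() {" as an exported
# function, so that prefix is the signature of a probe; "(){" is not one.
FUNC_EXPORT_RE = re.compile(r"\(\) \{")

# Apache/nginx "combined" format; the quoted fields are request, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.9 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'cat /etc/passwd'"
198.51.100.4 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { _; }; echo; /usr/bin/id" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status?%28%29%20%7B%20%3A%3B%7D%3B%20%2Fusr%2Fbin%2Fid HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Sep/2014:10:02:30 +0000] "GET /search?q=(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

def scan_line(line):
    """Return one finding per header field of the line that carries a probe."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for field in ("request", "referer", "ua"):
        value = m.group(field)
        if field == "request":
            value = unquote(value)        # payloads in the URL arrive percent-encoded
        if FUNC_EXPORT_RE.search(value):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "field": field, "payload": value})
    return hits

def scan_log(text):
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]

def bash_is_vulnerable(bash="bash"):
    """The widely circulated local check: an unpatched Bash prints 'vulnerable'
    while importing the variable; a patched one does not. Returns None if Bash
    cannot be run here."""
    env = {"x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['field']}: {hit['payload']}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

Only three of the five constructed lines are reported: the User-Agent and Referer payloads, and the percent-encoded one in the request line, while the benign "(){}" in a query string is ignored because Bash never treated it as a function export.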

Read More

Continuous Security Monitoring in a Continuous World


In today’s highly virtualized environments, where continuous integration and deployment are the norm, it is simply impossible to manually ensure that both security and regulatory compliance controls are adequate.

With virtualized workloads, apps and the supporting infrastructure constantly updated, your enterprise needs automated security checks to be run continuously alongside them. Gone are the days of running monthly security and regulatory compliance assessments. As continuous integration and deployment pipelines rapidly become the norm rather than the exception, a fundamental shift in the way enterprises view security is essential.

But where to start with continuous security monitoring? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: which endpoints, servers and applications need the most oversight?

Read More

Think like a Dev, act like an Op and harness Security – Part One

Public Cloud, Cloud Security, DevOps

Creating software is a perpetual journey. Just like relationships, technologies start young and reach maturity over time as they evolve through several phases of completion. Some of them don’t reach adulthood because they’re ahead of their time or simply not practical, while others refuse to go quietly due to their massive popularity in the business world.

Regardless of industry and field of activity, truly ground-breaking technologies are designed with a sole intention: to transform the customer experience in ways that no one has done before. With most businesses, however, change doesn’t come naturally, just as habits (good or bad) die hard in a long-term relationship.

Read More

Home Depot, Target, and the business of being owned

Enterprise Security, Compliance

There has recently been some interesting news. It seems that The Home Depot, both in the US and Canada, has experienced a breach. Recall that Target also suffered a breach not long ago.

This raises the question: from a security perspective, does being compliant matter?

There are reports that the malware discovered on Home Depot systems is similar to that discovered on systems at Target. What is striking is that, according to Krebs on Security (who broke the Home Depot story), “On Tuesday, KrebsOnSecurity broke the news that Home Depot was working with law enforcement to investigate ‘unusual activity’ after multiple banks said they’d traced a pattern of card fraud back to debit and credit cards that had all been used at Home Depot locations since May of this year.”

Read More