As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real world applications that make a meaningful impact. This week CyberSheath continues to explore NIST control 800-171, “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.
CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week James Creamer continues to explore DFARS control requirements in detail.
Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis on how privileged account management solutions play an important role for organizations in meeting DFARS requirements.
In previous blogs, CyberSheath security analysts have identified new cyber security requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.
Security researchers at Kaspersky Labs released their Threat Intelligence Report for the Telecommunications Industry Monday, revealing the top attack vectors against Internet Service Providers (ISPs) and Cellular Service Providers (CSPs). The report found that attackers commonly target employees with blackmail. Surprisingly enough, the report found that there are a number of employees that help voluntarily too. Threat actors have been identifying employees from a combination of publically available and data breach information, while dark web forums are full of employees offering their services in exchange for payment and often aide in the blackmailing process. Hacker-recruiters leverage the employee’s access to exfiltrate sensitive information.
Organizations continue to expand their application infrastructure at an alarming rate, whether it be in the cloud or on-site. Studies vary, but an estimated 48% to 65% of servers worldwide are run on some flavor of UNIX. The latest report from the Linux Foundation found that Linux is winning the battle in the cloud with an estimated 79% of cloud deployments running the operating system. Many of these UNIX devices are using SSH keys for authentication instead of passwords for the sake of convenience.
A few short months ago in April, Verizon released their annual publication of the Data Breach Investigations Report, and after reviewing the report, we would recommend that you pack up the rod and reel, and throw your waders on, because the theme of this year’s report is ‘gone phishing for credentials.’
On April 27th, the European Commission signed into law the General Data Protection Regulation (GDPR – Regulation 2016/679 and 2016/680) that will serve to unify 28 (now 27 with the Brexit, perhaps) different privacy laws into one unified regulation applicable to all. The regulations, which are set to go into effect in May of 2018, will require widespread standardization and unification of data privacy requirements across EU member states.
If you’re reading this blog, chances are, it’s your responsibility to understand and enforce your organization’s compliance with the latest PCI Data Security Standards. With the release of PCI DSS version 3.2, the PCI Security Standards Council General Manager Stephen Orfei explained that “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” Privileged accounts and their management is the central point of where people, process, policy, technology and security converge. It is no surprise then that the PCI DSS 3.2 standards spend much of their time stressing the importance of protecting privileged accounts.
Securities and Exchange Commission (SEC) Chair Mary Jo White bluntly told attendees of the Reuters Financial Regulation Summit in Washington D.C. a few short weeks ago that cybersecurity is the single largest risk facing the financial sector reports Reuters. Despite “a lot of preparedness, a lot of awareness” among broker-dealers and investment advisors, Ms. White said, “their policies and procedures are not tailored to their particular risks.” White further stated "we can't do enough in this sector,” a statement proven by the coordinated malware attack that stole $81 million from Bangladesh central bank this past February.