Box Security in Spotlight

After suffering a 46% decline in quarterly profit in Q4 following a wide-reaching breach in which millions of customer credit cards were stolen, Target CEO Gregg Steinhafel resigned from the company Monday. Following the incident, investors are increasingly focused on cyber security. “What we’ve seen is that cyber attacks can have a real impact on the bottom line,” says analyst Jason Niedermeier.

As the online file sharing and collaboration service Box prepares for its IPO, all eyes are on Box’s security programs. Box offers an online service that allows individuals and companies to store and exchange data over the Internet. Rather than the company storing data in its own datacenters, employees at a company using Box log in to a website, and their files are stored in Box’s datacenters, which reduces IT expenses.

Such an arrangement, in which data and applications are run and accessed over the Internet, is known as the “cloud,” and its security is being questioned. The NSA revelations brought to light by Edward Snowden exposed a widespread surveillance program that sought to undermine the security of Internet transactions so that the NSA could eavesdrop on them; the weaknesses introduced could also be used by other third parties if discovered.

For companies like Box, security is now a major selling point for corporate clients. Osterman Research, a technology analyst firm, estimates that 90% of file sharing revenue will come from corporate clients and not consumers. While experts agree that Box security controls are among the best in the industry, it will be important for the company to continue bolstering its security credentials in light of the Target incident.

In addition to Box’s own security, further controls are provided by an ecosystem of third-party providers offering data loss prevention, audit trails of user activity, and malware detection. With these controls, Box is well positioned compared with rivals Dropbox and Google Drive.

Security Industry Pivots from Antivirus to Cloud Data Security

Antivirus software has been a mainstay of computer security for well over two decades, but that era is coming to a close. Even major security software vendors are admitting that this new era demands new tools. “Antivirus is dead,” says Brian Dye, Senior Vice President for Information Security at Symantec, which in 2013 brought in over $1 billion in revenue from its flagship Norton Antivirus product line.

What’s changed is that hackers have adapted and now develop viruses that come in many different variants. By the time one variant, or version, of a virus is added to antivirus definitions, it has already splintered into millions of other variations with different software fingerprints. These variations are undetectable by antivirus software until they too are added to the definitions. The new focus is on cloud data security, not on detecting viruses, say experts.

In this new threat landscape, a new generation of security approaches has emerged to secure the data itself and to detect threats in progress so they can be shut down, rather than prevented. The recent sacking of Target CEO Gregg Steinhafel shows just how severe a data breach can be for the reputation and revenue of major companies. That’s because hacking is more than a recreational hobby; it’s now big business, backed by nation states and criminal organizations. And as more data moves to the cloud, cloud data security will become more prominent.

The security industry is already moving to address the threats of this new cloud world and to ensure cloud data security using a new set of tools. In the case of Target, however, the technology alone may not be enough. The company had a security tool in place that correctly identified the breach and alerted the IT security team, but the alert was not followed up on for over a week while millions more credit cards were stolen. It’s clear that a mix of people, process, and technology will be needed.

SaaS Security Under Scrutiny After High Profile Breaches

The firing of Target CEO Gregg Steinhafel this week underscored just how important computer security is to modern corporations. “I think it’s a clear sign that we’re in a new era, one in which companies are engaged in what you could clearly call asymmetric warfare against an insurgency,” says security expert Charles Nguyen who likens cyber intrusion to the kind of disruption companies face in war zones.

The new battlefield is almost completely invisible, with battles fought in ones and zeroes sent between computers at light speed over fiber optic cables that encircle the world. As commerce has become increasingly reliant on technology, new vulnerabilities are coming to light. This increased reliance on technology is converging with a shift in hacking from a hobby to the foundation of criminal enterprise and even state-sponsored military insurgency.

Nowhere is this more evident than in the software-as-a-service (SaaS) applications being used by companies. SaaS Security is an increasingly prominent topic among those in IT security, whether at security conferences or even in the corporate boardroom. “I’ve had clients tell me they are presenting the state of their SaaS Security to the board of directors, because cloud is now a board-level concern,” says Nguyen who advises security teams at Fortune 500 companies.

But technology is not enough, he says, to achieve SaaS security. In the case of Target, the company had a security software tool that detected the breach as soon as it began. The failure lay with the security team, which did not follow up on the alert it received while the breach continued for another week and millions of customer credit cards were stolen. For that reason, Nguyen says companies also need old-fashioned people and process to be secure.

Latest Addition to the CIO Job Description: Cloud Service Broker

The role of the chief information officer (CIO), one of the newer additions to the C-suite, is undergoing a substantial transformation. “Ten years ago, the CIO was the chief buyer and builder of a massive internal network of technology. Now, you’re seeing the CIO transition to the role of a broker for externally maintained cloud services, adding a layer of enablement, integration, and security,” says Redwood analyst Michelle Chakraborty.

The shift to the cloud is being likened to a similar shift in the consumption of electricity a century ago. In the early days of electricity, companies manufactured and ran large electricity generation facilities next to their factories, not unlike how companies today maintain large data centers to power knowledge workers. However, as electricity became more mainstream, its generation was centralized at large power plants, and then transmitted across the country to factories.

Computing power, once a significant differentiator for companies that could harness it, is quickly becoming a commodity and consumed like a utility. “Always on-demand and reliable computing power from cloud providers like Amazon and Google are allowing companies to focus on the value they offer on top of those platforms, rather than the actual computing platform itself. It’s a big change,” says Chakraborty.

What that means for the CIO is that the job is transitioning to one of purchasing computing power and applications consumed by employees, without actually maintaining datacenters or building the software internally. However, this doesn’t mean the role is disappearing anytime soon. A new role, one that Gartner defines as the “Cloud Service Broker,” is emerging, whereby IT provides a layer of management and streamlines the consumption of the cloud.

Gartner expects 30% of companies will deploy a cloud service broker function, either internally or from an outside provider. The benefits of the cloud service broker can include reducing the risk of cloud with strong security and compliance, adding visibility and analysis of usage, centralizing audit trails and policy enforcement, and streamlining the acquisition process for buying cloud services. Whether the function is performed internally or externally, survey respondents are clear that the CIO is ultimately responsible for it getting done, with 80% saying the CIO or a designee is responsible for cloud service broker capabilities.

When deciding whether to insource or outsource this new function, think about your own organization’s capabilities. If you prefer operational funding over capital spending, if the cloud service broker is not a core competency of IT, if an external CSB can be deployed more rapidly, or if employees rely on a large number of cloud security services, then it may make more sense to outsource the role. Whether it’s performed internally or outside the company, this new responsibility is a clear indicator of how the role of the CIO is changing.

Protecting Your Company from Backdoor Attacks – What You Need to Know

“We often get in quicker by the back door than the front” — Napoleon Bonaparte
A rare example of a backdoor planted in a core industry security standard has recently come to light. It is now widely believed that the NSA compromised trust in NIST’s Dual EC DRBG standard by adding the ability for the NSA to decipher any encrypted communication over the Internet. This incident brings to the fore the question of how much trust is warranted in the technologies that enable business over the Internet today.


There are only a few organizations in the world (all with three-letter acronyms) that can pull off a fundamental backdoor coup such as this. More commonly, entities undertaking backdoor attacks do not have that level of gravitas or such far-reaching ambitions; instead, the majority leverage backdoors for cybercrime missions ranging from advanced persistent threats against specific target companies to botnets and malware/adware networks for monetary gain. In these instances, cloud security services are a favorite vector for injecting backdoors into the enterprise.


What can we really trust?
In his 1984 Turing Award acceptance speech, titled Reflections on Trusting Trust and perhaps the first major paper on this topic, Ken Thompson points out that trust is relative and describes the threat of backdoor attacks. The backdoor mechanism he describes relies on the fact that people only review source code (the human-written form of software), not compiled machine code. A program called a compiler creates the latter from the former, and the compiler is usually trusted to do an honest job. However, as he demonstrated, this trust in the compiler can be, and has been, abused.


Inserting backdoors via compilers
As an example, Sophos Labs discovered a virus attacking Delphi in August 2009. The W32/Induc-A virus infected the compiler for Delphi, a Windows programming language, and introduced its own code into every new Delphi program compiled, allowing it to infect and propagate to many systems without the programmer’s knowledge. An attack that propagates by building its own Trojan horse can be especially hard to discover; it is believed that the Induc-A virus had been propagating for at least a year before it was found.

While backdoors in compilers are more frequent than backdoors in standards, they are not as prevalent as backdoors in open-source software. Enterprises freely trust both closed- and open-source software, as evidenced by their extensive use today. In our experience, we have not come across any corporate enterprise that does not use (and hence trust) at least some open-source software.


The open-source conundrum
The global contributor base and publicly reviewable source code are both hallmarks of an open-source ecosystem that provides transparency and value for free. Yet these same characteristics pose the biggest risk of backdoor exploits into enterprises by malicious actors intent on capturing competitive advantage.

Whereas influencing (or writing) an industry standard requires surmounting huge barriers, open-source projects let an attacker pick from any of the millions of projects available (more than 300,000 hosted on SourceForge alone, at last count), distributed through hundreds of mirror sites, which opens up a broad attack surface.


One of the earliest known open-source backdoor attacks occurred in none other than the Linux kernel, exposed in November 2003. This example shows just how subtle such a code change can be. In this case, a two-line change that appeared to be a typographical error actually gave the caller of the sys_wait4 function root access to the system.
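The kernel change described above is the classic case of a single “=” (an assignment) appearing where “==” (a comparison) belongs. As an added illustration, not taken from the article or from the kernel code itself, here is a small review-time scanner that flags any assignment inside an if/while condition in C source, including one wrapped in its own parentheses. The function names, the sample C source, and the output format are this example’s own assumptions; the sample is constructed and is not the 2003 change.

```python
"""Review-time check for assignments hidden inside if/while conditions in C source.

Added example, not from the original article. It reports every single '='
inside an if/while condition so that a reviewer can look at each hit and
decide whether it is an idiom or a mistake. Names and the sample source are
this example's own assumptions.
"""
import re

# Matches the keyword and the opening parenthesis of an if/while condition.
CONDITION_START = re.compile(r"\b(if|while)\s*\(")


def balanced_condition(text, open_idx):
    """Return the text between the parenthesis at open_idx and its match, or None."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return None


def assignment_offsets(condition):
    """Offsets of every '=' in the condition that is an assignment.

    '==', '!=', '<=' and '>=' are comparisons and are skipped; a '=' with any
    other neighbour (including compound forms such as '|=') is an assignment.
    String and character literals are not parsed, so a '=' inside one would be
    reported too; a reviewer discards those by inspection.
    """
    offsets = []
    i = 0
    while i < len(condition):
        if condition[i] != "=":
            i += 1
            continue
        prev = condition[i - 1] if i > 0 else ""
        nxt = condition[i + 1] if i + 1 < len(condition) else ""
        if nxt == "=":                 # '==': skip both characters
            i += 2
            continue
        if prev and prev in "!<>":     # '!=', '<=', '>='
            i += 1
            continue
        offsets.append(i)
        i += 1
    return offsets


def find_assignments_in_conditions(source):
    """Return (line_number, normalised_condition) for each condition holding an assignment."""
    hits = []
    for m in CONDITION_START.finditer(source):
        cond = balanced_condition(source, m.end() - 1)
        if cond is None:
            continue
        if assignment_offsets(cond):
            lineno = source.count("\n", 0, m.start()) + 1
            hits.append((lineno, " ".join(cond.split())))
    return hits


# Constructed sample (not the kernel change): a benign comparison, an
# assignment disguised among comparisons, and the common getchar() idiom.
SAMPLE_SOURCE = """\
#include <stdio.h>

static int privileged(int uid, int opts)
{
    if (uid == 0)
        return 1;
    if ((opts == 3) && (uid = 0))
        return 1;
    if (opts != 0 && uid >= 1000)
        return 0;
    return 0;
}

static int drain(void)
{
    int c;
    while ((c = getchar()) != EOF)
        ;
    return c;
}
"""

if __name__ == "__main__":
    for lineno, cond in find_assignments_in_conditions(SAMPLE_SOURCE):
        print(f"line {lineno}: assignment in condition: {cond}")
```

Run on the sample, the scanner reports line 7 (the disguised assignment) and line 17 (the getchar() idiom). Both are reported on purpose: a compiler’s assignment-in-condition warning is normally silenced by the extra parentheses, which is exactly the form a subtle change takes, so the check flags every assignment and leaves the judgement to the reviewer.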


Hiding in plain sight
Given the complexity of today’s software, it is possible for backdoors to hide in plain sight.
More recently, many backdoors have been exposed, including an incident last September involving an official mirror of SourceForge. In this attack, users were tricked into downloading a compromised version of phpMyAdmin, a web-based tool for managing MySQL databases, that contained a backdoor allowing remote attackers to take control of the underlying server running it. In another case, which came to light as recently as August 2013, a popular open-source ad software (OpenX) used by many Fortune 500 companies was found to have a backdoor giving hackers administrative control of the web server. Worse than the number of these backdoors is the time elapsed between the planting of a backdoor and its discovery: these backdoors often go unnoticed for months.


How to prevent backdoor attacks
The reality in today’s enterprise is that software projects and products with little or unknown trust are leveraged every day. We have found that many of these backdoors elude malware detection tools because there are no executables to scan. Enterprises must now look for new ways to track the open-source projects that enter from external, untrusted sources such as open-source code repositories, and must be able to respond rapidly to any backdoors discovered in those projects. If not, these backdoors have the potential to inflict serious and prolonged harm on the enterprise.
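One practical step toward tracking what enters from external sources, and one that would have exposed the compromised phpMyAdmin download served by the mirror described above, is to verify every downloaded archive against checksums obtained from the project’s own release page rather than from the mirror that served the file. The following added example (not from the article, and not any project’s own tooling) parses a manifest in the common sha256sum layout and reports each download as verified, mismatched, or absent from the manifest. The file names, manifest, and archive contents are constructed for this example; the first digest is the real SHA-256 of the bytes b"abc", which stand in for an archive.

```python
"""Verify downloads against checksums published by the upstream project.

Added example, not from the original article. The manifest is assumed to
have been fetched separately from the project's own site, never from the
mirror that served the archive. Names, manifest and sample archives are
constructed for this example.
"""
import hashlib
import hmac

# Constructed manifest in the `sha256sum` output layout ("<hex digest>  <file>").
# The first digest is the real SHA-256 of the three bytes b"abc", which stands
# in for an archive here; the second is the SHA-256 of empty input.
TRUSTED_MANIFEST = """\
# example-tool 1.0 release checksums (constructed)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-tool-1.0.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *example-tool-1.0-docs.zip
"""


def parse_manifest(text):
    """Map file name -> expected hex digest; reject malformed lines instead of skipping them."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 checksum line")
        try:
            int(parts[0], 16)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hexadecimal")
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):       # sha256sum marks binary mode with a leading '*'
            name = name[1:]
        expected[name] = digest
    return expected


def sha256_hex(data, chunk=1 << 16):
    """Hash bytes in fixed-size chunks, the same loop a file-reading caller would use."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_download(name, data, expected):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    digest = expected.get(name)
    if digest is None:
        return "unlisted"
    # Constant-time comparison avoids leaking how many leading characters matched.
    if hmac.compare_digest(sha256_hex(data), digest):
        return "ok"
    return "mismatch"


def verify_all(downloads, manifest_text):
    """Check every (name -> bytes) download; anything not 'ok' should block installation."""
    expected = parse_manifest(manifest_text)
    return {name: verify_download(name, data, expected) for name, data in downloads.items()}


# Constructed downloads: a good archive, an empty docs bundle, and a file the
# manifest does not mention at all. TAMPERED_DOWNLOADS serves a different
# archive under the same name, as a compromised mirror would.
SAMPLE_DOWNLOADS = {
    "example-tool-1.0.tar.gz": b"abc",
    "example-tool-1.0-docs.zip": b"",
    "example-tool-1.0-plugin.zip": b"not in the manifest",
}
TAMPERED_DOWNLOADS = {"example-tool-1.0.tar.gz": b"abd"}

if __name__ == "__main__":
    for name, verdict in verify_all(SAMPLE_DOWNLOADS, TRUSTED_MANIFEST).items():
        print(f"{verdict:9} {name}")
    print(verify_all(TAMPERED_DOWNLOADS, TRUSTED_MANIFEST))
```

Treat "unlisted" as a failure as well as "mismatch": an archive the upstream project never published a checksum for has no provenance, which is the situation the paragraph above warns about. Where the project signs its release manifests, verify that signature before trusting the manifest at all.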

SaaS Security Highlighted in New Report

A recent report on SaaS security highlighted a number of developments, including that the average company in Europe uses 588 cloud services, almost as many as US companies, which average 626. That shows European employees are just as prolific in embracing SaaS applications at the office, despite their potential risks.

Other key findings from the report, which surveyed over 1 million workers in the EU and UK:

Adoption of Cloud Services in Europe is Similar to U.S.
Data from more than 1 million users in Europe suggests that the adoption of cloud services is similar to the U.S. On average, a European organisation has 588 cloud services in use, compared to 626 in the U.S.

Organisations Need to Educate Employees on Data Protection Directives and Privacy Laws
Employees are unaware of the risks of cloud services and are unknowingly putting their organisations at risk. Of the 2,105 cloud services used, only 9% provide enterprise-grade security capabilities, and 72% store data in the US. Furthermore, only 12% encrypt data at rest, 21% support multi-factor authentication, and 5% are ISO 27001 certified.

Petabytes of Data Being Stored in U.S. Data Centres
Collaboration, Content Sharing, and File Sharing are the most widely used cloud service categories. Among the top 10 services in each category, only 5 of the 30 cloud services are headquartered in Europe. Twenty-five of the top 30 providers are based in countries (U.S., Russia, China) where privacy laws are non-existent compared with those in Europe.

U.S. Does Not Have Grip On Social Media
Four of the Top 10 social media sites are headquartered outside the U.S. Of the four non-U.S. based social media sites, 2 are headquartered in Europe (Xing, Badoo), 1 in Russia (VK), and 1 in China (Weibo).

Tracking Services Present Significant Danger
Unbeknownst to IT, there are 49 different services that are tracking employees’ behaviour on the Internet. All of these services are based in the U.S. and expose organisations to watering hole attacks.

SaaS Security Final Piece Before Adoption Spreads

According to industry research from IDG, companies want to adopt new cloud technology but are waiting until SaaS security is more developed. That’s the situation US auto parts supplier Artes Electric is in. Its CIO, Eric Atkins, said on a panel at RSA Conference, “We see a lot of value in SaaS applications but are taking a wait-and-see approach before uploading our sensitive data.”

Experts agree there is still some way to go before SaaS applications meet the security and compliance requirements of corporate customers. The context of the information being uploaded is also important. According to Justin Somaini of Box, “a [movie] script is just a file for all intents and purposes. But movies are there to get an emotional reaction.”

That makes the actual footage of the movie much more valuable. Leaking a blockbuster movie online before it debuts in theaters can impact the bottom line of content owners. In the case of the largest movies, these breaches can dampen theater ticket sales by tens or even hundreds of millions of dollars over the initial release of the movie in theaters. That makes uploading such data to the cloud look risky for production companies.

Still, there are significant benefits to leveraging on-demand services despite the SaaS security concerns. Collaborating on a film in real time from anywhere in the world is much easier with the new generation of collaboration tools than with email and other traditional applications alone.

What’s needed before more widespread adoption of SaaS in enterprises is greater visibility into which apps employees are using and the risk each one carries. From there, security teams can determine which pose a risk and which are safe enough to host sensitive information. “It’s all about the context of the information and the security controls of the SaaS application.”