Cybersecurity experts applauded the introduction of a new Senate bill in July that would mandate minimum security standards for the growing number of internet-connected devices and sensors used by the federal government.
The bipartisan bill, called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, is sponsored by the co-chairs of the Senate Cybersecurity Caucus, Sen. Mark Warner, D-Va., and Sen. Cory Gardner, R-Colo., and Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-09-18 00:28:502018-05-03 16:08:29Bipartisan Bill Jump-Starts Badly Needed Security for Internet of Things
What is data worth? On the surface, it is just a bunch of 1s and 0s on a hard drive. Most users don’t think about or even fully understand data. Their cell phones work, email is at their fingertips, and a friend is just a video chat away. But, enormous companies are built using data. Data is a big driver of economy, advertising, and business decisions. On the darker side, data is a target for attackers, who find a large market for it.
When it comes to personal data, is your credit card or your health information worth more? According to the Ponemon Institute[i], health records have sold for $363 per record — more than the price of stolen credit cards and service account credentials combined! 2015 was known for healthcare mega-breaches. It’s estimated that half of US citizens’ medical information is available for purchase, with 112 million records becoming available in 2015. Supply and demand works here, too. Due to the large number of records available on the black market, the price has dropped significantly in recent months. This doesn’t mean the healthcare industry is out of the woods. According to McAfee Labs[ii], healthcare attacks are increasing even though the average price per record is dropping.
Personal health information (PHI) is attractive because it lasts longer and is more difficult for victims to protect. Unlike the credit card industry, the healthcare industry hasn’t come up with a good way to stop and prosecute fraudulent charges. If you see your credit card is used by someone else, you can call up and have the charges reversed and a new card issued. This isn’t the case with your PHI. Likewise, it is more difficult to see if your PHI was used to buy drugs or equipment. How often do you check your medical bills compared to your credit card statements? Additionally, PHI opens the door for attackers to steal victims’ identity, or buy and sell medical equipment and drugs with the stolen information. Because they have such valuable information, healthcare organizations must take an active role in protecting their data, yet not close it down so tightly they can’t remain in business.
Recently, I went on Shodan, a search engine that scours the internet and gathers information about all connected devices. It isn’t secret; anyone can use it to search for vulnerable devices. In the US alone, I found hundreds of devices belonging to organizations that handle sought-after health information. These organizations used insecure protocols, services, and software with known exploits — illustrating the seriousness of this problem.
The healthcare industry must overcome the same challenges other industries face. It is only unique in the value of its data. Lack of finances, expertise, and time all compound the problem. I call this the Security Triangle (a spinoff of the Project Triangle). You have expertise, time, and finances and you only get two. RedSeal can help healthcare organizations balance out this security triangle. When a healthcare organization installs RedSeal, the automation it provides will free up their experts to handle other pressing issues.
RedSeal will parse through the configurations of multiple vendors and visualize all paths from the internet to the inside of your network. RedSeal offers a single pane of glass for your network, vulnerabilities, best practice checks, and policies, to simplify the understanding of information flows. You can set up RedSeal to alert you if your organization is at risk from an insecure protocol being accessible to the web. Without RedSeal, this process is painstakingly manual, requiring a great deal of time and resources to fully understand.
With RedSeal in your network, you can ensure that your organization’s policies are followed. If there are any changes that increase the risk to the organization, the dashboard will alert you. Organizations that keep medical data can set up policies to alert them if internet devices can directly access medical records, or if they can leapfrog into the network through some other server. Normally this requires a plethora of tools or manual labor, making the process complex. Once configured, RedSeal will automatically check policies to ensure access to critical systems remain as configured. If new access is introduced, the dashboard will alert you — saving time and resources, and freeing up your experts to more urgent tasks.
Healthcare organizations using RedSeal can automate manual tasks and improve security, freeing up their resources to take on more urgent matters — saving lives.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Nate L. Cash, Senior Director, Federal Professional Services/ Director of Information Securityhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngNate L. Cash, Senior Director, Federal Professional Services/ Director of Information Security2017-09-12 05:00:172023-03-30 19:08:03Protecting PHI, Challenges and Solutions for Healthcare
Strategic News Service | Global Report on Technology and the Economy | September 4, 2017
By Ray Rothrock, RedSeal Chief Executive Officer
RedSeal CEO Ray Rothrock contributed a Special Letter to the Strategic News Service Global Report on Technology and the Economy. In it, Ray starts with history of cyber security, from the early days of the World Wide Web in the early 1990s where cyber was a technical issue managed by engineers and similarly skilled people. Things have changed drastically, and today cybersecurity is everyone’s problem, and everyone must be involved. As a result, it takes a strategy of policy, technology, personnel, and investment to do it correctly.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-09-11 05:56:082018-12-10 12:45:05Cyber Security is Everyone’s Business
I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold. What are these magazines supposed to do? Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”
The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again. The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.
The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.
And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.
So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated. For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly. We should listen to their advice.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Dr. Mike Lloyd, CTO, RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngDr. Mike Lloyd, CTO, RedSeal2017-09-05 05:00:132020-05-19 09:31:10Keep Up with the Basics
Smart cities will either be flexible or secure – they are not at all likely to be both. Why? Cities are sprawling, complex affairs – they change and grow without central control. Indeed, attempts to build centrally planned cities have generally been disastrous. Historically, cities only work when many individuals can all optimise independently for their own goals and objectives, without central control.
https://www.redseal.net/wp-content/uploads/2017/09/iStock-588957634.jpg476735RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-09-01 13:42:312018-12-10 12:44:46How Smart City Initiatives Can Be Securely and Effectively Managed
In the warmer months when I’m not traveling I often get up early and wander my property pulling and spraying weeds. This is an endless and thankless task, yet a necessary evil to preserve my investment and maintain appearances. I am amazed how quickly weeds grow and by the places they find purchase. In just a few days, given the right conditions whole beds can be overtaken.
A few days ago I was meandering about my yard wondering why I don’t have a gardener when it struck me. My own personal battle for yard supremacy provides a great parallel to the efforts of cybersecurity professionals. It occurred to me that vulnerabilities are the weeds of the digital terrain. They are constantly popping up in the strangest places; you can never seem to get them all; and they can quickly get out of hand if you let your attention slip.
Just like weeds, all vulnerabilities are not created equal. Their type, and more importantly their location, are factors we need to consider. The poison ivy at the far end of the property where no one goes is a concern, but far less of one than the poison ivy on the kids’ play set. In the digital terrain, this is the equivalent of vulnerabilities on assets that don’t provide access to critical data verses those that do — whether directly or via pivot attacks. So, it’s not the type of vulnerability that’s important, it’s the exposure that vulnerability delivers to critical resources that is the true cause of risk. The common practice of focusing on CAT1 vulnerabilities is inherently flawed, since the severity of the vulnerability has little to do with the risk it causes for the organization.
People have been fighting weeds since the first crops were sown sometime around 9000 BC. We know weeds and have developed many tools to fight them, yet they persist. We pull them, spray them and set up lines of defense for them to cross. Sound familiar? This is akin to patching, firewalls, and micro segmentation.
I’m making two points here: first and most importantly I need a gardener, but also it is worth reminding ourselves that vulnerabilities aren’t going away anytime soon. Regardless of how much effort you put in, you’ll never have the necessary resources to patch them all. A better strategy is to prioritize what you patch based on the actual risk it causes for your organization. A CAT1 vulnerability isolated by firewall rules provides little risk, but that CAT3 vulnerability exposed directly to the internet may provide a beachhead that exposes your most important data and systems. To quote the old adage, we need to work smarter not harder. For cyber, that means moving from a patch-based methodology to one that focuses on risk.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Jeff Greenehttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngJeff Greene2017-08-24 05:00:092018-06-11 10:10:24Vulnerabilities: The Weeds of Your Digital Terrain
The deluge of cyber-attack stories in the news is becoming commonplace. Recorded cyber crime cost the UK economy £10.9bn in 2015/16; and unreported crime could cost magnitudes more. For small businesses alone, the average cost per attack is around £3,000.
Fortunately, the level of attention criminals are paying to cyber crime is more than matched by those fighting against them. But for SMEs with limited budgets, securing themselves can be a tricky job.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-08-23 13:58:122018-05-03 16:08:30How Small Businesses Should Invest in Cyber Security
Former ForeScout CEO will Oversee Strategic Growth and Address Increasing Demand from Global 2000 Companies for Digital Resilience
SUNNYVALE, Calif. – August 23, 2017 – Today RedSeal, the leader in network modeling and cyber risk scoring, announced that Gord Boyce joined the company as Senior Vice President of a newly formed business unit to address demand in the commercial market. Boyce will lead a team of global sales, customer engineering and professional service resources, focused on driving adoption of RedSeal’s award-winning digital resilience platform.
“Gord rounds out our leadership bench with deep cyber industry expertise, and a tremendous track-record in sales,” said Ray Rothrock, chairman and CEO of RedSeal. “He understands the unique challenges of the high-growth security landscape, and we are thrilled to have his experience delivering enterprise-class platform value to the Global 2000.”
Boyce, a high-tech veteran, brings nearly 25 years of cyber industry experience to RedSeal. As CEO of ForeScout Technologies, he led the company to a global leadership position in the network access control (NAC) market. Prior to ForeScout, Boyce held several senior management positions within Nokia’s Internet Communications and Enterprise Solutions business groups.
“I’ve followed RedSeal’s growth for some time, and am excited to join this visionary company, and help enterprises around the world elevate their cyber security strategy”, said Gord Boyce. “Prevention and detection solutions are necessary, but clearly not sufficient. The RedSeal platform delivers what security and network teams – and their executives– needed yesterday: resilience and continuity.”
RedSeal – one of Red Herring’s Top 100 Global Companies for two consecutive years – posted more than 40 percent year-over-year growth in 2016,and CSO Online recently recognized its digital resilience platform as the top security tool in network security for 2017.
Boyce will be based in the company’s headquarters in Sunnyvale, Calif.
###
About RedSeal
RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00RedSealhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngRedSeal2017-08-23 01:00:482017-08-23 09:39:06Cybersecurity Veteran Gord Boyce Joins RedSeal to Lead Commercial Business Unit
At the recent Black Hat USA conference, CIO asked 250 self-identified hackers for their opinion on security solutions. The answers are a good indicator for what works to protect your organization. Of all the technologies out there, the responders identified multi-factor authentication and high-level encryption as the two that are hardest to get past – 38 and 32 percent, respectively – making them the two best tools an organization can use to thwart attackers. The lesson? Your organization should invest in multi-factor authentication and strong encryption for data at rest and data in motion to make the attackers’ job much more difficult.
Another surprising revelation – more than 90 percent of respondents find intrusion prevention systems, firewalls, and anti-virus easy to overcome. This is because attackers use technologies to encode their payload (i.e. disguise their software so it isn’t detected). They also realize that it is much easier to ‘hack’ the weakest link, the human element. Let’s say an attacker shows up and tells the receptionist she has an interview. Then the attacker explains, with an exasperated look on her face, that she didn’t have time to swing by a print shop to print her resume. The attacker then asks the receptionist to print it. As human beings, we feel empathy and we want to help. The receptionist sticks the USB drive into a computer, finds the resume, and prints it – firing off the payload attached to the USB document.
Does this mean that the money and man hours spent on firewalls, intrusion prevention systems, and antivirus is wasted? The answer is no. These technologies help thwart the most basic and greatest number of automated attempts at breaking into your organization. The example I used above is called a social engineering attack. Attackers will put together payloads and either email them out, attach them to resumes and apply for jobs, or physically go to your location and drop USBs on the ground. In fact, 85 percent of those surveyed prefer these types of attacks because of how successful they are. Each of these attacks makes your perimeter security useless. CIOs and ISOs need to harden the internal security of their organization as well. They need to train their employees for these types of attacks, tell them what to look out for, and breed an environment where it is okay and even expected to challenge people.
Understanding your network and the actions that attackers take to compromise your environment will help your organization develop contingency plans. These contingency plans will help your organization maintain a resilient network. You can’t just protect your network and expect that to be enough anymore. The question all leaders in security should be asking is, “what do we do when an attacker gets in and how do we lessen the damage done to our organization?”
That is the beginning of building a resilient network.
https://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.png00Nate L. Cash, Senior Director, Federal Professional Services/ Director of Information Securityhttps://www.redseal.net/wp-content/uploads/2016/08/RedSeal-logo.pngNate L. Cash, Senior Director, Federal Professional Services/ Director of Information Security2017-08-18 05:00:182023-01-24 11:22:09Advice from Hackers at Black Hat
Security spending and staffing are rising, but restrained resources are tempering market growth.
The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say despite recent increases in spending and hiring, the market paradoxically is being slowed by a shortage of resources.
In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.
In order to provide you with the best experience possible we might sometimes track information about you. Sometimes this may involve writing a cookie. We use this information for things like experience enrichment, analytics and targeting advertising. We recommend allowing these functions to get the most out of your experience.
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.