by Neil Murray
This time last year futurologists were predicting the gentle evolution of the Big Data trend. Few would have predicted how dramatic the resurgence of security has been.
Sure, there was a drumbeat of public security breaches like Snowden in play, but the flurry of large-scale breaches in 2014 such as Target, JP Morgan, Home Depot and Sony has fundamentally tipped the balance of where security sits in the planning process for IT teams for the coming few years. It was my central point in the BBC 2015 predictions article you may have seen last week.
These breaches were the culmination of months of research and work by the attackers. However, as attackers refine their tools, techniques and processes, breaches will occur in greater numbers and with increasing speed and frequency – the outcome of the growing Crime-as-a-Service industry. In response, larger companies will begin to remove point security solutions and instead aim to provide a broader, more holistic view of their overall security posture.
But it’s not just large organizations under attack. Smaller companies will be increasingly targeted to be used as ‘springboards’ to gain entry to the companies they provide services for or have relationships with. Advanced threats usually equate to more IT investment, and to balance their books smaller companies will continue to look to consolidate vendor security services.
These landmark breaches have also highlighted that all organizations will be forced to reduce their reliance on technology solely for security and will focus on more effective ways to make the employees part of the solution – a shared security responsibility.
There are, of course, other trends to consider in 2015 – wearable tech is becoming refined and affordable, and consumers have a myriad of choices, as a quick glance at CES news shows. These devices will drive an uptick in requests to make corporate information accessible through apps on new types of mobile platforms. As the perimeter becomes even less defined, organizations will need to reassess their security processes and technologies to compensate.
Something fundamental changed last year. We’re in the midst of the Big Data era, powered by cheap storage, new grid-computing technology and maturing adoption by users. However, now more than ever, we’re reminded of the risks presented by our valuable data falling into the wrong hands.
by Orlando Scott-Cowley
One year after the Target data breach, there’s never been a better time to consider how vital email security is to maintain the sanctity of the supply chain. Email, by its very nature, directly connects companies large and small, creating opportunities for hackers to turn suppliers, partners or customers into unwitting victims of malware.
An obvious example of these dangers to the supply chain can be found in the Target breach, which ran from November 27th through December 15th last year and exposed credit card and personal data on more than 110 million consumers. The breach at Target appears to have begun with a malware-laced email phishing attack sent to employees at a heating, air conditioning and refrigeration firm that did business with the nationwide retailer.
Traditionally, businesses have used security scanning or gateway services to make traditional spam or phishing attacks harder, but these usually only protect users on the network and on corporate-managed devices. Determined attackers, however, are increasingly using a combination of sophisticated social engineering and targeted or spear-phishing emails in their attacks.
Securing your relationships with suppliers and third parties is quickly becoming a top priority for those who have learned a lesson from the Target breach. Since the evolution of BS7799 part 2 into its current form of ISO27001, considering how to secure suppliers’ systems and imposing your security controls on those third parties has been a key part of security best practice. It is, therefore, not a new idea that we ought to ask our suppliers how they store, process and secure our data, transactions and connections.
At Mimecast we have elected to adopt ISO 27001 as the cornerstone of Mimecast’s Information Security Management System as it is globally recognized as the best framework to demonstrate audited and continual improvement and on-going security management. Recent additions to this framework (ISO 27001:2013) added greater emphasis on keeping supply chains secure. But this isn’t a guarantee of security; it’s only part of a much wider scope of protection, both theoretical and technological.
I also believe protection must be available to employees no matter the device used to access corporate email systems and without adversely affecting user experience.
For example, our own Targeted Threat Protection service immunizes all embedded links by re-writing them to point to Mimecast’s global threat intelligence cloud. This real-time security check protects against delayed exploits or phishing techniques that direct people to good websites at first, only to arm their dangerous payloads afterward.
Enterprises must protect the user when they actually click, so in the (un)likely event you experience the same fate as Target, you’ve supplied the best protection technologically available. This last line of defense has become the only defense against those who seek to abuse the trust we have in our business relationships.
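A minimal sketch of the click-time link rewriting idea described above, added here as an illustration and not Mimecast's implementation. The gateway URL, signing key and blocklist lookup are hypothetical stand-ins, and the sample email is constructed.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://linkcheck.example.invalid/r"  # hypothetical checking service
KEY = b"constructed-demo-key"                    # constructed; use a managed secret in practice

HREF = re.compile(r'(href\s*=\s*")(https?://[^"]+)(")', re.IGNORECASE)


def _sig(url: str) -> str:
    """MAC over the original URL so the gateway only follows links it issued."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """At delivery: point every http(s) href at the gateway instead of the target."""
    def repl(m):
        target = html.unescape(m.group(2))  # attribute values may carry &amp;
        wrapped = f"{GATEWAY}/{_sig(target)}?u={quote(target, safe='')}"
        return m.group(1) + wrapped + m.group(3)
    return HREF.sub(repl, body)


def resolve_click(gateway_url: str, blocklist: set) -> tuple:
    """At click time: verify the MAC, then judge the target on current intelligence."""
    parts = urlsplit(gateway_url)
    sig = parts.path.rsplit("/", 1)[-1]
    target = parse_qs(parts.query).get("u", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sig(target).encode()):
        return ("reject", None)  # forged or altered link; never act as an open redirector
    host = (urlsplit(target).hostname or "").lower()
    if host in blocklist:
        return ("block", target)  # site was armed or flagged after delivery
    return ("allow", target)


if __name__ == "__main__":
    mail = '<a href="http://supplier-portal.example/invoice?id=7&amp;v=2">view</a>'
    link = re.search(r'href="([^"]+)"', rewrite_links(mail)).group(1)
    print(resolve_click(link, set()))                        # clean at delivery
    print(resolve_click(link, {"supplier-portal.example"}))  # flagged later
```

Because the verdict is computed when the link is followed, the same delivered message yields a different result once the destination is flagged, which is the delayed-exploit case the paragraph describes.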
by Dan Sloshberg
Last week, Mimecast was thrilled to be recognized at the 2014 SC Magazine Awards Europe ceremony for our Email Security service. The judges, drawn from the senior ranks of the information security profession based on their experience and impartiality, selected Mimecast’s Email Security service to receive the status of ‘Highly Commended’ in the ‘Best Email Security Solution’ category.
Mimecast’s Email Security provides a comprehensive, cloud-based service to mitigate email risk – gaining ‘Visionary’ status in the Gartner Magic Quadrant for Secure Email Gateways 2013. It provides customers with 100 percent anti-virus protection, including zero-day threat protection SLA, and a 99 percent anti-spam protection SLA, without the need to deploy any on-premise hardware or software.
The majority of Mimecast’s competitors have acquired their security technology and bolted together point solutions to form an offering. The Mimecast Email Security platform is unique in that it’s built specifically for purpose. From the Message Transfer Agent up, Mimecast builds, owns and manages the technology to process and protect customers’ email. This means more straightforward deployment, setup and management for IT teams and a more valuable and integrated experience for users.
It’s recognition of the success we’ve enjoyed in delivering simple yet effective corporate email security, minimizing IT overheads and improving user productivity. If you’d like to find out more about Mimecast’s Email Security you can find videos and supporting documentation here.
by Orlando Scott-Cowley
Doctor Who: Series 7 Part 2, The Bells of Saint John.
There’s something in the WiFi. You know you’ve made it as an actor and as a security issue when you appear on Doctor Who. If, like me, you tuned-in to (showing my age there, who “tunes-in” anymore?) the new series of Doctor Who last weekend, you may have chuckled at the use of WiFi networks as a medium for evil. Rogue Access Points that upload the soul of their users, leaving them trapped inside a Spoonhead, sorry server, somewhere in London’s Shard building. Kudos to the script writers for the plot, and for renaming servers, spoonheads – I’ll be in the spoonhead room.
“I don’t know where I am… I don’t know where I am…” is a cry most IT managers, administrators and help desk staff have heard in their time; usually from hapless users trying to find their way onto the network or perhaps around their desktop, rather than being trapped inside an evil WiFi network. That wasn’t lost on me, nor was the uploading of souls; something we might think Facebook has in their roadmap – or at least the curating of your own soul. The evil walking WiFi base stations, hoovering up data and people, did remind me of Google Street View cars that were caught hoovering up WiFi networks, but I’m sure that’s coincidental.
Now, while not all WiFi networks are this evil, there are certainly many we should avoid. I’m still amazed to see the SSID “Free Public WiFi” whenever I’m on a train or at an airport; while not necessarily unsafe, it does indicate an old and unpatched version of Windows XP is running somewhere – which in itself is terrifying. Others are certainly more dangerous; there’s often a looky-likey network at conferences or near popular coffee shops, designed to trick you into joining and routing your traffic through them. This is just plain unsafe, and even on open public networks you should always use a VPN or at least HTTPS connections. Firesheep was an excellent demonstration of how vulnerable unencrypted web traffic is on open wireless networks.
As IT professionals we’re constantly reminding our users of the security risks associated with the unknown; like free or open WiFi networks as well as clicking links in email. Hopefully now Rogue Access Points have made it to prime-time this job will be a little easier.
I’m waiting to see if there is another episode of Doctor Who dedicated to phishing emails, or perhaps password sniffing, but in the meantime I’m trying to work out how to change my SSID to that funky font used in Doctor Who.
Remember, if you’re looking for WiFi and sometimes you see something a bit like this, don’t click it.