What are your peers doing when it comes to cloud security?

Organizations continue to adopt cloud computing at a rapid pace to benefit from the promise of increased efficiency, better scalability, and improved agility.

While cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to expand security services to protect their evolving cloud platforms, it is ultimately the customers’ responsibility to secure their data within these cloud environments.

The 2019 Cloud Security Report (download) highlights what is and what is not working for security operations teams in securing their cloud data, systems, and services in this shared responsibility model. The results are a continuation of past challenges: 

  • The top cloud security concerns of cybersecurity professionals are data loss and leakage

  • The most challenging cloud compliance process for IT professionals is monitoring for new vulnerabilities in cloud services that must be secured. Following closely behind, as the second most challenging compliance process, is audit/risk assessment within the cloud environment.

  • The top two biggest operational security headaches teams are struggling with when trying to protect cloud workloads are compliance and lack of visibility into cloud security.

Overall, the findings in this report emphasize that security teams must reassess their security posture and strategies, and address the shortcomings of legacy security tools to protect their evolving IT environments. This 2019 Cloud Security Report has been produced by Cybersecurity Insiders, the 400,000 member information security community, to explore how organizations are responding to the evolving security threats in the cloud.  Download the full report at https://www.cavirin.com/resources/2019-analyst-cloud-security-report

Google Cloud Security Command Center and Multi-Cloud Lead the Way

Google Cloud Security Command Center

Last week, as part of a very successful and over-subscribed Google Next, we participated in the general availability announcement of Google’s Cloud Security Command Center (Cloud SCC). Cloud SCC is an intuitive, intelligent risk dashboard and analytics system for surfacing, understanding, and remediating Google Cloud Platform (GCP) security and data risks across an organization. The Cloud SCC Dashboard serves as a launching point for Cavirin’s CyberPosture Intelligence platform which includes assessment, monitoring, scoring, and remediation. Our deep integration with the Google Cloud Platform provides you visibility and manageability for Google Cloud Platform and hybrid cloud deployments, including multi-cloud deployments.


Google Multi-Cloud 

Speaking of hybrid and multi-cloud deployments--Cavirin's sweet spot--we provide overall visibility, securing both workloads and cloud services, across any infrastructure, anywhere.  Google’s focus on security across not only its own cloud but across the hybrid/multi-cloud in general, matches very well with Cavirin’s vision.  Google’s deep commitment to multi-cloud deployments, unique amongst the three major providers, was announced with its Anthos open management architecture on April 9th.  From Google:

“…..this is really the stack for the next 20 years, meaning that it’s not really about the three different clouds that are all randomly different in small ways. This is the way that makes these three clouds — and actually on-premise environments, too — look the same.”

Google’s new strategy is to encourage and protect multi-cloud deployments, a direction aligned with almost ¾ of organizations. Customers require a security solution that spans this hybrid infrastructure, looking at both workloads as well as any cloud services consumed.  So you can see why I'm pretty stoked that the Cavirin solution, announced back in April 2018, aligns with the Google Cloud Platform strategy.  Google’s native security tools are complementary to what Cavirin offers with continuous compliance and automation, visibility, and consistency, major concerns identified by organizations moving to or planning to move to the cloud.

Primary Cloud Deployment Strategy

(Source:  2019 Cybersecurity Insiders Cloud Security Survey)

How Cavirin Fits Into Your Cloud Picture

The Cavirin solution leverages the broadest set of benchmarks, frameworks, and regulations, to continually assess the compliance and security score of workloads, both on-prem and across the hybrid/multi-cloud, immediately informing the operator of any security drift and recommending remediation. In some cases, the solution is able to carry out automated remediation via Ansible Playbooks, closing the loop from monitoring to change management. Scoring accuracy is improved by leveraging machine learning to better map and weight technical controls.

The same approach applies to cloud services. In the case of Google Cloud, the system continually monitors the various cloud services via StackDriver, identifies conditions that could lead to a breach, and then triggers auto-remediation via Google Functions. This, along with Cavirin’s workload remediation, is the essence of closed-loop security for the hybrid cloud. In parallel, the system forwards all security observations to the Google Cloud SCC, where, in combination with other Google Cloud security services, the operator is presented with a unified and actionable view of his or her security posture.

Where the organization has implemented a true hybrid or multi-cloud architecture, Cavirin presents security findings from across the multiple clouds via the CyberPosture Dashboard, a simple-to-interpret view that correlates security and compliance and offers prioritized guidance.

So, check out Cavirin’s closed-loop security for Google Cloud and our SCC integration on the Google Cloud Marketplace.

Come See us at Google Cloud Next ’19 – Booth S1409

Many of the most high-profile breaches from recent years have been caused by misconfigured servers and cloud services that left sensitive information exposed. Cavirin is focused on protecting your cloud, container and server resources in the Google Cloud Platform (GCP) and hybrid environments. At Google Cloud Next ’19 we will be demonstrating how customers can:

  • Automatically discover 9 GCP cloud resource types including VPCs, subnets, Cloud Account (including Identity and Access Management (IAM)), Google Kubernetes Engine (GKE), Google Compute Engine (GCE), BigQuery, Cloud SQL and Cloud Key Management Service (KMS), and 22 operating systems
  • Evaluate several thousand technical controls at the cloud, container and OS levels spanning configuration, compliance and vulnerability checks
  • Compute a proprietary CyberPosture Score that helps you translate assessments into an easy-to-understand risk metric
  • Prioritize remediation plans based on CyberPosture score improvement potential
  • Auto-remediate, where possible, via Ansible and serverless (e.g. Google Functions) approaches

These features work in tandem to close the gap between proactive and reactive security in what Cavirin calls Closed Loop Security. With Closed Loop Security organizations can detect new, deleted or changed resources via Google StackDriver Monitoring, risk-score infrastructure changes to prioritize remediation plans and automate remediation via pre-built Google Functions.

Today, Google announced the general availability of Cloud Security Command Center, which helps security teams prevent, detect, and respond to threats from a single pane of glass, and we are thrilled to be one of its integration partners. With our integration, customers will benefit from the following improvements:

Unified Dashboard for DevSecOps teams - Cavirin’s security, compliance and vulnerability findings will be presented in the Cloud SCC dashboard alongside findings from other security offerings that customers may have purchased.

Findings Prioritized by CyberPosture Scores - Each finding presented in the Cloud SCC dashboard represents a single configuration, compliance or security issue for one instance of 9 resource types. Cavirin presents up to 500 findings prioritized by their CyberPosture Score improvement potential, which is proportional to the relative risk of any finding based on the underlying technical control, its weight, resource criticality and other factors in Cavirin’s proprietary CyberPosture Scoring methodology.

Actionable Finding Details - Each finding also presents additional details on the security or compliance control framework that generated the finding, the GCP identifier of the failed resource, CyberPosture Score improvement potential, remediation steps, and other details.
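The detection-to-prioritization loop described above (a resource-change event, a technical-control check such as the open-TCP-port network policy, and findings ranked by score-improvement potential with a remediation hint), as an added illustration that is not Cavirin's code or scoring methodology. The control ids, weights, criticality values and sample firewall-rule events are all constructed for the example, and the event shape is a simplified stand-in rather than the real audit-log schema.

```python
"""Added illustration (not Cavirin code): change event -> control check -> finding
ranked by score-improvement potential. Weights, criticality and events are constructed."""
from dataclasses import dataclass

CONTROL_WEIGHTS = {"NET-001": 10.0, "NET-002": 4.0}  # hypothetical control weights
CRITICALITY = {"prod": 3, "staging": 2, "dev": 1}    # hypothetical resource criticality
ADMIN_PORTS = {22, 3389}
MAX_FINDINGS = 500  # the post says up to 500 findings are forwarded to Cloud SCC


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    improvement: float
    remediation: str


def _tcp_ranges(allowed: list[dict]) -> list[tuple[int, int]]:
    """Expand a rule's TCP 'allowed' entries into (low, high) port ranges."""
    ranges = []
    for entry in allowed:
        if entry.get("IPProtocol") != "tcp":
            continue
        for spec in entry.get("ports", ["0-65535"]):  # no ports listed means all ports
            lo, _, hi = spec.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def check_firewall_rule(name: str, rule: dict, env: str) -> list[Finding]:
    """Evaluate one ingress rule against the two constructed network controls."""
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return []
    ranges = _tcp_ranges(rule.get("allowed", []))
    if not ranges:
        return []
    admin_exposed = any(lo <= p <= hi for p in ADMIN_PORTS for lo, hi in ranges)
    control = "NET-001" if admin_exposed else "NET-002"
    improvement = CONTROL_WEIGHTS[control] * CRITICALITY.get(env, 1)  # constructed formula
    return [Finding(control, name, improvement,
                    f"restrict sourceRanges of {name} to known CIDRs")]


def prioritize(events: list[dict]) -> list[Finding]:
    """Turn change events into findings ordered by improvement potential, highest first."""
    findings = []
    for ev in events:
        if ev["methodName"].endswith("delete"):
            continue  # a deleted rule has no exposure left to report
        findings.extend(check_firewall_rule(ev["resource"], ev["rule"], ev["env"]))
    findings.sort(key=lambda f: f.improvement, reverse=True)
    return findings[:MAX_FINDINGS]


# Constructed sample events, shaped loosely like firewall-rule change notifications.
SAMPLE_EVENTS = [
    {"methodName": "compute.firewalls.insert", "resource": "allow-ssh", "env": "dev",
     "rule": {"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}},
    {"methodName": "compute.firewalls.patch", "resource": "web-ingress", "env": "prod",
     "rule": {"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]}},
    {"methodName": "compute.firewalls.insert", "resource": "internal-only", "env": "prod",
     "rule": {"sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp"}]}},
    {"methodName": "compute.firewalls.delete", "resource": "old-rdp", "env": "prod", "rule": {}},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_EVENTS):
        print(f"{f.improvement:5.1f} {f.control} {f.resource}: {f.remediation}")
```

Note that the production-criticality weighting ranks the world-open web rule above the world-open SSH rule on a dev host, which is the kind of ordering the score-improvement view is meant to surface for review.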

Comprehensive Security & Compliance Frameworks - Findings in Cloud SCC are powered by the following control frameworks that contribute over 80,000 technical controls. Several of these frameworks were led by Cavirin security experts:

  • CIS GCP Foundation Benchmark, co-authored by Cavirin
  • Cavirin GCP Network Policy Pack to protect against open TCP ports
  • Compliance frameworks: GDPR, HIPAA, PCI-DSS 3.2, ISO 27002:2013, AICPA SOC2, CJIS
  • Security frameworks: CIS (OS-level), DISA, CIS Google Chrome, NIST 800-171, NIST 800-53r4, NIST CSF, Cavirin Patches & Vulnerabilities
  • Container frameworks: Cavirin Image Hardening, Cavirin Patches & Vulnerabilities, CIS Docker CE, Container Linux, CIS Kubernetes

CyberPosture Intelligence for GCP - Cloud SCC customers are one click away from the Cavirin dashboard with a “credit-score”-like representation of security and compliance posture across GCP, AWS, Azure, containers, and on-premises infrastructure. The Cavirin CyberPosture score helps customers analyze trends and drill into scores by asset group, environment, policy pack, cloud service, operating systems, and individual resources to pinpoint risk and prioritize remediation plans.

Making the magic work - Getting started with Cavirin and Cloud SCC is easy. Contact Cavirin to get provisioned for Cloud SCC access. Once you have that information, browse the Google Marketplace and find the Cavirin Cloud SCC Companion. This application establishes trust and connectivity between Cavirin and GCP so that security findings about your organization’s GCP resources can be posted into Cloud SCC. Follow the self-service provisioning wizard steps for Cavirin Cloud SCC Companion (found in the Marketplace documentation).

Next, provision the Cavirin CyberPosture managed VM app in the Google Marketplace.

Finally, connect Cavirin to GCP Cloud SCC using the integration steps within Cavirin.

Next Steps

Security Tips to Get You Through April

Ok, what’s worse than having to file your taxes? Falling for a tax scam. The problem is that there are way too many ways to fall victim. However, instead of focusing on the individual and the various well-documented phone, email, and other social engineering scams, we’ll look at the real pot o’ gold – independent tax preparers. Why buy a quart of milk when you can own the whole cow?

We’re not talking about the major brokerages, H&R Block, and other established firms.  The real risk is in compromising the corner tax preparer, in many cases doubling up as an accountant.  Much like the independent doctor or dentist (becoming harder to find, btw), these preparers have access to the most confidential of financial data for literally hundreds of customers, a gold mine for identity theft.

Members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) in June noted that they believe “far fewer than half of the tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals …have implemented required security practices.”

In a normal year, preparers need to be on the lookout for spoofed sites, ransomware and phishing, lapses in basic network hygiene, physical intrusions (it only takes one USB drive), and even dumpster divers. They also need to head off scams where a hacker poses as a new client, possibly using stolen credentials. But 2019 is anything but a normal year!

Between the government shutdown and changes in the tax law, many individuals are confused, stressed, and are delaying preparation, all falling on the shoulders of their preparers.  In the interest of time, they’ll use less secure channels for communication, leave confidential messages, and of course, be more at risk from others spoofing their preparer’s identity. 

As a preparer, be extra diligent about any client or external email attachments or links, any USB drives supplied with client data, and any calls requesting confidential data that claim to come from clients but may not.

On the IT side, it goes without saying that you should lock down your WiFi, encrypt all data as a last line of defense against data theft, and automatically assess for vulnerabilities and other security gaps against industry best practices, patching as required. This also applies if you are using cloud-based services.

Scams involving SharePoint and other cloud-based accounts and documents are also in vogue this year, and with more clients apt to share documents via Google Docs, Box, Dropbox, or any one of a number of other services, the chance of a breach grows.

Finally, be on the lookout for any strange behavior when filing, when entering or reviewing data, or when downloading or uploading.  Anything out of the ordinary could indicate a breach, so stop, and pause.

A good IRS guide with links to best practices is here:

You keep a clean kitchen – how about your security posture?

You go into a restaurant, and, at least in California, the first thing you notice is the green ‘PASS’ in the window.  What does this imply?  That the restaurant has proper hygiene… that their kitchen is clean, their staff is trained in sanitary practices, and that if you order lamb from the menu, you actually get lamb, and not some mystery meat. 

Although I don't have all the information behind the restaurant scoring system, it's my understanding that the Health Inspector calculates a score based on the violations observed and provides a more detailed report to leadership on what areas need attention. The inspections are routine, with follow-ups as needed. The same must apply to the restaurant’s cybersecurity posture. If you want to avoid the upset stomach of a credit card breach, or if the owner doesn’t want his or her backend systems compromised, it's important to understand which areas of the backend payment systems need attention; that's why PCI audits take place.

We all admit that this is a difficult time for many restaurant chains and individual proprietors: changing eating habits, delivery services, healthcare and staffing costs, the cost of raw goods and utilities, etc. But restaurants can’t cut back on securing their IT infrastructures in an environment where the number of breaches has gone up by 40% since 2016, and where the typical breach costs $50K or more. A chain will probably survive, but an independent? Who knows? Unfortunately, according to Hospitality Technology’s 2017 Restaurant Technology Study, only 38% of restaurants have technology as a strategic priority.

PCI compliance, or even EMV and P2PE, is meant to ensure that the business in question has the processes in place to protect customer financial data. The real problem is the PCI audit itself, every 3 or 6 months. A hacker can set their eye on the company the day after the audit is complete and potentially go unidentified until the next audit. And that is if the audit passes. Many fail one or more audits, and according to a recent Verizon report, this group is 100% likely to be breached in the ensuing 12 months. In fact, restaurants are many times less secure than the typical enterprise, in that their Linux, Windows, Android, and iOS POS terminals sit in less secure environments. These terminals are 40x more liable to hardware or software compromise than the typical enterprise, and 90% of restaurant breaches are POS-driven.

We’ve seen this time and time again, and chances are you’ve had your own cards compromised one or more times.  How can we reverse this trend?  As the old saying goes, security is not a destination, but it is a continual journey.  If focused on PCI, you need to continually reassess your cybersecurity posture, either in your own IT environment or if you use public cloud services.  There are frameworks that outline best practices, and solutions that offer automated assessments.  They may not cause you to immediately pass PCI but will quickly identify your breach potential.  At the same time, other frameworks like ISO, SOC2, GDPR, NIST, and others will better ensure your cybersecurity posture.

In closing, though we’ve focused on restaurants, many of the same concerns apply to other hospitality verticals – casinos and gaming, hotels and resorts, cruise ships, and even traditional retail. 

How to Protect Your Organization During The NCAA Tournament and Beyond

According to the American Gaming Association, 47 million Americans will bet nearly $8.5 billion on the NCAA tournament, so it’s no wonder that every year there is a steep increase in cyber-activity around the event. IT teams must be on high alert to deal with the madness: from phishing scams to the unassuming malware-infected sites employees visit to catch part of the action, employees' involvement in March Madness can easily open an organization’s door to a cyberattack. With the threat looming, organizations spend months preparing for this time of year, and we compiled some of the best advice for protecting your organization during the NCAA Tournament and beyond.

  • Remind your employees about phishing attacks. Even if phishing attack education is part of your organization’s security training program, some of the offers made in these emails, especially during March Madness, can be very tantalizing and bring an employee’s guard down.

"Cybercriminals are well aware of the popularity of March Madness and are already preparing spear phishing emails to millions of college basketball fans, as well as non-basketball fans who are merely participating in the ever-popular office pools." 

Dan Lohrmann, CSO, Security Mentor 

  • Set up a few flat screen televisions for the event. Millions of employees stealthily watch the game from their laptops, computers, and phones, where malware can be camouflaged as streaming video and network bandwidth is depleted. Companies might therefore want to set up a few flat screen televisions streaming the legitimate video feed, so employees can walk by and get the latest updates, satisfying their bracket interest without putting their organization at risk or consuming excessive bandwidth.

A Nielsen cross-platform study says in 2018 over 175 million fans engaged with the tournament across all networks and platforms.

www.forbes.com

  • Ensure that your security patches are up to date so you do not become an easy target of a cyberattack. This is an important one, and one that slips through the cracks if automated enterprise patch management is not implemented. Automating routine tasks is key to protecting an organization from cybersecurity threats during an event like March Madness as well as from day-to-day threats.

In 2017, Aberdeen found that, if not automated, vendor patching in a $100 million company with 100 database instances is likely to be complex (440 patches required over the course of one year) and time-consuming (910 hours of disruption).

Aberdeen Group

  • Make sure that you are continually assessing the security posture of all managed cloud services and workloads, using scored guidance to build a prioritized response plan, so you can make informed and timely decisions when protecting your organization against cyber threats.

60% of organizations believe lack of visibility across all IT asset types constitutes a challenge to their cybersecurity posture.

Ponemon Institute

Although the last one might be a little tough, since the tournament is just underway, it’s one that should be considered as you evaluate your overall security posture for 2019 and beyond. At Cavirin, we do not believe that your cybersecurity posture should be driven by one event, or your IT team will be exhausted come tax season next month.

© 2019 Cavirin Systems, Inc. All rights reserved.