This white paper examines the need for strong authentication and explores the return on investment that can be realized in order to help organizations move toward more effective security.
Why Passwords are not strong enough
WHY PASSWORDS AREN'T STRONG ENOUGH
Making the Case for Strong Authentication
The risks associated with the use of password-only authentication are not new. In 1995, the US Computer Emergency Response Team (CERT) reported that approximately 80 percent of the security incidents they received were related to poorly chosen passwords. More than fifteen years later, two-thirds of organizations are still using just a password to secure remote access [1].
With today’s threat landscape and the increased value placed on the information created and stored, systems that rely on static passwords for security are left vulnerable and at risk of being breached. In this paper, we will examine the need for strong authentication and explore the return on investment that can be realized in order to help organizations make an informed decision when contemplating their strategic move toward more effective security.
The Need for Strong Authentication
Today’s organizations face an advanced threat landscape and a complex regulatory environment that can impede their business objectives directly. Therefore, protecting access to information and assuring the identities of users requesting that access are core elements of any security initiative.

But cybercriminals have begun to recognize the value of enterprise credentials and proprietary information, and as threats such as phishing and malware continue to evolve, they are becoming more challenging to contain. Despite the fact that “password-only” authentication is recognized for providing relatively weak security, the use of a single password as a means of assuring user identities continues to dominate. A primary “weak link” is the employee, who may engage in poor password management practices and work around established security policies to make his job easier.

In the last few years, numerous industry regulations have been issued that require organizations to enact strong authentication security measures to protect against unauthorized access to information. Today, as functionality and technology move to new channels, so do the myriad threats, driving an increasing demand for strong authentication across the organization.
White Paper
[1] RSA 2011 Workplace Security Survey
2. – The online and mobile channels. Organizations continue to recognize the opportunities
and cost efficiencies associated with providing real-time access to information online.
As a result, an increasing number of Web-based customer portals and business
applications are being launched that enable customers to access and manage their
accounts 24/7. Mobile access – smart phones in particular – provides customers with
similar access and offers even more functionality through customized applications.
– Remote and mobile access. The global nature of business and employee mobility has
forced many organizations to provide employees and other end users around-the-clock
access to corporate email and other business applications from multiple locations and
multiple devices – including smart phones.
One out of four employees write their passwords down on paper in order to remember them.
– Access for new user populations. Today’s organizations are extending access privileges
beyond the employee to external contractors, partners, and suppliers to facilitate and
streamline business processes. These new user populations require on-demand access
to proprietary information such as sales forecasts, competitive intelligence, pricing
charts, inventory, and customer data.
Inside the Threat Landscape
As organizations extend information – and access – to new channels, the risk of
unauthorized access or being targeted by a cyber attack increases. Perhaps the most
inhibiting factor preventing many organizations from fully utilizing and realizing the
potential of a new channel is security – or, more accurately, a lack of effective security.
Ultimately, business objectives and the benefits of the new channels may win out. The
potential for increased business opportunities, new revenue streams, and improved
customer satisfaction and loyalty drive organizations not only to make the move to the
new channels – but also to apply strong authentication to protect access to their network
and their valuable business data against the growing number of threats on both sides
of the firewall.
Internal Threats
Employees use multiple systems, devices, and applications that require separate and
disparate log-ins and passwords. This often leads to unsafe password practices such as
using the same password on multiple systems, sharing passwords and keeping a record
of passwords in handwritten or electronic documents. Among business professionals
surveyed on password management, 41 percent of employees stated they have used the
same password to access multiple accounts and 25 percent admitted to writing their
passwords down on paper in order to remember them [2]. Poor password management
practices are putting organizations at risk every day.
The growth of the mobile workforce and anytime, anywhere access from multiple devices
are other examples of the threat posed by insiders. Today, the range of end user devices
being used for access is growing; 47 percent of employees regularly access their
corporate network or webmail through a mobile device such as a BlackBerry or iPhone [2].
The use of public computers, kiosks, and wireless hot spots is also a common practice
for accessing corporate systems, creating an opportunity for a key logger and other
malicious programs to steal employee passwords.
External Threats
Using methods such as advanced social engineering, phishing scams, Trojans and other
forms of malware, hackers target any and all access paths to the corporate network –
including SSL VPN and mobile user credentials. The goal? To gain insider access to
corporate networks and steal valuable company-sensitive information such as intellectual
property, personally identifiable information (PII), corporate data, and trade secrets.
[2] RSA 2011 Workplace Security Survey
Botnets, in particular, present a serious threat to organizations as most infections
come with a malware program designed specifically to infiltrate corporate networks
and perform specific tasks that siphon out sensitive information or steal passwords.
Today, botnet activity can be accounted for in nearly 90 percent of the Fortune 500
organizations [3]. Because small and mid-sized businesses are capable of spending only a
fraction of what their enterprise counterparts do on security technology, this segment is
particularly vulnerable to cyber threats.
Most government regulations call for the use of strong authentication to protect access to applications and systems that contain sensitive data.
Another form of external threat targeting organizations is spear phishing, a form of
phishing attack that is targeted mainly at employees or high-profile targets in a business.
Spear phishing emails attempt to get a user to divulge personal or sensitive information
or click on a link or attachment that contains malicious software. Once the user clicks on
the link or attachment, malware is installed, usually in the form of a key logger. With this
method, the hacker is able to capture and steal anything the user types, including
corporate credentials, bank account information or other sensitive passwords.
The True Costs of Password Authentication
For many organizations, IT budgets are limited, and cost often is the biggest hurdle to
overcome in making the case for strong authentication. In fact, cost is exactly why the
use of passwords persists as a security “solution” – the acquisition costs of password
authentication are near zero. However, this authentication method – once viewed as
“free” – is expensive in terms of ongoing management and support costs. According to
the Help Desk Institute, roughly 30 percent of all help desk calls are for password resets
– and cost between $25 and $50 per call. This “unseen” cost can be taxing on IT resources
and does not account for the impact of lost productivity for the end user.
Compliance is another consideration when determining the true costs of password
authentication. Many government and industry regulations require the use of strong
authentication in order to meet compliance. By failing to provide additional protection
beyond a static password for users accessing sensitive data, organizations may be
subject to hundreds of thousands of dollars in regulatory fines and penalties.
Overall, passwords are weak and compromised easily, which puts organizations at high
risk for a data breach. The average cost to a business for a data breach in 2010 was
$7.2 million, or $214 per compromised record [4], which factors in numerous costs such
as customer notification, forensics and investigation, legal fees and potential fines.
Then there are the intangible costs, such as the impact of a breach on customer trust
and loyalty as well as damage to the business’ brand and reputation.
Cyber Threats Have No Boundaries
The distribution of malware has extended beyond the financial industry and increasingly
is affecting businesses in other industries as well, including healthcare, insurance,
telecommunications and education as well as government agencies. The original
intended goal for most cybercriminals was to infect online users with a Trojan to collect
their bank account information or credit card numbers. By extending their reach into new
industries, criminals are targeting a new set of valuable information that can be resold,
including patient medical records, personally identifiable information (PII), proprietary
corporate data, and sensitive government information that can compromise the security
of entire countries.
[3] RSA white paper, “Malware and the Enterprise: Understanding the Potential Impact of a Trojan Infection,” May 2010
[4] Ponemon Institute, “2010 U.S. Cost of a Data Breach”
Consumers are also employees, and employees conduct personal business and check
personal email accounts from corporate workstations. Similarly, as organizations extend
their information and access to new channels and make access available to a wider array
of resources, the variety of devices touching the corporate network expands to include
“uncontrolled” consumer devices such as the family computer, smart phones, PDAs and
iPads. These devices, which may not have any security measures in place, put the
organization at higher risk for malware infections and data loss.
How do you know which authentication solution is right for your business? The RSA Authentication Decision Tree is an interactive tool designed to help you learn about, evaluate and select the most appropriate strong authentication solution based on your business needs. To access the Authentication Decision Tree – and receive your customized report – visit www.rsa.com.
Volumes of business data are landing in the hands of cybercriminals, usually
unbeknownst to the organization. To demonstrate, after nearly three years of work
tracking the Sinowal Trojan, RSA discovered that the data in the possession of
cybercriminals extended beyond bank accounts and credit and debit cards; it also
included email addresses and passwords and FTP and VPN login credentials. This
discovery was one of the first of many that demonstrated just how vulnerable the
sensitive data of organizations and government agencies is to the threat of increasingly
persistent and malicious adversaries.
An Overview of Strong Authentication
The key difference between password-based authentication and strong authentication is
that the user must provide more than one factor, or proof, in order for a successful
authentication to be made.
In deciding on the type of strong authentication to deploy, organizations can choose from
a range of solutions and form factors available on the market today. Each solution and
form factor offers different value propositions in terms of security, portability, scalability,
ease of use and end user convenience, reliability and, of course, total cost of ownership.
One-time password authentication
One-time password (OTP) authentication is one of the most popular strong authentication
methods being used today for protecting access to corporate networks. Often referred to
as two-factor authentication, it is based on something you know (a PIN or password) and
something you have (an authenticator). The authenticator generates a new random code
every 60 seconds, making it difficult for anyone other than the genuine user to input the
correct code at any given time.
To access information or resources protected by one-time password technology, users
simply combine their secret personal identification number (PIN) with the code that
appears on their authenticator display at that given time. The result is a unique, one-time
password that is used to positively assure a user’s identity.
One-time password technology is available in many form factors including:
– Hardware authenticators. Traditional hardware authenticators (sometimes referred to as
“key fobs”) are portable devices that are small enough to fit on a key chain and meet
the needs of users who prefer a tangible solution or who access the Internet from a
number of different locations.
– Software authenticators. Software authenticators (for PCs, USB drives, or mobile
devices) are typically offered as an application or in a toolbar format that is securely
placed on a user’s desktop, laptop or mobile device.
– On-demand. On-demand authentication involves delivery of a unique one-time
password code “on demand” via SMS (text message) to a mobile device or a user’s
registered e-mail address. Upon receipt of the unique code, a user simply enters it,
along with their PIN or password, to gain access.
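As an added illustration of the PIN-plus-code scheme described above (this is example code written for this page, not code from the paper or from any RSA product, and it does not show the algorithm of any particular authenticator), the following Python builds the time-based code with the standard HMAC and dynamic-truncation construction of RFC 4226/6238, using the 60-second window the paper mentions. The seed, PIN and timestamps are constructed values; the one-window clock-drift tolerance on the verifying side is an assumption of the example.

```python
import hashlib
import hmac
import struct

# Illustrative time-based OTP using the HMAC / dynamic-truncation construction of
# RFC 4226 and RFC 6238. Not the algorithm of any particular product.
# The 60-second time step follows the paper's description.
TIME_STEP_SECONDS = 60
CODE_DIGITS = 6


def totp_code(seed: bytes, unix_time: int,
              step: int = TIME_STEP_SECONDS, digits: int = CODE_DIGITS) -> str:
    """Code shown on the authenticator display for the window containing unix_time."""
    counter = unix_time // step                        # index of the current time window
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def user_passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """What the user types: PIN (something you know) + displayed code (something you have)."""
    return pin + totp_code(seed, unix_time)


def verify_passcode(submitted: str, pin: str, seed: bytes, unix_time: int,
                    drift_steps: int = 1) -> bool:
    """Server-side check.

    Accepts the current window plus/minus drift_steps neighbouring windows to absorb
    clock drift between token and server (an assumption of this example). Anything
    older is rejected, so a passcode captured by a key logger stops working once its
    window has passed, unlike a static password.
    """
    if len(submitted) != len(pin) + CODE_DIGITS:
        return False
    submitted_pin, submitted_code = submitted[:len(pin)], submitted[len(pin):]
    if not submitted_code.isdigit():
        return False
    # Constant-time comparisons so timing does not leak how much of the input matched.
    if not hmac.compare_digest(submitted_pin.encode(), pin.encode()):
        return False
    for k in range(-drift_steps, drift_steps + 1):
        t = unix_time + k * TIME_STEP_SECONDS
        if t < 0:
            continue
        if hmac.compare_digest(totp_code(seed, t).encode(), submitted_code.encode()):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values: not a real seed or PIN.
    seed, pin = b"12345678901234567890", "1234"
    issued_at = 1_700_000_000
    passcode = user_passcode(pin, seed, issued_at)
    print("passcode accepted now:", verify_passcode(passcode, pin, seed, issued_at))
    print("same passcode 5 minutes later:", verify_passcode(passcode, pin, seed, issued_at + 300))
```

The seed must be provisioned to both the authenticator and the server out of band and protected at rest on the server; the PIN check happens first so that a lost token alone is not enough, which is exactly the two-factor property the section describes.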
Risk-based authentication
Risk-based authentication is a system that measures a series of risk indicators behind
the scenes to assure user identities and devices and/or to authenticate online activities.
Such indicators include certain device attributes, user behavioral profiles, device profiles
and IP geo-location. The higher the risk level presented, the greater the likelihood is that
an identity or action is fraudulent. If the system determines the authentication request to
be above the acceptable risk threshold (typically established by each organization), then
risk-based authentication provides the option to challenge the user with “step up”
authentication. In a step-up authentication scenario, a user may be asked to answer
challenge questions or submit an authorization code delivered to a phone via SMS text
message or e-mail.
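To make the threshold-and-step-up logic concrete, here is an added Python example (written for this page, not taken from the paper or from any RSA product) that scores a login against the kinds of indicators listed above: device recognition, IP geo-location, time-of-day behaviour and recent failures. The weights, thresholds, user profile and login contexts are all constructed assumptions; a real deployment tunes them against its own fraud and false-positive data.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Weights and thresholds are constructed for this example (assumption).
WEIGHTS = {
    "unknown_device": 45,     # device attributes / device profile
    "unusual_country": 40,    # IP geo-location
    "unusual_hour": 15,       # user behavioural profile
    "failed_attempt": 5,      # per failed attempt in the last hour, capped below
}
MAX_FAILED_ATTEMPT_SCORE = 25
STEP_UP_THRESHOLD = 40   # at or above: challenge with a second factor
DENY_THRESHOLD = 90      # at or above: refuse without offering step-up


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range       # local hours at which this user normally logs in


@dataclass
class LoginContext:
    user: str
    device_id: str
    ip_country: str
    hour_of_day: int
    failed_attempts_last_hour: int


def risk_score(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum the weighted indicators; return the score and the indicators that fired."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if ctx.ip_country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.hour_of_day not in profile.usual_hours:
        score += WEIGHTS["unusual_hour"]
        reasons.append("unusual_hour")
    if ctx.failed_attempts_last_hour > 0:
        score += min(WEIGHTS["failed_attempt"] * ctx.failed_attempts_last_hour,
                     MAX_FAILED_ATTEMPT_SCORE)
        reasons.append("failed_attempts")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """Map the score to one of: allow, step_up (challenge with a second factor), deny."""
    score, _ = risk_score(ctx, profile)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed profile and login attempts for the demo.
    alice = UserProfile(known_devices={"laptop-7f3a"}, usual_countries={"US"},
                        usual_hours=range(7, 20))
    attempts = [
        LoginContext("alice", "laptop-7f3a", "US", 10, 0),   # everyday login
        LoginContext("alice", "phone-new", "US", 10, 0),     # new device
        LoginContext("alice", "kiosk-01", "RO", 3, 4),       # everything unusual
    ]
    for a in attempts:
        print(a.device_id, a.ip_country, a.hour_of_day, "->", risk_score(a, alice), decide(a, alice))
```

Returning the fired indicators alongside the score is deliberate: the reasons feed the audit log and the analyst's review, and they let the organization see which weight is generating most step-up challenges when it tunes the threshold.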
Knowledge-based authentication
Knowledge-based authentication is a method used to authenticate an individual based
on knowledge of personal information, substantiated by a real-time interactive
question-and-answer process. The questions presented to a user are drawn from public
record databases, are selected at random, and have not previously been asked of the user.
Digital certificates
A digital certificate is a unique electronic document containing information that identifies
the person or machine to which it is bound. The digital certificate can be stored on a
desktop, smart card or USB token. For stronger two-factor authentication, the digital
certificate can be locked on a smart card or USB token, requiring the user to enter a PIN in
order to unlock
the certificate and use the credential. The digital certificate can then be utilized to
authenticate a user to a network or application. In addition to being used for user
authentication, digital certificates can add value to the enterprise by enabling digital
signatures or e-mail encryption.
Digital certificates can also be combined with OTP deployments using a hybrid
authenticator. In this case, the hybrid authenticator stores multiple credentials and
streamlines the end-user experience. A common use case for a combined certificate and
OTP deployment is to unlock hard disk encryption with a digital certificate followed by
authentication to a VPN with a one-time password.
The ROI Benefits of Strong Authentication
The perceived cost of strong authentication is misleading, and organizations that focus
solely on cost overlook the long-term benefits that can be derived from implementing a
strong authentication solution. Also, strong authentication is no longer just built for the
large enterprise. Many vendors offer effective strong authentication solutions that fit the
limited IT budgets of small and mid-sized businesses and deliver the same benefits.
Considerations in making the case for strong authentication include:
Reduce risk
As functionality and technology move information – and access – to new channels, the
risks to information grow. As the workforce continues to mobilize, corporate
“boundaries” become less distinct – as do the types of devices that are used to access
the corporate network. The value of the organization’s data no longer is specific to
industry or size – no business is “safe.” Strong authentication can help organizations
mitigate their risk by assuring the identities of users before granting access to sensitive
information and applications – regardless of the channel or device that they are using to
access the information.
Enable employee mobility
Perhaps the most inhibiting factor preventing many organizations from fully utilizing and realizing the potential of the online channel is security.
Technology is making the world smaller, connecting employees with information no
matter where they are in the world. As the remote and mobile channels become more
refined, more employees can access the corporate network and its sensitive data –
anytime, anywhere, and from a wide range of corporate-sanctioned and/or consumer
devices and venues that may or may not be secure. Strong authentication offers an
additional layer of protection to facilitate secure remote access to critical business
systems and information – and ensure and enable employee mobility and productivity.
Create new business opportunities
Extending applications to multiple channels, including online and mobile, has allowed
organizations to provide convenient self-help services that offer real-time access and
improve customer satisfaction – and offer easy, 24/7 access to information for
contractors, partners and suppliers. In any online or mobile environment, it is important
to establish trust with the user. Strong authentication provides organizations with the
assurance that their users are who they say they are – and simultaneously builds the
confidence of the user populations – in particular, the customers – who are using the
services that contain their personal information.
Lower costs
Some business applications provide the ability for companies to address expensive,
labor-intensive internal processes. Order processing, human resource systems, forms
processing applications and numerous other personnel-intensive business processes are
being automated to introduce efficiencies and reduce costs. Strong authentication
provides convenient, secure authentication for users of these applications, which
are critical components of the business infrastructure. In addition, strong authentication
eliminates the high volume and cost of password resets, thereby reducing the cost of
help desk support.
Support compliance
Government regulations such as Sarbanes-Oxley, PCI Data Security Standard, US Data
Breach Notification laws and the Health Insurance Portability and Accountability Act are
just a few of the regulations that call for the use of strong authentication to protect
access to the corporate network in order to meet compliance requirements. Failure to
meet these requirements could result in regulatory fines and penalties.
Conclusion
Unlike password management systems, strong authentication delivers the powerful
security necessary to protect access to sensitive data – regardless of channel – and
allows users to conduct business safely. The hidden costs associated with password
security outweigh the perceived high price-tag of implementing strong authentication.
Many security vendors provide multiple strong authentication solutions for companies of
all sizes, including cost-effective solutions built specifically for businesses with limited IT
budgets. Moving away from cost-based thinking to the benefits that can be realized with
enhanced security creates a compelling case to show the return on investment from
strong authentication.
Debunking the Myths of Strong Authentication

Myth: I use passwords because they don’t cost me anything.
Reality: Passwords are actually expensive to manage when you consider that nearly 30 percent of calls placed to the help desk are for password resets. When the average cost of a help desk call is factored in, passwords actually come with many hidden costs.

Myth: My business uses strong passwords and our employees are required to change them on a regular basis, so this lowers my risk.
Reality: Strong passwords that include numbers, capital letters or special characters are harder for a hacker to guess, but also harder for employees to remember. This creates a spike in help desk calls and leads employees to engage in unsafe password management practices, such as writing down passwords on paper, which actually increases risk.

Myth: My business can’t afford the cost of strong authentication.
Reality: Strong authentication can be very cost-effective – and not just for large organizations. Many vendors offer packages that carry the benefits of enterprise-level strong authentication security, but that are developed specifically for the needs – and limited IT budgets – of small and mid-sized businesses.

Myth: The cost of strong authentication outweighs the benefits.
Reality: The cost of strong authentication is much lower than what it would cost if your organization experiences a data breach or the fines and penalties you will have to pay for being non-compliant. In addition, strong authentication supports the move to new channels, which can open the door for new business opportunities and revenue streams.

Myth: Cyber threats only target large organizations and the government.
Reality: In fact, it’s quite the opposite. Cybercriminals are targeting small and mid-sized businesses on a frequent basis because they usually have limited security controls in place – such as weak password authentication – making them more vulnerable to an attack.