
CISO Survival Part 2: The Perils of Managing Sensitive Data

By Scott Lavery • February 1, 2019

In our previous post, we talked about the role of the CISO and how the rapidly evolving, connected economy is creating challenges around the cataloging and security of sensitive data within an organization.  We also discussed the perils of being a CISO and not knowing where that sensitive data resides – much less how it’s secured.

And it is worth remembering that in companies without a CISO role, you can probably substitute CIO or CTO when thinking about those responsibilities.

So how does a CISO get a handle on where sensitive data resides in their organization?  And how do they take those first steps in assuring that the data is secured? 

Identifying where sensitive data exists may sound like a simple task, but anyone in IT will tell you, it’s not.  Applications are complex and always changing.  Storage systems are even more complex and prone to being orphaned and forgotten about.  Sensitive data can exist in multiple production environments and is often replicated for lower testing and development environments. It is also frequently archived and sent to the land of misfit zip files.

To make the task even more daunting, the identification of sensitive data is a continuous job.  If you identify your data today, that’s great!  But it will change in a month, a week or even a day.  New applications are implemented.  New data comes in.  New test and development environments are created. 

One approach that many companies take is to use tools to figure out how data moves from system to system and where the storage silos are. 

This allows for the discovery of where sensitive data is originating and where it is being sent or replicated.    If sensitive data ends up being stored outside of fully secured databases, a company needs to be able to track how it got there.

And while there are many tools that excel at doing automated data discovery across an enterprise, some companies choose to go the manual approach – using pen, paper and spreadsheets.  After all, it’s their company and their data, shouldn’t they be able to figure out where the data is? 

It’s a step in the right direction, but picture an auditor or investigator coming in and asking for an inventory of your sensitive data.  Pulling out a spreadsheet that may be weeks or months out of date is not going to go over well. 

Data discovery tools are typically designed by companies that focus on data security and tailor their solutions to perform comprehensive examinations of a company’s data infrastructure.

So, you have a tool in place that produces reports on where your sensitive data lives.  What now?

Now you have to assess the risks associated with the access, management and storage of data deemed “sensitive.”  Data security can no longer be viewed as an IT problem.  It is a business problem that affects multiple departments and the company’s financial stability.  And that risk has to be owned by someone.  In today’s regulatory-driven environment, it typically rolls up to, you guessed it… the CISO.

A good next step in assessing data risk is to have a Privacy Impact Assessment. 

A Privacy Impact Assessment is structured to identify data security issues and, as not all sensitive data is created equal, typically provides a data classification matrix with the risks associated with each tier of sensitive data.  For example, exposed bank account numbers are typically a higher tier of risk than a vendor identification number.

A comprehensive Privacy Impact Assessment will provide:

  • The movement patterns of sensitive data between departments and data storage mechanisms.
  • The amount of sensitive data the company processes and stores.
  • The physical and virtual locations of that data.
  • The number and roles of users that have access to the data.
  • A liability cost estimate associated with the exposure of that data.

The Privacy Impact Assessment should provide the data needed to construct a phased plan to address the identified risks.  Don’t try to boil the ocean.  Typically a company will move to address the areas of highest liability first, ensuring that comprehensive controls are put in place before moving down the risk priority list.
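To make the discovery and tiering steps concrete, here is an added example (it is not Appsian’s tooling and not code from the original post) that scans constructed sample records from a production and a test environment, classifies values that look like SSNs, payment card numbers, bank accounts, e-mail addresses and vendor IDs, and rolls the hits up by liability tier. The patterns, the tier assignments and the sample data are assumptions made for this example.

```python
"""Added example (not Appsian's code): scan constructed sample records from
several environments, classify fields that look like sensitive data, and
roll the findings up into a tiered inventory a PIA could start from.
Patterns, tier assignments and sample rows are assumptions for this example."""
import re
from collections import defaultdict

# Tier 1 = highest liability. Membership is an assumption for this example.
TIERS = {"ssn": 1, "bank_account": 1, "card_number": 1, "email": 2, "vendor_id": 3}

PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
    "bank_account": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),  # IBAN-shaped
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "vendor_id": re.compile(r"^VND-\d{6}$"),  # assumed internal format
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify_value(value: str):
    """Return the data class a single cell value matches, or None."""
    v = value.strip()
    if PATTERNS["ssn"].match(v):
        return "ssn"
    if PATTERNS["card_number"].match(v) and luhn_ok(v):
        return "card_number"
    if PATTERNS["bank_account"].match(v):
        return "bank_account"
    if PATTERNS["email"].match(v):
        return "email"
    if PATTERNS["vendor_id"].match(v):
        return "vendor_id"
    return None

def scan(datasets):
    """datasets: {environment: {table: [row dict, ...]}}.
    Returns {(env, table, column): {"class": ..., "tier": ..., "count": n}}."""
    findings = {}
    for env, tables in datasets.items():
        for table, rows in tables.items():
            hits = defaultdict(int)
            for row in rows:
                for col, val in row.items():
                    cls = classify_value(str(val))
                    if cls:
                        hits[(col, cls)] += 1
            for (col, cls), n in hits.items():
                findings[(env, table, col)] = {"class": cls, "tier": TIERS[cls], "count": n}
    return findings

def inventory_by_tier(findings):
    """Roll findings up so the highest-liability locations are listed first."""
    by_tier = defaultdict(list)
    for (env, table, col), f in findings.items():
        by_tier[f["tier"]].append((env, table, col, f["class"], f["count"]))
    return {t: sorted(locs) for t, locs in sorted(by_tier.items())}

# Constructed sample data: production rows that were also copied into test.
SAMPLE = {
    "prod": {
        "employees": [
            {"emp_id": "1001", "email": "alice@example.com", "ssn": "123-45-6789",
             "pay_acct": "GB82WEST12345698765432"},
            {"emp_id": "1002", "email": "bob@example.com", "ssn": "987-65-4321",
             "pay_acct": "DE89370400440532013000"},
        ],
        "vendors": [{"vendor_id": "VND-000123", "contact": "vendor@example.org"}],
    },
    "test": {
        "employees": [
            {"emp_id": "1001", "email": "alice@example.com", "ssn": "123-45-6789",
             "pay_acct": "GB82WEST12345698765432"},
        ],
        "scratch": [{"note": "card on file", "pan": "4111111111111111"}],
    },
}

if __name__ == "__main__":
    for tier, locs in inventory_by_tier(scan(SAMPLE)).items():
        print(f"Tier {tier}:")
        for loc in locs:
            print("   ", loc)
```

Run as a script it prints the tier-ordered inventory. The copy of production in the `test` environment (the same SSNs and bank accounts) surfaces as tier 1 right alongside the production tables, which is exactly the replicated-to-lower-environments problem described above. A real scan would read database metadata and file shares rather than in-memory rows, and pattern hits should be validated (the Luhn check here cuts false positives for card numbers) before they drive a risk rating.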

Please contact us to learn how Appsian can be a key component in helping to address data risk.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

CISO Survival: Are You Protecting Your Sensitive Data?

By Scott Lavery • January 30, 2019

Do You Even Know What and Where It Is?

Not too long ago, I was involved in the war room activities surrounding the breach of a major travel company.  A breach that not only led to the exposure of sensitive information, but also to the use of that information to subvert the international travel infrastructure (yes, I’m being cagey with details here.)

A war room, in this instance, is an immediate incident response step and is typically a dedicated conference room full of ‘smart’ people that is set up to lead identification and remediation activities around a suspected or confirmed security breach.

Once the firefighting was done and the immediate threat remediated, the team moved into forensics mode, where the questions moved from ‘what happened?’ to ‘how did this happen?’.

In the course of that activity, the CISO of the company was brought in.  In addition to questions around security policies and response capabilities, two key questions were asked:

“Where do we have exposure to the hacking of data we categorize as sensitive to our customers, employees or partners?”

“What controls are in place to secure that data?”

In essence, his answers were:

If you’re asking for an inventory of where sensitive data exists, I’d have to partner with the application teams to determine that.

As far as controls, we have a pretty strong network perimeter.  But, again, I would have to partner with the application teams to ascertain what controls are in place at that level.

That CISO is no longer employed by that travel company.

Let’s talk about the role of the Chief Information Security Officer (CISO) 

Presumably it is a position that leads the charge to ensure that the organization is adequately protecting all data that is proprietary and/or necessary to conduct business operations.  That casts a pretty wide net.

But that net, in addition to proprietary business intellectual property, clearly includes customer, partner and employee data.  The compromise of any of these can lead to major impacts to business operations. 

A phishing attack yields the credentials of an application-level, high privileged user?  Well, that application is essentially ‘owned’ by the bad guy.  What kind of damage can they now do?

Even the compromise of lower level users can lead to a bad guy being able to escalate privileges and/or leap frog across other applications in the enterprise.

Aside from the potential for business disruption, the exposure and malicious use of sensitive data can lead to major financial losses and regulatory penalties for any organization.

Data awareness is a critical component of today’s CISO responsibilities. Knowing where your sensitive data lives is key.  Knowing the mechanisms of how it’s accessed and managed is just as key.

In the current compliance environment, data privacy is a hot button that is shaping many of the new regulations around the digital economy.  Whether it be GDPR, the California Consumer Privacy Act or the multitude of other mandates on how companies will be required to support data privacy, the anticipated responsibilities of the CISO are evolving well beyond having a handle on your network protection controls.

Application awareness is becoming a necessity.  Understanding what applications are housing sensitive data; whether it be a legacy ERP system or a cutting-edge cloud application, will be an inventory a CISO will be expected to maintain.

Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.

According to OWASP, ERP Is Vulnerable

By Scott Lavery • January 22, 2019

The Open Web Application Security Project (OWASP) periodically publishes its Top 10, a ranked list of the most critical categories of security risk affecting web applications across a typical enterprise.  Why is this so important?  In today’s world, the common digital attack does not focus on network vulnerabilities because networks no longer represent the wall or moat that protects an organization.  Today, the bad guys are focused on applications.

With the advent of mobile and the connected economy, identity is the new perimeter.  And identities live in applications.  So, that’s what the attackers are targeting.  And Enterprise Resource Planning (ERP) applications represent juicy targets as they are typically the user store of record for most companies.  Names, addresses, SSNs, bank account numbers and other sensitive data are usually found in an organization’s ERP infrastructure.

Let’s talk about a couple of the top risk categories in OWASP’s current list, and how they specifically relate to an ERP application:

Broken Authentication

Authentication encompasses the controls in place to ascertain the identity of an entity logging into an application.  It is commonly confused with ‘authorization’, which is the set of controls that determine what rights and permissions that entity has in the system once it has been authenticated.

ERP systems, like all critical applications, rely heavily on controls around making sure that I am who I say I am when logging in.

Broken authentication is when those controls can be subverted.  And it is common because many identity and access controls are poorly designed or implemented.  Session management is the backbone of most identity management solutions and is present in almost all stateful applications.  ‘Stateful’ just means that once I log in, I can traverse the application doing what I need to do without re-authenticating for every page or component.  The application ‘remembers’ me, and whatever token it uses to do so is worth as much to an attacker as my password.

Attackers use automated tools to find and exploit weak authentication controls: replaying username/password pairs leaked from other breaches against the login (credential stuffing), guessing passwords from word lists (dictionary attacks), or stealing and replaying an existing session token (session hijacking) so that no password is needed at all.
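The attacks above leave different traces in an application’s authentication log. As an added example (not from the original post and not Appsian’s product logic), the following runs three simple rules over constructed log lines: a source IP failing against many distinct usernames (credential stuffing), a source IP failing many times against one username (dictionary attack), and a session identifier reused from a second client (session hijacking). The log format, thresholds and sample lines are assumptions.

```python
"""Added example (not from the original post): simple detection rules over
constructed authentication log lines for credential stuffing, dictionary
attacks and session hijacking. Log format, thresholds and samples are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>login|session) (?P<kv>.*)$")

def parse(line: str) -> dict:
    """Parse one assumed-format line: '<iso-ts> <login|session> k=v k=v ...'."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
    for pair in m["kv"].split():
        k, _, v = pair.partition("=")
        rec[k] = v
    return rec

def detect_login_abuse(records, window=timedelta(minutes=5), min_users=5, min_fails=10):
    """Credential stuffing: one source IP failing against >= min_users distinct
    usernames inside the window. Dictionary attack: >= min_fails failures against
    one username from one IP inside the window. Returns [(kind, ip), ...]."""
    alerts = []
    fails_by_ip = defaultdict(list)  # ip -> [(ts, user)]
    for r in records:
        if r["event"] == "login" and r.get("result") == "FAIL":
            fails_by_ip[r["ip"]].append((r["ts"], r["user"]))
    for ip, fails in fails_by_ip.items():
        fails.sort()
        kinds = set()
        start = 0
        for end in range(len(fails)):          # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users:
                kinds.add("credential_stuffing")
            if max(per_user.values()) >= min_fails:
                kinds.add("dictionary_attack")
        for kind in sorted(kinds):
            alerts.append((kind, ip))
    return alerts

def detect_session_reuse(records):
    """A session ID seen from more than one (ip, user agent) pair is a hijacking
    indicator: a stolen cookie being replayed from somewhere else."""
    seen = defaultdict(set)
    for r in records:
        if r["event"] == "session":
            seen[r["sid"]].add((r["ip"], r.get("ua", "?")))
    return sorted(sid for sid, clients in seen.items() if len(clients) > 1)

# Constructed sample log lines.
SAMPLE_LOG = [
    # one IP trying many different accounts (credential stuffing)
    *[f"2019-01-22T08:00:{i:02d}Z login user=user{i} ip=203.0.113.5 result=FAIL" for i in range(6)],
    # one IP hammering a single account (dictionary attack)
    *[f"2019-01-22T08:10:{i:02d}Z login user=admin ip=198.51.100.20 result=FAIL" for i in range(12)],
    # a real user mistyping once, then succeeding: must not alert
    "2019-01-22T08:20:00Z login user=alice ip=192.0.2.10 result=FAIL",
    "2019-01-22T08:20:05Z login user=alice ip=192.0.2.10 result=OK",
    # alice's session cookie later used from a different host and client
    "2019-01-22T08:20:06Z session sid=s1 user=alice ip=192.0.2.10 ua=Firefox",
    "2019-01-22T08:45:00Z session sid=s1 user=alice ip=203.0.113.77 ua=curl",
    "2019-01-22T08:46:00Z session sid=s2 user=bob ip=192.0.2.11 ua=Chrome",
]

def run(lines=SAMPLE_LOG):
    records = [parse(line) for line in lines]
    return {"login": detect_login_abuse(records), "sessions": detect_session_reuse(records)}

if __name__ == "__main__":
    print(run())
```

Alice’s single typo stays below both thresholds, the two attacking IPs each raise one alert, and `s1` is flagged because the same session token shows up from a second host with a different user agent. Thresholds need tuning per application (an ERP with a shared service account will look like a dictionary attack at these numbers), and the session rule assumes the application logs the session identifier, or a hash of it, with each request.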

Many ERP systems are what we consider to be legacy applications and were designed and implemented when session management was not a huge concern due to the insular nature of their deployments (accessible only inside the network, etc.).  This leaves them very vulnerable to authentication attacks.

Sensitive Data Exposure

Legacy on-premises applications are notorious for not maintaining good data controls around the information they contain.  The risk was typically viewed as minimal, because the only people that could access those applications were ‘trusted’ employees inside the network.  ERP implementations typically fell into this category.

In my experience doing security assessments in years past, ERP systems were typically an asterisk in my final report as my customers were not willing to invest in the time or expertise needed to fully vet their security controls.  The common rationale?  It’s an inside application that is only accessible by a few individuals in Finance and HR.

In today’s world, many of those legacy applications, including ERP, have evolved into web applications that allow access from the internet.  And, in many cases, that evolution has not been well-planned or architected. Patchwork code and sloppy implementations rushed to market to meet a need to become part of the connected world have led to a whole new attack space for bad actors.

What’s exposed?  Attackers have discovered that many organizations’ keys to the kingdom are data stores, including ERP systems, which are not well protected and are now exposed to the world wide web, a highway in.  Whether it be financial data, personal information or private health data, attackers have new targets to go after.

Most of these applications are unable to implement the granular controls needed to control and monitor access to sensitive information.   Companies have to start looking beyond the built-in security capabilities of these applications.  Capabilities that weren’t typically designed or implemented to deal with today’s connected world.

What Can Companies Do?

It’s time to take a different view of application security.  Applications no longer exist behind network perimeters, managed by firewalls and other network-level protections.  In today’s digital economy, companies are rushing to be able to exchange data with prospects, customers, employees and partners – regardless of how they’re accessing the application (mobile phone, tablet or desktop), and from where they are trying to access it (inside/outside the network, etc).

Learn how Appsian can help protect against the risks associated with Broken Authentication,  Sensitive Data Exposure and many of the other top application vulnerabilities identified by OWASP.

Locking the Front Door Isn’t Always Enough

By Scott Lavery • January 10, 2019

Most of us are now familiar with what Multi Factor Authentication (MFA) has brought to our daily lives.

Try accessing your bank account from a new computer or mobile device.  Or from a location that is far from home.  Or even when you try to log in in the middle of the night.  All behaviors that could be deemed “suspicious” and potentially hacker generated.

MFA is the method that is commonly utilized to mitigate risks associated with these “out-of-the-norm” behaviors.  Essentially it boils down to your bank, for example, saying “we’re just not sure this really you and we recognize that your account information could have been hacked, so we want more proof that you are who you say you are.”

So, let’s take a step back

In the digital world we live in, how do we “prove” we are who we say we are?  Usually it’s via a username and password that is assumed to be known only by the user.  But in these days of phishing attacks and other social hacks, usernames and passwords are not as secure as once thought.  Hence the introduction of MFA.

MFA demands an additional form of identity validation.  Username and password are something you know.  MFA accepts that validated information, but also requires either something you have or something you are to provide that additional level of validation when needed.

What you “are” focuses on biometrics.  Let’s discuss that in a future post.

What you “have” typically revolves around a phone that can receive text messages or uses an application to receive approval requests.  You input a code you have been sent or you click on “Approve” in a phone application, and only then are you allowed access.

Works well.  But, as the good guys get smarter, so do the bad guys.

MFA can be undermined when access to an application starts from an email or a malicious website link.  Phishing toolkits have been released that stand up a look-alike site (a bank, an organization’s ERP, etc) acting as a reverse proxy to the real one: the victim’s username, password and one-time code are relayed to the real site in real time, the login succeeds, and the kit captures the resulting authenticated session.  The MFA check at the front door was genuinely passed, just not by the attacker, who now holds the session that passing it produced.

It’s phishing on steroids and emphasizes the need for MFA protection within an application.  Front door security is important and is an effective layer of protection.  But in-application MFA, a fresh challenge when a sensitive page, component or transaction is requested, represents an additional layer of identity validation that limits what can be done with a session captured at the front door.
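As an added example (not the post’s or Appsian’s code), the following sketches what an in-application step-up check looks like and why it blunts the attack just described: the login-time MFA result lives on the session, but a sensitive component is served only when a second-factor proof is recent and was completed from the same client (IP address and user agent here) that is now asking. A session captured at the front door satisfies the first condition and fails the second. The component names, the ten-minute freshness window and the client fingerprint are assumptions.

```python
"""Added example (not Appsian's code): in-application step-up MFA bound to the
client that completed it. Component names, freshness window and the
(ip, user-agent) fingerprint are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SENSITIVE_COMPONENTS = {"direct_deposit", "ssn_view", "payroll_export"}  # assumed
STEP_UP_MAX_AGE = timedelta(minutes=10)                                   # assumed

@dataclass
class Session:
    sid: str
    user: str
    mfa_at_login: bool                       # front-door MFA result
    step_up_at: Optional[datetime] = None    # when in-app MFA last completed
    step_up_client: Optional[tuple] = None   # (ip, ua) that completed it

@dataclass
class Request:
    session: Session
    component: str
    ip: str
    ua: str
    now: datetime

def decide(req: Request) -> str:
    """Return ALLOW, STEP_UP (challenge before serving) or DENY."""
    s = req.session
    if req.component not in SENSITIVE_COMPONENTS:
        return "ALLOW"
    if not s.mfa_at_login:               # front-door MFA is necessary ...
        return "DENY"
    client = (req.ip, req.ua)            # ... but not sufficient for sensitive data
    fresh = s.step_up_at is not None and req.now - s.step_up_at <= STEP_UP_MAX_AGE
    if fresh and s.step_up_client == client:
        return "ALLOW"
    return "STEP_UP"

def complete_step_up(s: Session, ip: str, ua: str, now: datetime) -> None:
    """Call only after the second factor is verified; binds the proof to the client."""
    s.step_up_at = now
    s.step_up_client = (ip, ua)

def walkthrough():
    """Constructed sequence: the decisions an application would make in order."""
    t0 = datetime(2019, 1, 10, 9, 0, 0)
    s = Session("s1", "alice", mfa_at_login=True)
    out = []
    # 1. A non-sensitive page: no extra prompt.
    out.append(decide(Request(s, "home", "192.0.2.10", "Firefox", t0)))
    # 2. Direct deposit: challenged, completes MFA, then allowed.
    out.append(decide(Request(s, "direct_deposit", "192.0.2.10", "Firefox", t0)))
    complete_step_up(s, "192.0.2.10", "Firefox", t0)
    out.append(decide(Request(s, "direct_deposit", "192.0.2.10", "Firefox", t0 + timedelta(minutes=1))))
    # 3. The same session replayed from another host (captured via a phishing
    #    proxy or hijacked): login MFA was satisfied, but the step-up proof is
    #    bound to Alice's client, so the attacker is challenged again.
    out.append(decide(Request(s, "direct_deposit", "203.0.113.77", "curl", t0 + timedelta(minutes=2))))
    # 4. Alice again, after the freshness window has expired.
    out.append(decide(Request(s, "direct_deposit", "192.0.2.10", "Firefox", t0 + timedelta(minutes=30))))
    return out

if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough returns the decisions in order: ALLOW for the non-sensitive page, STEP_UP then ALLOW for Alice on direct deposit, STEP_UP for the same session replayed from another host, and STEP_UP again for Alice once the window expires. The caveat: a reverse proxy that relays the step-up challenge in real time can still get through that one operation while the victim is at the keyboard, so the client binding and the short window limit what a captured session can reach and make every step-up from an unfamiliar client an event worth alerting on; they do not replace phishing-resistant second factors.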

Learn more about in-application MFA

2019: ERP In the Crosshairs

By Scott Lavery • January 2, 2019

There’s an old Hollywood saying that showcases the cinematic battle between the well-armed and the ill-prepared:

“Never bring a knife to a gun fight.”

Classic quote.  But a far more accurate representation of today’s conflict between hackers and legacy application owners might read:

“Never bring a slingshot to a nuclear bombardment”

ERP systems, the cornerstone of many organizations’ application infrastructures, are typically wielding slingshots when battling bad actors with sophisticated technology and pervasive social attacks.

ERP systems have been increasingly targeted by criminal and nation-state attackers due to several factors:

  • ERP systems typically hold the keys to the kingdom for an organization. Names, national identifiers, bank account info and proprietary company financial data are just some of the types of data that ERP applications store.
  • ERP systems are complex (millions of lines of code) and typically onerous to administer, patch and upgrade. There is typically very little tolerance for the downtime needed to keep the system up to date on necessary maintenance.
  • Customized functionality is often introduced into ERP applications without a view into the security vulnerabilities that might be exposed.
  • Legacy ERP systems were originally designed to operate within an organization’s network. It has only been recently that bolt-on additions have been adopted to allow Internet access.  This increased attack surface has led to known vulnerabilities being exposed to a much larger group of bad actors.

In 2018, Onapsis (an ERP security firm) and Digital Shadows (a threat intelligence firm) published a joint report detailing current trends in ERP security.  Some of the key findings included:

  • Attacks on ERP systems are evolving. They aren’t focusing on finding new vulnerabilities, but rather on taking advantage of known existing vulnerabilities that likely have not been patched.
  • Known malware families such as Dridex have been modified so that the delivered payload targets credentials for internal ERP applications, allowing easy theft of user credentials across the system.
  • Hacks are no longer just about stealing data. There is clear evidence that nation state hackers are seeking to sabotage critical business operations for key organizations. 
  • Cloud and mobile are increasingly expanding the threat surface of most ERP implementations. Access without the appropriate controls has created a playground for bad actors.

ERP systems have been around for thirty plus years.  For many organizations they are like the foundation of a house.  Key business operations rely on the availability and integrity of their functionality.  Disrupting that availability or compromising that integrity would likely result in significant losses – or worse – to the business.

In 2019, attacks against ERP systems will continue to evolve.  And regardless of whether the intent is to steal data or to disrupt business operations, these attacks will look for cracks in that foundation.

Appsian can help protect against those attacks. Appsian can help shore up your foundation.

ERP Breaches Increasingly Becoming User-Centric

By Ryan Quinonez • December 5, 2018

According to a report from the UK Information Commissioner’s Office (ICO), data breaches are up 75% in two years. Research from the Identity Theft Resource Center also states that the number of breaches at U.S. businesses, government agencies and other organizations topped 1,300 last year, versus fewer than 200 in 2005.

Compromised credentials, unauthorized data sharing, and privilege abuse have caused some of the most severe data breaches across the globe. Organizations have always prioritized traditional network security; however, threats are increasingly becoming user-centric, originating at the application level.

In today’s security environments (governed by mobile devices, remote connectivity, and web-facing applications) identity has become the new network perimeter. The first line of defense is no longer a network firewall – it’s now your end users.

Modern threats have evolved to exploit these new weaknesses and unfortunately many organizations have lagged behind.

A Look at ERP Breaches, Inside and Out

Appsian has compiled a whitepaper using several recent cases where alarming data breaches impacted prominent global organizations. Addressing the top internal and external threat vectors, these breaches highlight the need for critical security features that can prevent the loss of PII, allow for faster detection and response, and aid in maintaining regulatory compliance.

In this whitepaper we explore a number of headline-grabbing breaches and highlight concerns from the perspective of preventing breaches, protecting data, and fast-tracking remediation and response tasks.

Download the Whitepaper HERE.

PeopleSoft Application Security

PeopleSoft applications are the core of an organization’s financial, personnel and corporate operations. The amount of PII across these applications makes them a crucial part of your organization’s security strategy. With evolving threats, the security posture of ERP applications needs to evolve too. But, despite robust security features, out-of-the-box PeopleSoft applications are not prepared to tackle modern security threats and regulatory compliance.

Our security experts are happy to answer any questions you might have. Write to us at [email protected] or request a demo for our exclusive PeopleSoft security products.

The Marriott Breach: Do You Have Unwanted Guests In Your ERP System?

By Scott Lavery • December 3, 2018

Marriott has reported that a massive data breach of its guest reservation system has led to the exposure of up to approximately 500 million customer records.  The data, held in the Starwood guest reservation database, includes names, mailing addresses, email addresses, passport numbers, dates of birth, reservation details and, in some cases, payment card information.

And although the payment card numbers were encrypted, Marriott could not rule out that the two components needed to decrypt them were also taken.

What is of real interest when talking about this breach (probably the second largest ever) is that the evidence shows the attackers had been in the Starwood reservation system since 2014.  Four years, undetected during that period.

Four years of unauthorized and undetected access is an eternity for hackers.  And really inexcusable from a security perspective.  But it does serve to show that unprotected systems can lead to stealth attacks where hackers are less interested in “smash and grab” intrusions and more focused on a long term presence in systems – where they can harvest information over a long period of time.

The Marriott breach was apparently a direct attack on back-end databases, but front end access mechanisms are also a frequent target for infiltration attempts.  This is especially true for applications where there is limited visibility into activity at the request / response level.

Who is accessing what information?  Where are they accessing it from?  Do they need to be accessing it at all?  What controls do you have in place to protect sensitive data?  These are all questions that a company needs to be prepared to answer.  And not just in the event of a breach.

New regulations, like GDPR and the recently passed California Consumer Privacy Act (CCPA), give individuals rights over the personal data a company holds about them.  Let’s say I discover that my bank account has been hacked.  I have no clue how the culprits obtained my data.  But it had to start somewhere, and under the new regulations I have the right to go to any company that stores my personal data, such as bank account information, name, address, SSN, etc, and demand an account of what it holds, how that information has been used and who it has been disclosed to.

If an investigator or auditor showed up at your company’s doorstep demanding to see that level of access detail, would you be able to provide it?  And could you provide it for the last four years?

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, plus new data regulations, have paved the way for several necessary security enhancements. As the end of 2018 draws near, organizations must be aware that attackers know “year-end” bonus season is coming and are preparing their tactics to redirect your employees’ hard-earned payroll and bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. By leveraging phishing and social engineering attacks, most ERP breaches now originate from the unauthorized use of valid login credentials stolen directly from the user. That makes your users (and their passwords) by far the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Inspired by dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization should adopt, detailing the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready with 360-degree awareness of what is going on inside your PeopleSoft systems and user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics to your PeopleSoft security infrastructure.
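As an added example tying together three of the items above (field-level step-up, location-based least privilege and masking), and not code from Appsian or this post, the following decides what one user sees for each sensitive field of an employee record: a role without full-view rights always gets the masked value, an entitled role inside the corporate network gets the full value, and an entitled role outside it gets the full value only after a fresh in-application MFA. The role names, field names, corporate network ranges and the employee record are constructed for the example.

```python
"""Added example (not Appsian's code): a field-masking decision that combines
role, network location and in-app step-up state. Roles, fields, network
ranges and the employee record are assumptions for this example."""
import ipaddress

# Assumed corporate address space.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Assumed field -> roles allowed to see the full value. Anything not listed is
# not sensitive and is always shown as-is.
FULL_VIEW_ROLES = {
    "ssn": {"hr_admin", "payroll"},
    "bank_account": {"payroll"},
    "salary": {"hr_admin", "payroll", "manager"},
}

def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def mask(field: str, value: str) -> str:
    """Keep just enough of the value for the user to recognise the record."""
    if field == "ssn":
        return "***-**-" + value[-4:]
    if field == "bank_account":
        return "*" * (len(value) - 4) + value[-4:]
    return "****"

def render_field(field: str, value: str, roles, ip: str, stepped_up: bool) -> str:
    """Decide what this user sees for one field (masking happens server-side,
    so a user cannot recover the full value by editing the page)."""
    if field not in FULL_VIEW_ROLES:
        return value
    entitled = bool(set(roles) & FULL_VIEW_ROLES[field])
    if not entitled:
        return mask(field, value)
    if on_corp_network(ip) or stepped_up:
        return value
    return mask(field, value)   # entitled, but remote and no fresh in-app MFA

def render_record(record: dict, roles, ip: str, stepped_up: bool = False) -> dict:
    return {f: render_field(f, v, roles, ip, stepped_up) for f, v in record.items()}

# Constructed employee record.
EMPLOYEE = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "bank_account": "GB82WEST12345698765432",
    "salary": "85000",
}

if __name__ == "__main__":
    print("payroll, on-site:      ", render_record(EMPLOYEE, ["payroll"], "10.1.2.3"))
    print("payroll, remote:       ", render_record(EMPLOYEE, ["payroll"], "203.0.113.5"))
    print("payroll, remote + MFA: ", render_record(EMPLOYEE, ["payroll"], "203.0.113.5", stepped_up=True))
    print("manager, on-site:      ", render_record(EMPLOYEE, ["manager"], "10.1.2.3"))
    print("employee, on-site:     ", render_record(EMPLOYEE, ["employee"], "10.1.2.3"))
```

The same payroll user sees the full record on-site, a masked one from the internet, and the full one again once the step-up has been completed; a manager sees salary but never SSN or bank account. The point of folding location and step-up state into the rule is that a static role-based mask would show the remote payroll user everything the moment a phished credential logged in.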

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.

Download Your Whitepaper!

On a time-crunch? Request a quick session with our PeopleSoft security experts.

Contact Us Today!

1. https://info.digitalshadows.com/ERPApplicationsUnderFire-Press.html
2. https://www.us-cert.gov/ncas/current-activity/2018/07/25/Malicious-Cyber-Activity-Targeting-ERP-Applications
3. https://www.cyberark.com/resource/cyberark-global-advanced-threat-landscape-report-2018/

ERP Data Breaches: The Penalties Are Real… Real Expensive

By Scott Lavery • November 8, 2018

The 2015 Anthem Medical Data Breach

In August of this year, a U.S. federal court gave final approval to the settlement of the class action against the healthcare company Anthem resulting from the 2015 data breach that exposed the personal information of nearly 79 million people.  This personal information included names, Social Security numbers, dates of birth, email and street addresses and other data that falls under the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The final penalties included a $115 million settlement paid by Anthem, the reimbursement of demonstrable out-of-pocket costs paid by the victims in dealing with the breach, as well as Anthem being ordered to fund a minimum of two years credit monitoring for impacted consumers.

Quite a financial blow to Anthem, and that figure excludes the cost of the two years of lawsuits and litigation that led to the eventual settlement.

The breach, reportedly conducted via a phishing attack spearheaded by a foreign nation state, clearly exposed the lack of effective authentication and access controls within the Anthem environment.  Allegedly, a single user employed by an Anthem subsidiary opened a malicious email which allowed for the download of multiple files to the user’s computer and the eventual compromise of that user’s access to Anthem systems.

We’ve discussed social engineering attacks and how effective they can be at initiating enterprise-wide breaches.  But a key component of the Anthem breach was just how ineffective their protections around allowing access to sensitive data were.

Reportedly, this lack of protection included:

  • Production level data residing in multiple non-production (testing, development) environments.
  • A lack of step up authentication capabilities restricting access to sensitive data.
  • A lack of enforcement of the principle of least privilege, which mandates that user accounts only have roles and permissions needed to do their day to day job.
  • A lack of an effective single sign on infrastructure, which typically leads to users, in the interest of convenience, utilizing the same usernames and passwords across multiple systems.

Appsian can help shore up protections in many of these areas.  Don’t become the next Anthem.  Let us show you what our security platform can do for your organization.