Our 2016 Security Predictions…Because You Have to Write One of These!

As the year draws to a close, it’s time to face the facts: You are being deluged with 2016 predictions while you scroll through your news feed on your mobile device. And right here, right in the palm of your hands…that’s our very first prediction. Your security team has a device visibility problem.

Whether it is called BYOD, BYOx, IoT, or some other acronym, the fact is every workplace of every size needs to see the phones, laptops, access points, printers, and more in and around their network. 2015 was the year this hit home, and now, as Hello Kitty gets hacked, we can see that we are susceptible via any connected device. But it’s not just childhood playthings. Now, if we all agree this is a major trend, and you’re done reading all the other 2016 predictions, let’s look at specific device security trends (ahem, predictions) you’ll see come true in 2016.

So, as we continue to work hard to close out the year with a bang, we took some time to sit down together at Pwnie headquarters to sip some eggnog and discuss our predictions for the year ahead. Here are a few we came up with:


2016 will truly be the “year of mobile” – because a company will be breached via an approved mobile device, but not in the way you’d expect.

To date, no one has publicly acknowledged that a misconfigured device led to a crippling breach – or worse, the demise of an enterprise. But in 2016, this will change: we’ll learn of (and see proof of) the first major, publicly disclosed breach linked to a connected device. And as these device threats take the spotlight, organizations will increasingly seek out ways to achieve better visibility of the devices in and around their networks – for without this critical situational awareness, they cannot hope to effectively enforce even existing BYOD policies.


2016 is the year physical and cybersecurity truly intersects

Not long ago, a group of researchers demonstrated how to use a drone to intercept wireless printer transmissions from outside an office building, among other nefarious uses for drones. These use cases, as well as the integrated data we can now see via personal devices, are increasingly common and highlight the close link between physical and cyber security. In 2016, we’ll see more reports of seemingly innocuous, connected devices – like drones, health monitors, printers or even vacuum cleaners – being used to penetrate the network of an enterprise, each brought past physical security quite easily.


The perimeter is dead. Now it will be time to start acting like it.

While historically the defense industry has focused on building walls and “digging moats” to keep attackers out, the billions of devices in and around an organization act as countless new points of entry – ways for attackers to parachute in, often undetected. The perimeter is dead (and has been for some time). Companies will begin to shift the lion’s share of their time and resources away from fortifying the perimeter and toward effectively detecting and responding to current threats, including attacks already in progress. Many of these involve devices lurking in and around the workplace and also the “human factor” – internal employees wreaking havoc, often unintentionally, but sometimes maliciously.


The insider threat is real. In 2016 we get real about it.

While the industry has been aware of insider threats for a long time, we are just starting to fully grasp the notion that knowing is half the battle. As more agile detection and remediation technologies are introduced, companies are realizing just how large of a threat insiders pose, and that attacks from within often create the most damage. A recent SANS Institute study showed that almost three-quarters (74%) of IT security professionals are most concerned about negligent or malicious employees who might be insider threats. The FBI and Department of Homeland Security agree that insider threats have increased and that such threats pose a serious risk. The biggest inhibitor of progress on this front has been cost – if the price tag is too high, CIOs tend to find it cheaper to simply ignore the threat. Yet they cannot continue to bury their heads in the sand when it comes to insider threats. The stakes are too high, and in 2016 we’ll see companies begin to take this far more seriously and stories will focus around people losing their jobs and perhaps even being charged with corporate espionage.


Taking digital forensics to the next level in 2016.

Device intelligence will be utilized in new and innovative ways to aid local law enforcement in catching known criminals – a capability once reserved for top intelligence officials and the FBI. Additionally, advancements in device detection, fingerprinting and intelligence gathering will help organizations and government agencies assess hard-to-secure locations and people, such as SWAT or delivery vehicles, bases of military operations, and high risk targets such as politicians, celebrities or executives.


The in-security of political campaigns will become clear.

As the 2016 presidential primary season heats up, the field narrows and the stakes for each remaining campaign grow higher. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud and even political hacktivism. Yet according to the Online Trust Alliance (OTA), most presidential campaign sites have received failing grades on privacy, security and consumer protections. We expect to see more reports of frequent, and increasingly sophisticated, targeted attacks on these largely insecure campaigns. Politicians and their campaign leads need to wake up and realize they simply cannot afford to NOT have cyber security at the top of their priority list. Read all about how campaigns can secure themselves in our blog post on the subject.

What do you think 2016 will bring? If you have thoughts on device security please also consider taking our 5-minute annual survey. For your five minute effort you’ll get the report AND be entered into a chance to win a 12-month subscription to Pwn Pulse and a Pwn Plug R3.

Infosec Professionals Needed for Annual Wireless and Wired Device Threat Study

Participants to Receive Completed Research Study and Entry to Win Pwn Pulse Subscription

BOSTON, MA–(Marketwired – Dec 29, 2015) – Pwnie Express, the only company providing threat detection of the billions of wireless and wired devices in and around your workplace, today announced its second annual Device Threat Survey. The company is currently seeking IT security professionals to participate in this valuable security research. Spearheaded by the company’s research team, Pwnie Labs, this survey will explore top-of-mind threats related to high-risk or unknown hardware for security teams as they enter 2016.

What: Today’s organizations are suffering from a device visibility problem. Whether it is called BYOD, BYOx, or IoT, every workplace of every size needs to see the phones, laptops, access points, printers, and more in and around their network. Heightened visibility is critical to effectively arming security teams and better protecting businesses from the threats presented by the billions of devices in and around the workplace.

Where: To participate in this 5-10 minute survey, please visit: https://www.surveymonkey.com/r/ZY53C7P

Contest: All entrants will be automatically entered into a drawing for a 12 month subscription of Pwn Pulse, Pwnie’s enterprise-class SaaS solution purpose-built to detect, fingerprint, and analyze any wireless and wired device.

To view results of Pwnie Express’ inaugural 2015 study, The Internet of Evil Things Report, please visit here.

About Pwn Pulse
Pwn Pulse continuously detects all of the devices putting an organization’s workplace at risk. The SaaS platform detects devices connected to or even around a network, helping to replace legacy, expensive, on-site, manual point-in-time assessments. Pwn Pulse finds unidentified, open attack paths including: mobile phones, Wi-Fi Printers, Access Points, Smart Devices, and more, while working to amplify an organization’s existing IT and security tools, people, and workflow.

About Pwnie Express
Pwnie Express provides threat detection of the billions of devices in and around your workplace. By automating wireless and wired device detection, Pwnie solutions continuously detect the devices on or around your network that are open pathways for attackers. Pwnie arms your security team to win the BYOD battle with the ability to detect and fingerprint any device, from phone to thermostat, in order to prioritize your security response, reduce alert fatigue, and provide situational intelligence. See all the things you’re missing at pwnieexpress.com or @PwnieExpress.

Many gifts aren’t all fun and games

The Morning Call

December 24, 2015

By Paul Muschick

It’s always a relief when your kids unwrap their gifts on Christmas morning, as you finally can sit back and relax. But that doesn’t mean your responsibilities are wrapped up.

When setting up wireless phones, iPods, tablets and other electronics, including toys and video games connected to the cloud, you should act to prevent hacking, viruses and intrusions on your child’s privacy. Then teach them to use their new gadgets wisely.

If all this work makes you yearn for the days when your biggest worry was why you had bolts left over from assembling your kid’s bike, I’m with you. Consider this the new version….

(original article)

5 Ways Campaigns Can Secure Themselves

As a former government major, the first question I get asked is usually some variation of “who’s going to win in 2016?!” The second question: “How’d you end up in cybersecurity? What does cybersecurity even have to do with government?”

The answer, increasingly, is “everything.” After the recent data breach kerfuffle between the Sanders and Clinton campaigns, the connection has become clearer. It’s not just about policy now – it’s about practice. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud, and even political hacktivism. A recent study by Wakefield Research that examined American perceptions of the threat of political hacking shows 64% of registered US voters believe it is likely that a 2016 presidential campaign will be hacked.

Calling the breach a “software glitch” or “data issue,” the media sought to make it a story of political intrigue and election drama. They’re not wrong: in today’s world, losing access to data, or data in the wrong hands, could spell defeat. But when “a vulnerability in the software was exploited,” it sounds a lot more like a data breach. While the fault for this particular breach lies with the company that the Democratic National Committee had hired for its database, campaigns have access to all kinds of sensitive information and face many potential threats.

So how well are campaigns protecting themselves? According to the Online Trust Alliance (OTA), the answer is….not well. The organization recently reported that 17 of 23 presidential campaign sites received failing grades on privacy, security, and consumer protections. While websites are just the “posters on the wall,” campaigns whose websites can be easily defaced, used to mislead potential supporters, or used as a pivot into the organization are most likely not paying much attention to data security. And with the level of personal data now collected by these campaigns – from contact and financial information to personal views on abortion, gun reform and other sensitive topics – securing data is more important than ever.

But here at Pwnie, we don’t just point out the problem: we want to give you solutions, like Kyle’s post on passphrases NOT passwords earlier this week. Yes, it’s difficult, if not impossible, to fully secure yourself, but a few simple steps will go a long way. Consider this a holiday gift for the campaigns themselves.


5 Ways the Presidential Campaigns Can Secure Themselves
1. Admin Rights and Rules.
Who has access to your data? To your computers? For that matter, to your candidate? A quick audit of the administrator privileges for all of your services (data, website, social media, etc.) every couple of weeks shouldn’t take more than an hour and will help to reveal superfluous users and unnecessary access to potentially sensitive data.
If possible, whittle it down to the minimum number of people. I know that access is necessary for speed and flexibility, but a little creative thinking can go a long way. Have a higher-up who wants to post directly to social media? Great – but does she need the creds to every platform, or is she only ever going to post to Twitter? A newsletter that is written by two people but needs to be reviewed by twenty? Post an editable version somewhere outside of the email service and copy over to where it needs to be. It’s all about risk management and reduction (you’ll never get rid of risk entirely), but make sure you know what risk you’re accepting.
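That fortnightly audit is far easier to keep up if it is a script rather than a checklist. The following Python is an added example written for this post, not code from Pwnie Express or from any campaign’s tooling. The services, staff names, roles and the “three admins per service” threshold are constructed sample data; in practice the admin lists would be exported from each service’s own settings page or API and the roster from HR.

```python
# Constructed sample data standing in for the admin lists exported from each
# service's settings page (assumption: names, services and roles are made up).
ADMIN_EXPORT = {
    "twitter":      {"alice", "bob", "carol", "dave"},
    "facebook":     {"alice", "bob", "dave"},
    "voter_db":     {"bob", "dave", "erin"},
    "mailing_list": {"bob", "carol", "frank"},
    "website_cms":  {"bob", "frank"},
}

# Which services each role genuinely needs admin rights on (constructed).
ROLE_NEEDS = {
    "comms_director":  {"twitter"},   # posts to Twitter herself, nothing else
    "digital_lead":    {"twitter", "facebook", "website_cms", "mailing_list"},
    "data_director":   {"voter_db"},
    "field_organizer": set(),
}

# Current staff roster (constructed); dave left and was never removed anywhere.
ROSTER = {
    "alice": "comms_director",
    "bob":   "digital_lead",
    "carol": "field_organizer",
    "erin":  "data_director",
    "frank": "digital_lead",
}

MAX_ADMINS = 3  # more admins than this on one service is worth a second look


def audit_admins(admin_export, roster, role_needs, max_admins=MAX_ADMINS):
    """Cross-reference every service's admin list against the roster.

    Returns {"departed": [(service, user)],   # admin is no longer on staff
             "excess":   [(service, user)],   # on staff, but role does not need it
             "crowded":  [service]}           # more admins than max_admins
    Lists are sorted so two runs a fortnight apart diff cleanly.
    """
    findings = {"departed": [], "excess": [], "crowded": []}
    for service, admins in sorted(admin_export.items()):
        for user in sorted(admins):
            role = roster.get(user)
            if role is None:
                findings["departed"].append((service, user))
            elif service not in role_needs.get(role, set()):
                findings["excess"].append((service, user))
        if len(admins) > max_admins:
            findings["crowded"].append(service)
    return findings


def revocations(findings):
    """Flatten the audit into the (service, user) pairs to revoke today."""
    return sorted(set(findings["departed"]) | set(findings["excess"]))


if __name__ == "__main__":
    result = audit_admins(ADMIN_EXPORT, ROSTER, ROLE_NEEDS)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("revoke:", revocations(result))
```

The “excess” list is where the creative thinking in the text pays off: the comms director who only ever posts to Twitter shows up with a Facebook admin account she never uses, and the departed staffer shows up three times. Keep the previous run’s output and diff against it; anything that reappears after being revoked is a process problem, not a tooling one.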

2. Train personnel on how to avoid becoming a conduit for attack.

This is a major undertaking that many very secure organizations haven’t been able to accomplish, and I can only give you a limited list in a summary post like this one. Luckily, you (campaigns) already have one major advantage: your personnel actually care. They wouldn’t be there working for you if they didn’t care about the campaign, so it’s vital that you remind them that they, personally, could be the end of the campaign if they don’t pay attention to their cyber hygiene.

      • In this category, the top reminder is “passwords, passwords, passwords.” When the European Space Agency is using three-character combinations as passwords, it’s clear that we haven’t gotten to a point where everyone knows to use good passwords.
      • Give them someone to talk to if they suspect something is up. Do your personnel know who to talk to if they’ve seen anything suspicious? Do they have someone to tell when they receive a suspicious email? Create a system of reporting so that helpful employees can be helpful.
      • Public WiFi is dangerous! If cellular dongles or hotspots are not an option, remind them to be careful with what is sent (or logged into) via public WiFi.
      • Install AntiVirus. Though many have claimed “the end of AntiVirus,” there’s no excuse to not protect yourself when there are excellent free options available.
      • Remind them, too, that even their personal cyber safety can affect the campaign. A few simple steps might save them – and your campaign – a world of worry.

3. Be aware of the hardware.

We’ve said it, and we’ll say it again: hardware is another way into your organization. With the rise in the number of devices – both given out by the organization and brought in by employees and volunteers – the number of potential beachheads has skyrocketed. Without getting into the threats posed by the Internet of Things, start by asking yourself a question: what happens to any hardware provided by the campaign after an individual leaves, or the campaign is over? Is it wiped? Do you know what your volunteers are using on the campaign trail, and do you know if they’re leaking data?

4. Vet any third party providers.

NGP VAN’s claim on their blog that they “played no part in the October data issue that has been mentioned” is true in the sense that they did not help any campaign to download or export any data, but as with any third party data breach, their vulnerability led to the release of sensitive information. What other third party providers are you using? Do they value data protection? For most services, you have options: data security should rank right up there with price as an important deciding factor.

5. Use virtual private networks (VPNs).

While this might be a little more advanced than the previous suggestions, it isn’t as difficult as many might think. With many inexpensive VPN options available today, there’s no reason not to protect your sensitive communications by putting them on a private network. Keep in mind what a VPN does and doesn’t do: it protects traffic between the device and the VPN endpoint (which is what makes the public WiFi in step 2 survivable), but it does nothing for a laptop that is already infected or a weak password at the far end, so it complements the earlier steps rather than replacing them.

This is only a preliminary (and cursory) overview, but as two more campaign staffers were just let go in light of the recent scandal and the race becomes even more contentious, these little things make a big difference.

Creating A Secure PassPHRASE and Ditching PassWORDS

In a nearly two decade career in technology, mainly in security, I can count on my two hands the number of times that I’ve changed my personal behavior because of something I’ve heard in a meeting. Typically it would happen as I was sitting in the audience watching a presentation at some con, and a sudden realization came over me that if I tweaked my behavior just a bit I could better secure myself. At the same time I’ve been really lucky to sit next to super smart security people, literally, at work each day and listen in as they detailed why what I was doing was WRONG (or dumb, or idiotic…). Unfortunately, it isn’t always done with grace. There’s nothing I hate more than a smug reminder of how insecure I am with no suggestion of how to make it better.

Last week in a cramped conference room in Boston it happened again, but this time it was done with such ease and simplicity I not only wanted to change my behavior, I wanted to punch myself in the face for not having realized it sooner. The conveyor of this great idea – though not the first person to say it – was Jayson Street, well known throughout the community and of course on this blog for saying what he means, telling it like it is, and always trying to help all of us in need. The advice might be old hat for some, but it hit me like a ton of bricks.

The one thing you can do to better secure yourself in 2016 is to ditch your passwords and start using passphrases.

Yes, I know, many of you have been talking about and doing this for years. Even Edward Snowden got on the bandwagon earlier this year. Simply because it’s been talked about doesn’t mean people are actually adhering to the advice, and that means we have to keep talking about this one as much as possible, since our biggest threat remains the uneducated consumer. AND, yes, the strongest password is the one you can’t remember…but people outside of a very few in security simply laugh at the absurdity of that statement.

Now, with that all behind us, let’s talk about how to implement this into your connected lifestyle.

5 Ways To Create a Secure Passphrase…and Ditch Passwords

Think of a passphrase as a complex sentence, versus a password that is simply, well, a word that maybe has some digits or a few symbols (yes, you are SO tricky using ‘$$’ as ‘ss’). But there are a few tips you should follow (or share with your employees) to create the strongest passphrase.

1. Use The Space Bar

Most online accounts now support blank spaces in a passphrase. That lets you write the sentence we talked about above, and it makes the passphrase harder to guess for a human and harder to crack for a tool.

2. Go Long…15 or More Characters

Most password crackers slow down considerably once a passphrase reaches 15 or more characters. On Windows this is also the length at which the legacy LM hash is no longer stored (LM only handles passwords up to 14 characters), so an attacker who dumps your hashes loses the easy win of cracking LM and has to attack the NTLM hash, where every extra character costs them. Can they still figure it out? Sure, but the longer it takes them to get your passphrase, the better the chance they give up.

3. Use a Passphrase That is Personal, but Unique

The beauty of a passphrase is that it should be something you can remember a bit more easily, but it can’t be something that people would easily guess. Say, for example, you are a huge Star Wars fan (I hear there is a new one that came out recently), so you decide to create a passphrase of “May the force be with you!”. Look at you: it’s 26 characters, it uses the space bar, and even that pesky exclamation point. Nice work, but it’s not much stronger than your old “w00ki3” password, because famous quotes are in every cracking wordlist.

Most likely you have already liked Star Wars on Facebook and everyone knows you were at the midnight showing dressed as Jango Fett. That passphrase was personal, but it wasn’t unique. Instead, think of something you’d tell someone close to you, but not your coworkers. Unforgettable? Slightly embarrassing? Perfect:

“I actually like Episode one. Don’t tell anyone!”

4. Keep Being a Character

No, not you personally, your passphrase. Still use those exclamation points, hyphens, ampersands…they are even more effective in a passphrase. Building on our example:

“I @ctually like Episode 1. Don’t tell anyone!”

5. Variety is the Spice of Life…and Passphrases

Here is where I’m still going to tell you that you need different passphrases for different accounts. Now, is it realistic that you’ll have a different passphrase for every single site, app, and account? Probably not. Doesn’t mean we can’t try. One suggestion here is to create a variety of passphrases that also help you remember where each one belongs. Example:

“I @ctually like Episode 1. Don’t tell anyone at the bank!”

One caveat: if the bank version ever leaks, the shared part gives the pattern away, and the next thing an attacker tries against your other accounts is “...at work!” or “...at home!”. A site tag is far better than reusing one phrase everywhere, but for the accounts that matter most, use a passphrase that shares nothing with the others.
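As an added example (not code from the original post), here is a small Python checker that applies tips 1 to 4 to a candidate passphrase and, for tip 5, flags pairs of accounts whose passphrases differ only by a short site tag, which is the pattern an attacker tries first once one of them leaks. The phrase list and the substitution table are constructed stand-ins for the far larger quote lists and mangling rules that cracking tools ship with.

```python
import os
import re

MIN_LENGTH = 15  # tip 2: go long

# Constructed stand-in for the quote, lyric and title lists that cracking
# wordlists ship with (assumption: the real lists run to millions of entries).
COMMON_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "live long and prosper",
    "i have a bad feeling about this",
    "correct horse battery staple",
}

# Common one-character substitutions. Crackers apply these as rules, so the
# checker undoes them before consulting the phrase list: "f0rce" is "force".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                       "$": "s", "5": "s", "7": "t"})


def normalize(phrase: str) -> str:
    """Lower-case, undo leet substitutions, drop punctuation, collapse spaces."""
    text = phrase.lower().translate(_LEET)
    text = re.sub(r"[^a-z ]+", " ", text)
    return " ".join(text.split())


def check_passphrase(phrase: str) -> list[str]:
    """Apply tips 1-4; returns the problems found (an empty list means it passes)."""
    problems = []
    if " " not in phrase.strip():
        problems.append("no spaces: a word, not a sentence (tip 1)")
    if len(phrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (tip 2)")
    if normalize(phrase) in COMMON_PHRASES:
        problems.append("well-known phrase, present in wordlists (tip 3)")
    if not re.search(r"[^A-Za-z ]", phrase):
        problems.append("no digits or punctuation (tip 4)")
    return problems


def is_site_tag_variant(a: str, b: str, max_tail: int = 20) -> bool:
    """True when the two passphrases are identical or share a long common
    prefix and differ only in a short tail such as ' at the bank!'."""
    prefix = os.path.commonprefix([a, b])
    tail = max(len(a), len(b)) - len(prefix)
    return len(prefix) >= MIN_LENGTH and tail <= max_tail


def audit_accounts(accounts: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of account names whose passphrases are identical or tag variants."""
    names = sorted(accounts)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if is_site_tag_variant(accounts[x], accounts[y])]


if __name__ == "__main__":
    for candidate in ("w00ki3", "May the force be with you!",
                      "I @ctually like Episode 1. Don't tell anyone!"):
        print(repr(candidate), check_passphrase(candidate) or "OK")
    # Constructed sample vault; the bank entry is the post's tip-5 variant.
    vault = {"bank": "I @ctually like Episode 1. Don't tell anyone at the bank!",
             "email": "I @ctually like Episode 1. Don't tell anyone!",
             "forum": "correct horse battery staple"}
    print(audit_accounts(vault))
```

The substitution step is the point of tip 3: “M@y the f0rce be with you!” normalizes back to the famous quote and is flagged, while the Episode 1 confession passes every check. The audit flags the bank and email entries as a pair because a leak of either one hands over most of the other.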

Feel better? Feel more secure? Good! Now, make it your 2016 resolution to replace passwords with a secure passphrase.

Pwnie Express Receives Prestigious SC Magazine Security Innovator for “One of the Best Crystal Balls in the Business”

Pwn Pulse™ recognized for its industry defining ability to detect, fingerprint, and analyze rogue, misconfigured, and unauthorized wireless and wired devices threatening all workplaces


Boston, MA – December 17, 2015 – Pwnie Express helps protect your business with an enterprise-class SaaS solution purpose-built to detect, fingerprint, and analyze any wireless and wired device. This solution, Pwn Pulse, was recognized today for its industry shaping technology as SC Magazine named the company a 2015 Security Infrastructure Innovator. One of only two companies awarded this prestigious distinction in the Security Infrastructure category, Pwn Pulse was also vigorously tested by the publication prior to this designation.

The best way to recognize true innovation in security is to actually use the products in real-world scenarios, and this is what SC Magazine did. Peter Stephenson, technology editor for the magazine, wrote about his use of Pwn Pulse in SC Magazine’s December issue:

“We tested the Pwn Plug in the depths of Levi’s Stadium, home of the San Francisco 49ers and the most high tech football stadium in the world with more than 12,000 Wi-Fi access points. We ran a single Pwn Plug during the World Cup soccer match last spring with about 75,000 fans in the stadium. The single device followed several thousand Wi-Fi users and many of the access points. Obviously, we were impressed.”

Stephenson continued, “When this Innovator took the management and visibility of the devices to the cloud – their Pwn Pulse offering – the company’s business exploded.” He noted, “These folks have one of the best crystal balls in the business – they really know how to predict an important emerging niche – and exploit it.”

“It has become obvious with the proliferation of the Internet of Things and our BYOD lifestyles that the ability for security teams to detect rogue, misconfigured, and unauthorized devices is critical to securing the overall business infrastructure,” said Paul Paget, CEO, Pwnie Express. “At Pwnie, we purpose-built a solution for security teams looking to discover, assess, and fingerprint all the wireless and wired devices accessing or near their network. Pwn Pulse is an enterprise-class SaaS platform built to enhance any company’s security infrastructure, so this recognition by SC Magazine perfectly underscores our efforts, the work of our team, and our customers around the world.”


SC Magazine is a trademark of Haymarket Media

Annual Innovation List Provides Clues to Security’s Future

The end of a year always brings about both retrospective and predictive posts. It is important, especially in our security community, to both recognize where we’ve been, to learn from the past, and look forward to what might happen, in order to be prepared. That is why SC Magazine’s annual “Security Innovator” awards have been a great barometer of both sides of this coin. During my career in security I’ve always used this list to look back at the accomplishments from the past year, but also to get a feel for where the market is going. One example hit me as I read this year’s list of innovators, which included a “Hall of Fame” designation for FireEye, who originally grabbed an innovator award back in 2010. Five years, and we’ve seen our industry shape and reshape itself over and over again.

And now we do it all again.

Pwnie Express Named 2015 Security Innovator by SC Magazine

When an article starts out “This is one of our personal favorites” you just can’t help but continue reading on, and that is exactly how the article about Pwnie Express being named an SC Magazine 2015 Security Innovator begins. This annual list of the very coolest up-and-comers in the security industry is broken into ten categories. Pwnie was one of only two innovators selected in the “Security Infrastructure” category, which the magazine described as a “tough one”.

Obviously when you get this type of recognition you immediately think about the engineering talent and vision that went into creating our Pwn Pulse solution, launched at RSA 2015. Then, to our amazing users who have deployed Pwn Pulse around the world to detect, fingerprint, and analyze the rogue, misconfigured, and unauthorized wireless and wired devices threatening their workplaces.

Innovation In Action

The best way to recognize true innovation in security is to actually use the products in real-world scenarios, and this is what SC Magazine did. Peter Stephenson, technology editor for the magazine, wrote about his use of Pwn Pulse in the magazine’s December issue:

“We tested the Pwn Plug in the depths of Levi’s Stadium, home of the San Francisco 49ers and the most high tech football stadium in the world with more than 12,000 Wi-Fi access points. We ran a single Pwn Plug during the World Cup soccer match last spring with about 75,000 fans in the stadium. The single device followed several thousand Wi-Fi users and many of the access points. Obviously, we were impressed.”

Stephenson continued, “When this Innovator took the management and visibility of the devices to the cloud – their Pwn Pulse offering – the company’s business exploded.” He continued, “These folks have one of the best crystal balls in the business – they really know how to predict an important emerging niche – and exploit it.”

And there it is…the future, and this is what is truly exciting for us all here at Pwnie and throughout our industry. We continue to push forward in the face of sometimes insurmountable challenges.

See For Yourself

For those not familiar with Pwn Pulse, it is a solution that continuously detects all of the devices putting your office(s) at risk. The SaaS platform detects devices connected to or even around a network, helping to replace legacy, expensive, on-site, manual point-in-time assessments. Pwn Pulse finds unidentified, open attack paths including: mobile phones, Wi-Fi Printers, Access Points, Smart Devices, and more, while working to amplify an organization’s existing IT and security tools, people, and workflow.

If you have time, register for our demo so we can hear directly from you about your challenges in this area and whether Pwn Pulse can help.

FYI: SC Magazine is a trademark of Haymarket Media.

Security infrastructure: Innovators 2015

Flagship product Pwn Pulse

Cost Depends on configuration.

Innovation The obvious one is the form factor, but underneath that is the significant functionality that makes the Pwn Plug and the Pwn Pro used with Pwn Pulse a paragon of network visibility.

Greatest strength These folks have one of the best crystal balls in the business – they really know how to predict an important emerging niche – and exploit it.

PwnieExpress

This is one of our personal favorites. To start, the name is said “Pony Express,” the Pwn being the hacker version of “own.” This is appropriate because the Pwnie Express tools allow users to “own” the security on the enterprise network through increased visibility and the ability to test systems easily…

(Original Article)