Game of Thrones Hack: Winter Has Come for Passwords

The recent security breach at HBO of confidential data including Game of Thrones scripts, cast personal details and administrator passwords highlights the vulnerability of password-only protection. The breach involved hackers stealing about 1.5 terabytes of data from HBO systems — more than seven times as much as the 200 gigabytes taken in the 2014 Sony hack — including scripts for five Game of Thrones episodes and two unreleased episodes of Ballers and Room 104. Passwords Alone Are Not Enough to Stop the Breach The hackers have reportedly released numerous confidential documents, including one with a list of personal phone numbers,…

6 Reactions to the Cisco 2017 Midyear Cybersecurity Report: Part 2

Last week, I discussed the first three reactions I had to the “Cisco 2017 Midyear Cybersecurity Report.” I discussed how vendor consolidation is increasing, how spyware is being branded as malware and how detection of threats is continuously improving. DevOps as a Target In the Vulnerabilities section of the document, Rapid7 describes how DevOps is a target and vulnerability for many companies that may use things like AWS, Azure, or Docker frameworks for development. When these resources are built, they are not always deployed in a secure state and often are left behind to run indefinitely. Identity management tools that…

Post-Brexit Data Flows: Why There’ll be No Place for UK Firms to Hide from GDPR

As with most aspects of the EU, unhindered cross-border data flows are something most U.K. firms just take for granted these days. Thanks to the cloud, huge volumes of corporate data is stored in third party providers’ data centres, frequently not even in the UK. Aside perhaps from those in highly regulated sectors, corporate users don’t think twice about accessing that data, and sending it to and from partners and customers on the continent. However, the U.K.’s departure from the world’s biggest trading bloc raises new questions about the legality of such transfers. In a new report, the House of…

Four Things You Don’t Know About Cybersecurity… That You Should

Ponemon Institute recently conducted a survey, sponsored by Centrify, designed to more deeply understand the current state of cybersecurity. The Impact of Data Breaches on Reputation & Share Value: A Study of U.S. Marketers, IT Practitioners and Consumers examines differing perspectives across a number of security topics. I’d like to focus on IT professionals at this time, as I believe the results are enlightening, to say the least. 43 Percent of IT practitioners said their organization had a data breach involving sensitive customer or business information in the past two years. This tells us that more than one in five organizations…

What are CDM and CRED?

The Continuous Diagnostics and Mitigation (CDM) Task Order for CREDMGMT provides guidance and tools to federal civilian agencies to fulfill the Manage Credentials and Authentication (CRED) Function. This functional area is designed to prevent the binding of credentials the use of credentials by anyone other than the rightful owner (person or service). The approved tools provide careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights. The CRED capability ensures that account credentials are assigned to, and used by, authorized people or services. This solution relies on the results of the…

Am I Affected by the European General Data Protection Regulation?

It’s a year until the biggest shakeup to Europe’s privacy laws in nearly a generation takes effect. The European General Data Protection Regulation (GDPR) will bring sweeping new rules into force, including new consumer rights over how personal data is used, and mandatory 72-hour data breach notifications. Yet there’s still confusion over which companies and what types of data are covered by the law. With firms currently complying with less than 40% of GDPR principles on average, time is running out. That’s why Centrify is running a new monthly blog series designed to raise awareness about the GDPR, as the clock…

Password Vaults Alone Are Not Enough to Stop the Breach

A recent Forrester study examined four levels of identity and access management (IAM) maturity and found a direct correlation between the number of privileged identity management (PIM) best practices implemented and the number of security incidents encountered by an organization. Wait, Isn’t Privileged Identity Management == Password Vault? Nope. Centrally controlling shared access to non-human accounts and automating periodic password rotation for shared accounts reduces risk, no doubt. This is a critical component when minimizing your attack surface and will make it harder for hackers to get in to your environment (initial compromise) — it is a best practice. However,…

PWN2OWN 2017 Outcome: Implement Multi-factor Authentication & Least Privilege

Zero Day Initiative, a security research program that offers rewards for successful hacks, reported that on last day of their recent “PWN2OWN 2017” competition, a team of contestants pulled off an unique and challenging feat: they compromised a virtual machine and managed to “escape” to the host system running the virtualization software.  The hack involved three distinct and challenging tasks: Compromising Microsoft’s Edge Browser Compromising the Guest Operating System (running Windows 10) Compromising the VMware Workstation virtualization software And this was all accomplished through a controlled website. Although this may not be the first time each individual layer was compromised, this…