Thursday 6 September 2018

Continuous Web Applications Attacks Prove the Need for New, Proactive Security Approach


- Greg Gray, BOHH Labs Senior Software Engineer

While being proactive about security has always been a choice in the realm of web application deployment, it is only in recent years that it has become a priority over just reacting to security breaches. Too often we don’t discover the problem until after we have been hacked. This blog post will investigate methods for attack prevention rather than cleanup.

More and more we are seeing job postings for IT Security Managers. This is an important step in the development of a proactive security approach. Committing time and resources to the problem makes it clear to everyone up and down the organizational chart, and to the board and stockholders, that security is a high priority. It also ensures that there is consistent leadership for securing the company’s resources.

So, what does the IT Security Manager do? First and foremost, working closely with other management entities and IT personnel, they establish the policies for maintaining a secure work environment. This includes policies for passwords, application access permissions, workstation application restrictions, etc. These policies establish the baseline for everyone’s contribution to the company’s security. These policies must also include IT’s role in policing the policies and, with Human Resources’ contribution, procedures for dealing with violators.

While these policies are being developed and implemented, the Security Manager should also focus on what is necessary for the IT staff to implement the policies. One way to divide up the responsibilities is into several groups, for example: workstation, network, and development.

The workstation group is responsible for ensuring workstation policies are enforced by using a set of tools specific to this task. Virus protection, scans for unauthorized software, and port scanning are some examples.

The network group is responsible for protecting important systems from attacks originating both outside and inside the business. Auditing is a primary line of defense and includes such tools as Nessus, Nmap, SAINT, and lsof (list open files). Monitoring tools are also important to the network group. Some tools will report attacks as they occur, such as Tripwire, LogCheck, and ZoneAlarm.

The development group has a key role that encompasses the entire spectrum of attack vectors. This begins with the deployment process where the integrity of the software build is critical. Applications should be contained in their own isolated environments so that one compromised application doesn’t affect another.

Possibly the most important protections to be put into place involve the protection of customer data. This is the root of the data security problem. Data encryption with keys, tokenization, and newer approaches, such as BOHH Labs’ Secure Data as a Service, are necessary to ensure data integrity and prevent its dissemination to the world after a successful data breach.

The IT Security Manager will also need to remain vigilant for old and new attack vectors via up-to-date cyber security threat reports. Each of the security subgroups should watch for old and new attacks pertaining to their areas of support. 

After all new policies are in place, or perhaps even before they are in place, the IT Security Manager should engage a company that performs independent security audits. The results may uncover areas that no one thought would be an issue, or that each group assumed were another group’s responsibility.

Vigilance is key to preventing data theft and protecting customer and company resources. The successful effort may go unnoticed. It’s a “no news is good news” situation. But at the end of the day, when the reports to the company directors shift from reporting the number of breaches to reporting the number of failed attacks, the ideal of a Proactive Security Approach may be fully realized.

Thursday 30 August 2018

Post Industry Event POV: Security Concerns Are Still Challenging Enterprise Progression



Last week, several of BOHH Labs’ leaders (CEO Simon Bain; COO and SVP of Business Development AJ Jennings; and SVP of Partner Engagement Marina Simonians) attended the inaugural Arrow Technology Summit in Denver, a premier event for IT Value Added Resellers (VARs), Managed Service Providers (MSPs) and Systems Integrators (SIs).

The Arrow Technology Summit is for IT partners and solution providers who are actively seeking the information, opportunities and relationships that will grow their bottom line. ATS brings together leading industry experts to give you the actionable information and perspectives you need to grow your IT business.

At BOHH Labs, we are big fans of industry events, as they are a great opportunity to understand market trends and challenges, share information, learn from peers, and speak directly to people on what problems they need addressed and what they are currently lacking. ATS was no different and was a great summit focused on bringing companies together to address the changing digital enterprise landscape.

BOHH Labs was honored to not only attend but be a sponsor at the event and showcase our breakthrough technology, Intelligent Secure Data as a Service (SDaaS), that enables businesses to strengthen their offerings to data-driven industries, especially in the areas of security, edge computing, the internet of things, hybrid cloud, data intelligence, analytics and next-gen data centers.

One of the most interesting takeaways was understanding that all the companies we met with are plagued with the same challenge: the desire to embrace digital innovation into their solutions and help customers unlock the value of their data analytics, yet they are unable to securely open up their data. We heard countless stories from senior execs wary of the current data security solutions that promise protection with solutions that rely on application level security, data masking applications and other encryption algorithms that have been proven to leave open massive security threats. We heard everything from those who were terrified of losing keys, opening up databases to the cloud, and even those unsure of how to back up their databases.

It is evident enterprises are looking to increase their value with innovative digital services and maximize the value of their data assets. However, data security is challenging enterprise progression. As part of these conversations, we were delighted with the reaction received by our SDaaS solution to address these setbacks.

SDaaS uniquely protects all data while maintaining security for searching, analytics, and use, unlocking valuable data to become an asset for companies and preventing data breaches. Our service acts as a layer between the user/application and the back-end data and has no reliance on a keystore, which resonated with many who are wary of keeping encryption keys in a store, an approach that has proven to be ineffective. Instead, it uses an AI engine to manage the encryption process, completely mitigating access to data by way of an attack on a keystore. SDaaS encrypts down to the sub-field level, with each encryption process handled with a uniquely derived key which is never stored, eliminating internal and external threats while protecting data at rest, in transit, and in use.

As a result, SDaaS enables enterprises to securely deploy innovative applications, cloud services, and analytics that they desperately need, without opening their data to massive, widespread, and malicious security threats. 

Overall, it was a very successful event with over 300 companies attending and we gave 60 demos on how our solution is uniquely suited to enable partners and resellers in their efforts to leverage valuable new insights on customer and company data, while preventing internal and external data breaches. We left the summit upbeat with our message and solution resonating with most of the conference attendees.

Tuesday 14 August 2018

How the BOHH Labs/Approyo Partnership Can Accelerate the Transition to SAP HANA in the Cloud


The enterprise technology landscape is rapidly changing, and more companies are embracing digital transformation and integrating cloud services to enhance business agility, efficiency and extract analytics. In fact, technology leader in business applications, SAP, has pegged a deadline of 2025 for when it will terminate support for its ECC6 on-premise solution.

For businesses looking to migrate to more advanced SAP HANA systems in the cloud, this may seem like a long way off, but the deadline shouldn’t be the only driving force behind your migration strategy. Cloud-based SAP HANA solutions offer businesses a vast array of benefits, as they look to harness the potential of digitization and business transformation.

However, digital transformation is an evolving market and there is no one-size-fits-all solution. For businesses to be successful in their transformation to cloud-based SAP HANA solutions, there must be collaboration, and Approyo and BOHH Labs have teamed up to offer SAP customers seamless migration to SAP HANA cloud environments. Approyo CEO, Chris Carter, and BOHH Labs CEO, Simon Bain, illustrate below how strategic partnerships can create a best-in-breed solution that brings success for the end customer.

Chris shares:
As part of the push to move to the cloud, SAP has developed SAP S/4HANA, which is built on the advanced in-memory platform, SAP HANA, and is an entirely new generation of SAP Business Suite. It fundamentally redefines how enterprise software creates value across industries with instant insight. SAP S/4HANA also personalizes the user experience on any device and natively connects to Big Data, the Internet of Things, and business and social networks - all in real time.

Like all new things, especially in technology, the updates can be daunting. Approyo can help businesses move SAP applications, such as SAP S/4HANA, to the cloud with tailored implementation roadmaps to ensure every organization undergoes a seamless migration. We are one of the only SAP partners in the world that can migrate SAP applications to the cloud, provide ongoing support and provide long term managed services for hosted cloud environments.

Simon shares:
While Approyo specializes in making SAP migrations smooth from an implementation standpoint, we combine with their capabilities to make the migration smooth by enabling better security and access to data stored with SAP HANA. We bring security to the data and the business suite, so customers can get simple access to their complex data. We provide total security on all stored data by uniquely providing database or specific file security, enabling prioritization and control of sensitive data. BOHH’s security service provides full text search capabilities, even on secured data, and supports Bot technology for data to be conveniently accessed and bring enhanced access flow to data within the system.

Chris adds: 
Often companies are hesitant to migrate completely to cloud deployments due to security, performance disruption and accessibility. This includes migrating to the new SAP S/4HANA platform. The BOHH/Approyo partnership is reducing these setbacks.

Simon concludes:
By partnering together, Approyo and BOHH Labs can address customer demands and focus on what our enterprise, integrator and reseller customers need to secure access to their business-critical applications and data in the cloud with minimal disruption. The joint solution between Approyo and BOHH Labs is addressing the challenges enterprises face migrating to the cloud and enables SAP customers to leverage the analytics capabilities of SAP HANA, while gaining a secure method to easily access all enterprise systems to quickly find, search and unlock the value of all their data.

Tuesday 7 August 2018

Why Data Access is the Heart of a Competitive Business


- Alan Jamieson, VP of Business Development at BOHH Labs

Businesses are evolving and starting to quickly realize that the data they retain has value to the company, but only if they can leverage it.  In fact, by 2020, some global analysts predict that data will be listed as a company asset, so it has significant monetary value. 

Some businesses already have a data-driven strategy that leverages their rich customer data assets to look for new revenue streams and business opportunities, or uses their machine performance data to improve efficiency through fewer machine breakdowns and to ensure that production is at its highest level. This is already giving them a competitive advantage.

Let’s reflect on Fortune 1000 companies over the last decade. Globally, our traditional Fortune 1000 companies are changing, and a significant percentage have fallen off the global stock markets or ceased trading due to competition from newer entrants. New online banks have set up business and are winning business from global banking organizations, as they offer more cost-effective services and are better able to understand their customers. These new banks want customers to use them for multiple services, and customers, especially the younger generation, expect more convenient, real-time, 24-7 answers. Why does this matter? Customer experience is a key business metric. How customers interact with and access their data is important for all parties, and traditional banks are not always of the same thinking or, importantly, don’t have the technical systems to know their customer. Additionally, newly formed companies don’t have legacy infrastructure to consider and are often more agile in their approach.

The greater the knowledge businesses have access to through real-time interactions and many years of customer engagement, the greater the analytical visibility they can gain on their customers or business operations, which helps them make informed decisions on how to extend or develop that relationship through new services and products.

It’s clear our global use of digital technologies, both in our consumer and work lives, is helping companies get more data on customers/users and their behaviors. The business world is starting to analyze those large volumes of data to drive greater customer and business insight. However, in our increasingly connected world, the variety of data – compliant, sensitive and confidential, plus the volume of data that is being produced, available, and perhaps more importantly, collected, is impacting and challenging many global companies. Data breaches are still occurring on a frequent basis and are a key security consideration in how data is accessed and protected today.

To handle today’s influx of structured and unstructured data, businesses use real-time data warehouses and often archive or store data over 12 months old to reduce storage or operational costs. While data volumes are growing annually, the overall mix of data types creates the biggest challenge. How do you ensure that authorized users can access sensitive information like pricing, compliance-regulated data like Personally Identifiable Information (PII) and Personal Health Information (PHI), and confidential corporate data, while other business users can run analytics on the overall dataset without seeing the protected data?

BOHH Labs has developed a solution that enables businesses to keep data access at the heart of driving competitive business, with our Secure Data as a Service acting as a layer between the user/application and the back-end data and enabling total security on all your stored data. It protects only the compliance-regulated or sensitive data fields, which can then be accessed only by specific users, while importantly enabling a wider business community of users to access the data for analytical purposes. Making decisions using greater sets of data helps to make more informed decisions through analytics. Secondly, as our service includes a secure conversational bot, we help companies who have an interest in customer self-service initiatives. Customers securely access data and authenticate through existing applications to access their specific information using voice rather than a keyboard, which improves the user experience and customer service and drives competitive advantage.

Tuesday 31 July 2018

Detection is Not Enough Protection



- Becca Bauer, Director of Marketing & PR


Another day, another breach. For today’s purposes, let’s look at the recent data breach at Dixons Carphone, where the names, addresses, and email addresses of anywhere from 1.2 million to 10 million users were exposed. While the breach only came to light recently, after GDPR came into effect, it actually occurred back in July 2017. That’s right – for just short of a year, the company had NO idea it was subject to a data breach.

While details on the how, who, and why of this particular attack are still coming to light, it does bring up the fact that breach detection is not protection. In fact, the 2018 Cost of a Data Breach Study, sponsored by IBM Security with research independently conducted by the Ponemon Institute, finds that the mean time to identify (MTTI) a breach is 197 days and the mean time to contain (MTTC) it is 69 days. This means that, on average, it takes half a year to identify a breach! Just imagine how much data an attacker could get in that amount of time while going unnoticed.

This figure is unacceptable, especially since the security industry has seen an influx of support for threat detection tools over the last several years. These range from network threat detection, which monitors and interprets traffic patterns, and endpoint threat detection, which tracks information and behaviors on user machines, to popular AI and ML threat intelligence tools valued for their self-learning capabilities and their ability to recognize patterns and anomalies.

Unfortunately, the industry has made people believe that detection can work. We are not saying that no detection solutions work and they should be removed from your security strategy all together, but it’s clear detection alone is not enough. What we need is a new way to protect our data. 

At BOHH, we believe the core focus must be on protecting the data at the foundation level. Given that a business will easily spend millions on its data protection solutions, it only makes sense to secure the data itself as it comes through and sits in your database. BOHH Labs has developed a Secure Data as a Service (SDaaS) solution that acts as a layer between the user/application and the back-end data store and enables protection of all stored data, no matter where it is located, by uniquely providing field level security: removing these fields from the source and storing the encrypted data separately, without changing the underlying database structure or using a keystore to manage the encryption keys. By doing this we remove not only the hacker threat to the data but also the more prominent insider threat, which is often very difficult to detect. Putting the security focus on the data itself, not just where it is coming from, where it is stored or where it is being transacted to, enables the better protection against both external and internal threats that organizations desperately need to keep sensitive information protected, rather than relying only on monitoring and detecting anomalies within the system.





Thursday 26 July 2018

Not All Encryptions Are Created Equal



In today’s volatile digital security world, encryption has become a standard security measure to keep your data protected. Many in the security industry would even go as far as to say that it is one of the most important methods for providing data security, especially for end-to-end protection of data transmitted across networks. The core foundation of encryption is converting information or data into a form unreadable by anyone except the intended recipient. Once a file or data item is encrypted, it becomes difficult for external parties to access or understand the encrypted information.

While highly touted, encryption is hardly a new strategy, with the origins of hidden messages and cryptography dating back to the 19th century. Since then, it has evolved, and there are many different types of encryption algorithms in use. However, not all of these are created equal or are completely secure. Below are several of today’s popular encryption approaches, all of which have security loopholes.

Homomorphic Encryption

Homomorphic encryption requires a public key to enable search. This also means it requires a keystore to hold the private key that enables the decryption. The person with access to the keystore has access to your data! This means you are putting your data at risk of internal misuse and in the hands of whoever owns the keystore. You don’t believe you would have an internal person who would abuse this power? Nor did the CIA until Edward Snowden fled the country.

Data Masking

Data masking has generally been created as an intermediate layer between the data store and the user and is becoming more common as part of the GDPR regulations. The masking gateway accesses the data as an administrator and transforms (masks) the data on a user query. However, the stored data remains in clear text and is vulnerable. Simply put, this is really just application redaction.

TDE – Transparent Data Encryption

This technology encrypts the data file on disk, stopping anyone from reading it while it is at rest on the disk drive. HOWEVER, as soon as it is loaded into the database, it is decrypted and available to be viewed by all who have admin privileges. This puts the encrypted data at risk of internal misuse, as admins have approved access to the keys and could decide to capitalize on this access to sensitive information.

Column Level Data Encryption

Column level data encryption is generally implemented with a keystore, which means that those with access to the store also have access to the data. Just as importantly, if this is implemented post production, it requires wholesale changes to the database and the calling applications, leading many implementations to remain incomplete, as well as expensive.

As you can see, many of these encryption tools are lacking in complete external and internal security.

At BOHH Labs, we believe that the parties at the two ends of a data message – the sender and the requester – should be the only ones who have access to that data message. We believe encryption should be dynamic. In other words, your keystore should be dismantled, and the encryption keys, IVs and salts should be created by the application, based on different criteria, at that moment in time. This means that each piece of data, each network message, or each file is encrypted with a unique key, so your data is not left open on your keystore and accessible to unauthorized employees. Dynamic key creation with no reliance on web security or keystores is a cornerstone of BOHH’s data security service. Every data request is isolated from the requestor and is encrypted using transient keys that are destroyed after each transaction. This means the original data request never has direct access to the company network or back-end database; it terminates intercepting-party connections and renders any partial data a third party may obtain useless, making it very difficult for anyone (including a database admin) to steal usable data. Further, the service uniquely provides field level security by removing these fields from the source and storing the encrypted data separately, without changing the underlying database structure or using a keystore to manage the encryption keys, which removes not only the hacker threat to the data but also the more prominent insider threat.

As such, despite being popular in the security industry, it’s clear that many of the current encryption methods have backdoors, especially for internal misuse. If you are interested in learning more about BOHH’s keystore-less encryption method that makes these security loopholes obsolete, reach out to learn more.
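The field-level, per-record key approach described in this post (and in the SDaaS posts earlier on this page) as an added Go example; this is not BOHH Labs’ code or its SDaaS implementation, just an illustration of the general shape: the sensitive field is removed from the row, encrypted under a key derived at the moment of use and discarded, and parked in a separate store, while the non-sensitive columns stay available for analytics. The example assumes an application-held master secret from which keys are derived (so one secret still exists somewhere), and the table name `accounts`, the `tok:` prefix and all rows are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is the application-facing row; once protected, Email holds an opaque token.
type Record struct {
	ID      int
	Balance float64
	Email   string
}

// Vault is a constructed stand-in for the separate encrypted store: token -> nonce||ciphertext.
type Vault map[string][]byte

func context(id int) []byte { return []byte(fmt.Sprintf("accounts|%d|email", id)) }

// fieldKey derives a per-row AES-256 key at the moment of use from an application-held master
// secret (an assumption of this example) and the row's public context; it is never stored.
func fieldKey(master []byte, id int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(context(id))
	return mac.Sum(nil)
}

// aeadFor builds an AES-GCM instance for a derived key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectEmail removes the email from the row, encrypts it under the row's derived key with
// the (table,row,field) context as associated data, and parks it in the vault behind a token.
func ProtectEmail(master []byte, v Vault, r *Record) error {
	aead, err := aeadFor(fieldKey(master, r.ID))
	if err != nil {
		return err
	}
	n := aead.NonceSize()
	buf := make([]byte, n+16) // random nonce followed by 16 random token bytes
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	token := "tok:" + hex.EncodeToString(buf[n:])
	nonce := buf[:n:n] // cap-limited so the append below copies rather than clobbering buf
	v[token] = append(nonce, aead.Seal(nil, nonce, []byte(r.Email), context(r.ID))...)
	r.Email = token // the source table now holds only the token
	return nil
}

// RevealEmail re-derives the key for an authorized caller; a token moved to another row or a
// different master secret fails GCM authentication instead of yielding wrong or partial data.
func RevealEmail(master []byte, v Vault, r Record) (string, error) {
	blob, ok := v[r.Email]
	aead, err := aeadFor(fieldKey(master, r.ID))
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if !ok || len(blob) < n {
		return "", fmt.Errorf("no usable vault entry for %q", r.Email)
	}
	pt, err := aead.Open(nil, blob[:n], blob[n:], context(r.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TotalBalance is the analytics path: it reads the protected table only, never the vault or key.
func TotalBalance(rows []Record) (sum float64) {
	for _, r := range rows {
		sum += r.Balance
	}
	return sum
}
```

A database dump exposes only tokens and authenticated ciphertexts; whoever holds the master secret can still decrypt, which is why a real deployment must also decide who holds that secret.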


Tuesday 10 July 2018

How to Keep Up on the Latest in Cybersecurity News


Cybersecurity is always a hot topic, for a very good reason: the hits just keep on coming. Trying to keep up with the latest news and vulnerabilities is a daunting task, but you have to do it. Installing the latest security software and running the latest tests is not complete due diligence in the modern world of continuous cyber attacks. As the saying goes, “knowledge is power,” and it is especially so in the web-connected world.

So, how do you keep your knowledge at peak efficiency? Reading, of course. There are hundreds of technology sites and blogs that will help keep you informed about the latest issues, but that’s a lot of reading. What follows is a list of some of the best. You should recognize some of these if cyber security is not new to you. Hopefully, the list includes some that you weren’t aware of and will add some bulk to your reading list.

The Hacker News 

The Hacker News is one of the largest and best-read information security sites. They feature news and thorough coverage of information technology vulnerabilities and trends. The Hacker News is supported and endorsed by security experts, administrators, and members of various underground hacker groups and communities worldwide.

Krebs on Security

Brian Krebs is not your typical cyber expert (but who is typical?). His formal education includes a Bachelor of Arts degree in International Studies from George Mason University in 1994 (programming was a hobby). So, what prompted him to switch his focus to cyber security? In 2001 his home network was compromised by a Chinese hacking group. What followed was a self-taught crash course in computer and Internet security.

In his own words from his website, “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them.”

Open Web Application Security Project (OWASP)

Established in 2001, OWASP is a non-profit organization that has dedicated itself to the development of knowledge, tools, and best practices for secure application development. In their own words, they want to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”

One of their most important projects in my experience has been the “OWASP Top 10 Most Critical Web Application Security Risks”. Not only do they describe the risks in detail, but they also provide examples of mitigation in multiple languages.

Schneier on Security

Bruce Schneier’s blog has been in existence since 2004. He writes about security in articles, books, and academic papers. He is currently the CTO of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of the EFF.

The blog includes articles pertinent to current security issues and has an engaging comment area with lively discussions. He also produces a monthly, well-read newsletter.

Dark Reading 

Dark Reading is a long-time source for information about new cyber threats and current cybersecurity technology trends.

From their website: “Dark Reading.com encompasses 13 communities, each of which drills deeper into the enterprise security challenge: Analytics, Attacks & Breaches, Application Security, Careers and People, Cloud Security, Endpoint,  IoT, Mobile, Operations, Perimeter, Risk, Threat Intelligence, and Vulnerabilities and Threats. Each community is led by editors and subject matter experts who collaborate with security researchers, technology specialists, industry analysts and other Dark Reading members to provide timely, accurate and informative articles that lead to spirited discussions.”

Naked Security by SOPHOS 

Naked Security is SOPHOS’ news aggregator, providing the news, opinion, and advice on our favorite topic: computer security issues and the latest Internet threats.

Naked Security also produces a daily newsletter that provides a list of important cybersecurity news articles published within the last 24 hours. This is a must read.

Summary

I hope this list added a few more sources for your cybersecurity knowledge needs. Feel free to comment below on these and other sites that you have found invaluable to our work.